This article provides an introduction to data retention, before exploring a new judgment on the topic, which was delivered by the Court of Justice of the European Union (CJEU) on Tuesday 5 April 2022.
What are Data Retention Obligations?
Data retention obligations require parties to store data for a certain period of time. The storage limitation of personal data is one of the underlying principles of the GDPR, ensuring that personal data should not be kept for longer than necessary for the purposes for which the data is processed. Whilst data retention obligations apply to all organisations that process personal data, there are additional obligations imposed on electronic communications service providers (such as mobile phone companies), which are required, on request, to provide security and law enforcement agencies with access to the retained data.
Notably, some data retention obligations relate to metadata (i.e. data about communications, such as the identity of the communicating parties, or the time at which a communication was sent) whereas others relate to content data (i.e. the content of the communications themselves).
Benefits and Risks of Data Retention
The main benefit of data retention is that it can provide invaluable support to security and law enforcement activities, such as identifying national security threats and investigating serious crime.
However, in the absence of proper safeguards, data retention may pose a serious threat to the rights of the individuals whose data is retained. This includes, most notably, their fundamental rights to privacy and personal data protection, as enshrined in Articles 7 and 8 of the EU Charter of Fundamental Rights.
Importantly, a data retention obligation concerning metadata is no less threatening to privacy and personal data protection than one concerning content data. This is because (amongst other things) ‘[k]nowing the every detail of our communications creates an extremely intimate portrait of our lives’, including who we typically interact with, where we typically go, what time we typically do certain activities, and so on and so forth. This has recently been recognised by the European Court of Human Rights (ECtHR), in the case of Big Brother Watch and Others v UK.
Data Retention in the EU
In the EU context, data retention has been, and continues to be, ‘the subject of much debate and controversy’.
An oft-cited example is Joined Cases C-293/12 and C-594/12 Digital Rights Ireland, in which the CJEU declared that the Data Protection Directive 2006/24/EC was invalid, because it constituted a disproportionate interference with the fundamental rights to privacy and personal data protection.
Eight years (and a raft of litigation) later, the topic remains unsettled. Thus, earlier this week, the CJEU delivered yet another judgment on data retention, in Case C-140/20 GD v Commissioner of An Garda Síochána (GD).
The GD Case: Factual Background
The GD case centred on Graham Dwyer.
Dwyer was convicted in Ireland in 2015 for the brutal murder of Elaine O’Hara.
His conviction was based, in part, on metadata from his mobile phone, which had allowed the police to trace his movements and communications with O’Hara in the hours preceding her death.
Importantly, however, the police had obtained this metadata pursuant to section 6(1)(a) of the Communications (Retention of Data) Act 2011, which was enacted to give effect to the (subsequently invalidated) Data Retention Directive.
Dwyer relied on this in an attempt to overturn his murder conviction. More specifically, he brought proceedings in the Irish courts, claiming (inter alia) that the metadata used against him at trial was illegally obtained, such that it was inadmissible evidence, and his conviction was unsafe.
In the course of these proceedings, the Supreme Court of Ireland requested a preliminary ruling from the CJEU, to clarify certain relevant aspects of EU data retention law.
The GD Case: CJEU Judgment
The judgment contained several key findings. Four, in particular, merit attention.
First, the CJEU found that a general (i.e. indiscriminate) obligation to retain metadata is only compatible with EU law insofar as it constitutes a proportionate measure to safeguard national security. Therefore, no other objective (even the prevention and detection of serious crime) can justify such an obligation. This finding was favourable to Dwyer, because the data retention obligation in question was a general one, which had been justified on the ground of serious crime. As such, it was incompatible with EU law.
Second, however, the CJEU found that targeted obligations to retain metadata could pursue objectives other than national security, so long as they were proportionate. This included, for example, obligations targeting geographic areas with a particularly high crime rate.
Third, the CJEU found that a request to access retained metadata must receive prior authorisation from a court or independent administrative body, and that the Irish legislation had not met this threshold.
Fourth, and finally, the CJEU found that, if legislation is declared incompatible with EU law, then it is invalid from its inception, and a Member State cannot limit the temporal effects of that invalidity. This finding was also favourable to Dwyer, because it precluded the Irish courts from limiting the effect of the legislation’s invalidity in a way that would leave his conviction unaffected.
The judgment in GD was not a surprise, in the sense that the CJEU followed the advisory Opinion of Advocate General Manuel Campos Sánchez-Bordona closely.
It is, however, clearly a significant judgment, for at least three reasons.
First, the judgment could play an important role in Dwyer’s appeal against his conviction. While the outcome of the appeal is by no means certain (because the precise rules on the admissibility of illegally obtained evidence are a matter for Irish law), the CJEU’s declaration of invalidity is clearly favourable to Dwyer.
Second, the judgment will contribute to the long-standing debate on data retention in the EU, perhaps prompting further discussion of topics such as how to distinguish between national security and serious crime.
Third, and finally, the judgment is a powerful reminder of the extremely delicate balance that data retention law must strike between the pursuit of national security and law enforcement objectives, on the one hand, and the fundamental rights to privacy and personal data protection, on the other hand. Needless to say, there will be outrage if Dwyer walks free from a murder conviction on the basis of an invalid data retention law, with one headline stating that: ‘[t]he prospect of Elaine O’Hara’s sadistic killer Graham Dwyer walking free on a technicality would be a travesty of justice