Watch how you watch – privacy rights and targeted location data

Rory Ferguson from our Technology team looks back at an important CJEU decision earlier this year regarding the retention of location data.
 
In well-documented criminal proceedings, Graham Dwyer was sentenced to life in prison for murder in 2015. The prosecution relied heavily on location metadata taken from Mr Dwyer's phone that placed him at the murder site at specific times.

In subsequent civil proceedings before the High Court, Mr Dwyer successfully challenged the validity of the Communications (Retention of Data) Act 2011, Section 6(1) of which allowed for mobile phone data to be disclosed to An Garda Siochána on request. The State appealed the High Court's decision to the Supreme Court. The Supreme Court, in a reference to the CJEU, sought clarification on the requirements under EU law for the retention of data for the purposes of investigation into serious crime.

In the ensuing reference, the CJEU (in Case C-140/20 (G.D. v Commissioner of An Garda Síochána & Ors) held that EU law precludes the general and indiscriminate retention of traffic and location data relating to electronic communications for the purposes of combating serious crime. The request for a preliminary ruling concerned the interpretation of Article 15(1) of Directive 2002/58/EC, as amended ("the Directive"), concerning the processing of personal data and the protection of privacy in the electronic communications sector.

The decision did not come as a surprise to many as the CJEU in 2020 overruled similar pieces of national legislation from other jurisdictions. In addition to the headline-grabbing finding of the CJEU, which ultimately led to the Supreme Court upholding Mr Dwyer's successful High Court challenge to Ireland's data retention laws, the judgment provides a useful summary of the situations where it may be permissible to use targeted retention of personal data (particularly location and traffic data) and much of this is well-established in existing CJEU case law.

The CJEU noted that the Directive does not preclude national legislation based on objective evidence which makes it possible to target persons whose traffic and location data are likely to reveal a link, at least indirectly, with serious criminal offences to contribute in one way or another to combating serious crime or to preventing serious risk to public security or a risk to national security. The Court also noted a number of options available to Member States in relation to targeted retention including targeting persons who, on the basis of an identification, are the subject of an investigation or other measures of current surveillance or who are considered to have a high risk of reoffending. The Court also noted that the retention of traffic and location data may, having regard to the principle of proportionality, also be set using a geographical criterion where there exists in a geographical area a high level or risk of serious criminal activity.

The Court further noted that a targeted measure of retention of traffic and location data covering places with a very high volume of visitors such as airports, stations and ports may be permissible for the purposes of combating serious crime to draw conclusions as to an individual's presence and activity in those places or geographical areas at a specific time during the period of retention. However, the Court stressed that the duration of those targeted retention measures must not exceed what is strictly necessary in the light of the objective pursued and the circumstances justifying them.

Secondly the Court considered the expedited retention of traffic and location data processed and stored by providers of electronic communications services. Such data must, in principle, be erased or made anonymous at the end of the statutory periods within which the data must be processed and stored but the Court noted that during that processing and storage it may become necessary to retain data after the statutory periods have ended in order to shed light on serious criminal offences or national security issues. The Court noted that in such a situation it is permissible for Member States to provide in legislation for the possibility of instructing, by means of a decision of the competent authority subject to effective judicial review, providers of electronic communication services to undertake the expedited retention of traffic and location data for a specified period. It is also in principle permissible for legislation to authorise the expedited retention of traffic and location data of persons which whom a victim was in contact with prior to serious threats to public security arising or a serious crime being committed and likewise in respect of a geographical area where such threat or incident has occurred.

This decision of the CJEU provided further clarity on the boundaries in relation to the retention of traffic and location data for the purposes of combatting serious crime. The CJEU has made further rulings on the issue of retaining traffic and location data more recently.

In Joined Cases C-793/19 and C-794/19, Bundesrepublik Deutschland v Space Net AG and Telekom Deutschland the CJEU reiterated that EU data protection law precludes national measures which provide for the general and indiscriminate retention of traffic and location data on a preventative basis. Chief among the concerns of the CJEU was the ability to use location and traffic data to draw very precise conclusions about the persons whose data has been retained, such as their habits of everyday life, places of residence, relationships and social environments frequented by them. The Court considered that such data provides the means of establishing profiles of individuals that are no less sensitive than the actual content of communications. The Court held, however, that EU law does not preclude legislative measures for the purposes of combating serious crime and preventing serious threats to public security that provide for:
 

• the targeted retention of traffic and location data which is limited, on the basis of objective and non-discriminatory factors, according to categories of persons concerned or using a geographical criterion for a no longer than is strictly necessary;
• the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a period that is limited to what is strictly necessary;
• the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; and
• recourse to an instruction requiring providers of electronic communications services, by means of a decision of the competent authority that is subject to effective judicial review, to undertake, for a specified period of time, the expedited retention of traffic and location data in the possession of those service providers.  

In light of the CJEU decision in GD v Commissioner of An Garda Síochána, the State moved to introduce the Communications (Retention of Data) (Amendment) Act 2022 ("the 2022 Act") which had been delayed as the State awaited the CJEU decision.

Some key areas of the 2022 Act are as follows:
 

• Obliges service providers to retain user data for a period of one year. This period may be increased or decreased by the Minister up to a maximum period of two years where necessary for and proportionate to the purposes of preventing, detecting, investigating or prosecuting offences and the safeguarding of the security of the State.
• Allows the Minister to seek an order for the retention of certain data by service providers where the Minister is satisfied that there exists a serious and genuine, present or foreseeable threat to the security of the State.
• Allows An Garda Síochána, the Permanent Defence Force, the Revenue Commissioners or the Competition and Consumer Protection Commission to require a service provider to disclose user data relating to a person where there are reasonable grounds for the request as it relates to each body.
• In cases of urgency, members of specified bodies can apply to a superior officer for an authorisation which will authorise the applicant to require a service provider to disclose specified Schedule 2 data, internet source data or cell site location data in the service provider's possession or control subject to any conditions or directions that are specified in the authorisation.  The superior officer will be required to apply to an authorising judge for affirmation of the authorisation no later than 72 hours after issuing the authorisation.
• Provides for preservation orders and production orders in respect of certain Schedule 2 data;
• Introduces offences for breaches of the 2011 Act with penalties of a class A fine and/or 12 months imprisonment on summary conviction and a fine up to €500,000 and/or 5 years imprisonment on indictment.

The 2022 Act has been signed into law by the President but is yet to be commenced by the Minister. It is unclear when this Act will be commenced and/or whether further legislation in this area may be introduced, in particular in light of more recent case law from the CJEU. We expect a number of other Member States are carefully considering their data retention laws in light of these judgments.   

Written by: Rory Ferguson, Craig Farrar and Ciara Cornyn