The Communications (Retention of Data) (Amendment) Act 2022: ignore the warnings, legislate in haste, repent at leisure – variously updated

Data Retention; via Dall-E 2; modifiedThe headline in the Irish Examiner is stark: “European Commission says Ireland’s new data law may be ‘inapplicable’.” Cianan Brennan reports that the European Commission “has dismissed Ireland’s new controversial data retention law as possibly ‘inapplicable and unenforceable’, as it was not submitted to the Commission before its enactment”. The legislation in question is the Communications (Retention of Data) (Amendment) Act 2022 (also here); and it was, as Brennan says, rushed through the Oireachtas last summer with minimal scrutiny.

It is worth pausing for a moment to see where the Act came from, and to consider why it was so rushed. The Department of Justice repeatedly failed to take the right path, even as it has had plenty of opportunity to do so. When it finally did something, it acted hastily; and it now seems that the hasty solution hasn’t worked.

The legal story starts on 27 March 2015, when Graham Dwyer was convicted of murdering Elaine O’Hara in 2012. Much of the evidence had been gathered pursuant to Section 6(1) of the Communications (Retention of Data) Act 2011 (also here), which provides:

A member of the Garda Síochána not below the rank of chief superintendent may request a service provider to disclose to that member data retained by the service provider in accordance with section 3 where that member is satisfied that the data are required for—

(a) the prevention, detection, investigation or prosecution of a serious offence, …

That Act had been introduced to implement the Data Retention Directive (Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, 13.4.2006, p. 54–63)). However, in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger (ECLI:EU:C:2014:238; Grand Chamber, CJEU; 08 April 2014), the CJEU struck down the Directive on privacy grounds. From the date of that judgment, the writing was on the wall for the validity of the 2011 Act. This was long before the Dwyer case; and, if the Department had acted promptly at that stage to bring Ireland’s data retention regime into compliance with EU law, none of the subsequent mess would have happened. This was the Department’s first warning, a warning the CJEU repeated regularly thereafter as various data retention regimes have been tested against EU law and found wanting (see, eg, Joined Cases C-203/15 and C-698/15; Case C-623/17; Joined Cases C-511/18 and C-512/18; Case C-520/18; Case C-764/18).

Three years after the Digital Rights Ireland case, Mr Justice John L Murray concluded that many of the features of the 2011 Act were precluded by EU law (Review of the Law on Retention of and Access to Communications Data (2017; pdf via here) (submitted April 2017; published 3 October 2017)). This was the Department’s second warning that the 2011 Act was on shaky legal foundations. It may have come too late to rescue the legal position for the Dwyer case; but it looked as though the Department had chosen to grasp the nettle: accompanying the the Murray Review, the Department published a General Scheme of a Communications (Retention of Data) Bill 2017 (pdf via here). The Joint Oireachtas Committee on Justice and Equality published its highly critical Report on Pre-Legislative Scrutiny (pdf) of the Scheme in January 2018; and the Bill has continued to appear in the Government’s Legislative Programmes (see, eg, Legislative Programme for Summer 2021 and Autumn 2021; and Spring 2022 and Autumn 2022 as the Communications (Data, Retention and Disclosure) Bill) but not as a priority. The Bill was effectively left to languish, and the Department squandered its second opportunity to bring Ireland’s data retention regime into compliance with EU law.

Meanwhile, Dwyer challenged the validity of the 2011 Act; and, when his case reached the CJEU, the Court said that the Supreme Court was “bound to make” a declaration that the 2011 Act is incompatible with EU law (see Case C-140/20 GD v Commissioner of An Garda Síochána (ECLI:EU:C:2022:258; CJEU, Grand Chamber; 5 April 2022) [123], [128], [129](3)). And the Court has repeatedly reaffirmed its DRI and GD holdings (see, eg, Case C-817/19; Joined Cases C-793/19 and C-794/19; Joined Cases C-339/20 and C-397/20; Case C-470/21). EU Law is clear beyond argument at this point. And this was not so much a third warning as a third strike against the 2011 Act. So the Department finally decided to act, though only to do the absolute bare minimum necessary to respond to the GD decision. Immediately after the CJEU handed down its judgment, the Minister for Justice announced that her Department was working on legislation in relation to the case (Irish Examiner | 11 April 2022; Irish Independent 12 April 2022; Irish Times 19 April 2022). Indeed, she already had the Communications (Retention of Data) Bill 2017 in the pipeline. However, many features of the 2017 Bill would not survive scrutiny against EU law requirements of oversight (see, eg, McIntyre (pdf)), so the Department would have had to do a lot of work on it to make it compliant.

Rather than do that work, the Minister sought and received Cabinet approval for an immediate (if limited) legislative response to the CJEU’s judgment (Press Release, Department of Justice | Irish Examiner | Irish Independent | Irish Times | 31 May 2022), to amend the 2011 Act rather than revise the 2017 Bill, as an emergency measure until more comprehensive legislation based on a revision of the 2017 Bill could be passed. The General Scheme of a Communications (Retention of Data) (Amendment) Bill 2022 was published by the Department of Justice on 21 June 2022, to amend the 2011 Act. It effectively ensured that communications data could be retained for national security reasons only (Irish Examiner | Irish Times 21 June 2022); and it provided for the preservation and production orders envisaged as exceptions by the CJEU in GD. These orders are severely criticised in Aisling Kelly “Based in Reality” (2022) 116(5) Law Society Gazette 20 (pdf; June 2022 issue), and the whole Bill is trenchantly critqued by the ICCL. In particular, they argue that the Bill

  • permits rolling one-year renewable data retention: this, in effect, amounts to indefinite retention;
  • fails to provide any definition of national security;
  • fails to provide for protection of journalists’ sources;
  • fails to provide an adequate oversight mechanism;
  • fails to provide judicial remedies for a breach of the powers provided in the Bill;
  • attempts the retrospective validation of illegal data retention, contrary to EU law; and
  • attempts to interfere with the independence of the Courts and of the Data Protection Commission.

Nevertheless, Minister McEntee sought and received Cabinet approval to introduce the Bill to a special Friday sitting of the Dáil on 1 July (Irish Times 28 June 2022). However, the Oireachtas Justice Committee declined her request to waive pre-legislative scrutiny (Irish Times 28 June 2022). Despite misgivings (Irish Times 30 June 2022), it scheduled a hearing for Thursday 30 June 2022 (transcript | video), and published an expedited (and critical) report (pdf) that evening. The Bill was published the following day, on 1 July 2022. However, this was too late to permit it to be debated that day, as the Minister had hoped, and it didn’t appear on the Dáil schedule. Instead, the Second Stage was scheduled for the following Tuesday 5 July 2022 (transcript | video), and the Committee and Final stages for the next day, Wednesday 6 July 2022 (transcript | video). The Bill finished all stages in the Seanad the following Tuesday, 12 July 2022 (transcript | video) and Wednesday, 13 July 2022 (transcript | video) (see, generally, here); and it was signed into law by the President on Thursday 21 July 2022 (see here), as the Communications (Retention of Data) (Amendment) Act 2022. This was enacted pretty much as quickly as it could have been.

Despite all this rush to enact it, the Act has was not commenced pursuant to section 11, probably because the Department of Justice had failed to notify it to the EU Commission pursuant to Directive (EU) 2015/1535 (Irish Examiner 04 December 2022 | The Gist 05 December 2022 | Irish Times 08 December 2022). At that stage, the Department said that it believed that the Act fell under an exception for legislation implementing CJEU decisions (see Irish Examiner here | here). Nevertheless, the Department submitted the Act to the Commission a fortnight later.

In the response reported on by Brennan in the Irish Examiner article with which this post opened, the Commission indicated that Directive (EU) 2015/1535 requires that Member States notify legislation in a draft stage, and that the legislation should remain in that draft stage for the three-month period that the Commission is considering it. Moreover, the Commission reminded the Department that the CJEU has held that such legislation cannot be applied if, though notified, it has been adopted, entered into force and implemented before the end of that three-month period. The Commission concluded its reply by warning that that a failure to respect that three-month period would be a material procedural defect rendering the legislation at issue inapplicable and unenforceable against individuals. Given that the Department did not notify the Act when it was a Bill and thus in draft form, but instead adopted it before notifying it, this would seem to sound the death-knell for the 2022 Act. Nevertheless, the Department told Brennan that it continues to engage “at European level” and that its aim was to commence the Act “at the earliest possible date”. In a follow-up‘s piece, Brennan suggests that this seems to be a deeply charitable appraisal of the situation. And the Commission’s response suggests that this is unlikely, to say the least. The moral of this aspect of the story is: ignore the warnings. legislate in haste, repent at leisure.

Penultimately, not only is the Act being called into question by the European Commission, but – as Ronan Lupton SC told Mary Carolan in the Irish Times – it could also face challenges in the Irish Courts from telecommunications companies or data privacy campaigners, to say nothing of challenges from journalists, or accused or convicted persons like Graham Dwyer, all for the kinds of reasons set out by the ICCL above.

Finally, recall that the 2022 Act is only intended to be a temporary stopgap to allow more time for the overhaul of the 2011 Act; as the Minister confirmed in July 2022 during the Second Stage debate:

.. later in 2022 I intend to bring forward a set of wider reforms to clarify and consolidate the law on data retention. I intend to publish an updated general scheme of a Bill, which will build on a previous general scheme that was published in 2017 and completed scrutiny in early 2018. This general scheme will also have regard to the evolving case law of the Court of Justice in the intervening period and will be proposed for discussion and further consultation, as required, before the Joint Committee on Justice.

2022 has come and gone, and – surprise! surprise! – we are still waiting for that Bill. This may be a blessing in disguise for the Department, because it is the only vehicle left by which it can now establish a data retention regime that complies with EU law. In doing so, perhaps it might finally heed the warnings and learn the lesson that it ignores EU law on this issue at its peril.

Note: I have consolidated all of the updates in a post on recent developments with traffic data retention.