The Graham Dwyer Court of Justice Appeal: A Cruel Criminal With a Worthy Question

by Charlotte Waldron

Charlotte Waldron is a final-year Business and Law student at UCD. In this article, she critically assesses the Court of Justice’s decision in the Graham Dwyer appeal which concerned the use of data in fighting serious crime. She discusses the meaning of the Court’s decision for EU Member States’ data protection obligation’s in the context of law enforcement. 

This appeal provokes a consideration of fundamental questions of the twenty-first century: How paramount is individual privacy? How much emphasis should society put on maintaining the essence of that right, when surveillance policies created by governments seek to erode it? Intelligence-gathering technology facilitates monitoring of citizens to levels never observed before. The privacy invasions perpetrated by governments provoke a rumination of this issue. What is the price we want to pay for living in a free and secure society?[1] How much criminality is society capable of accepting for the benefit of safeguarding fundamental rights and freedoms?[2] The judgment in Case C-140/20, G.D. v Commissioner of An Garda Síochána and ors [3] by the Court of Justice (‘the Court’) considered such questions in the context of indiscriminate data retention with the objective of fighting serious crime. This case concerned Graham Dwyer, a man convicted of murder and sentenced to life imprisonment. Dwyer criticised the evidence used to convict him, particularly traffic and location data relating to phone calls. His central argument was that Communications (Retention of Data) Act 2011, which allowed for general and indiscriminate retention of data, infringed rights conferred onto him by EU law. He sought a declaration in the Irish High Court that provisions of this Act are invalid. This question was referred to the Court of Justice.

This judgment reaffirms the Court’s status as the guardian of privacy rights within the EU.  Its strict interpretation of the conditions which permit derogation from the principle of confidentiality protect the essence of the right to privacy.[4] The Court was correct in its three critical findings. Firstly, legislative measures which provide, as a preventive measure, for the purpose of combatting serious crime and for the prevention of serious threats to public security, for the general and indiscriminate retention of traffic and location data are unlawful, when read in light of Articles 7, 8, 11and 52(1) of the Charter of Fundamental Rights of the European Union(‘the Charter’).[5] Secondly, national legislation which allows for the centralised processing of requests for access to retained data, issued by the police, in the context of the investigation or prosecution of serious criminal offences is also not permitted when read in light of the aforementioned provisions. [6] Finally, EU law must be interpreted as precluding a national court from limiting the temporal effects of a declaration of invalidity which it is bound to make and no exception to this principle arose here.[7] The reasoning articulated by the Court in arriving at these conclusions was compelling.

The first, second and fourth questions referred to the Court considered whether Article 15(1) of Privacy and Electronic Communications Directive 2002/58/EC (‘Directive 2002/58’)[8] must be interpreted as precluding national legislation that provides for the general and indiscriminate retention of traffic and location data for the purposes of combating serious crime,[9] in light of Articles 7, 8, 11 and 52 of the Charter. The Court noted early in its judgment that the retention of such data itself constitutes a derogation from the prohibition laid down in Article 5(1) of Directive 2002/58 and an interference with fundamental rights to respect for private life and the protection of personal data in Article 7 and 8 of the Charter.[10] This is the case regardless of whether the information at issue is sensitive, whether the person concerned has been inconvenienced, or whether the data retained will or will not be used subsequently.[11] The Court aptly notes that traffic and location data may reveal significant aspects of an individual’s private life and can be used to establish a profile of individuals, even where the contents of communications do not form part of the data set.[12] This consideration is important as one reflects on what data should be permissible for the police to access. Traffic and location data should be protected, in part because they can form a profile of the individual’s concerned. 

In determining whether a measure is necessary in a democratic society, the Court will consider whether measures were proportionate to the legitimate aims they pursued.[13] This issue of proportionality requires the Court to consider whether the interference in this case is strictly necessary.[14] Objective criteria that establish a nexus between the data to be obtained and the objective pursued are required in considering whether the proportionality requirement is met.[15] It is stipulated that a hierarchy of objectives arises in the context of data retention.[16] Objectives pursued by the measure must be assessed in light of their respective importance and the seriousness of the interference they entail, in order to assess the concept of proportionality here.[17]

The Court indicated, in particular, that the objective of safeguarding national security justifies more serious interference with fundamental rights, because it takes relative priority in the hierarchy of objectives.[18] The essence of the threat posed to national security is distinguished from that posed by serious crime.[19] The objective of protecting national security protects the fundamental interests of society.[20] The risks inherent in issues of national security have the ability to destabilise the fundamental constitutional, political economic or social structures of a country[21] and are often foreseeable.[22] The Court convincingly differentiated between this concept and that of preventing serious crime, drawing on this compelling connection between national security and the stability of a state. In the Quadrature du Net case,[23] by introducing the concept of “targeted retention”, the Court had previously opened the door to a wide variety of possible exceptions to the rule that that general and indiscriminate retention of traffic and location data is precluded.[24] In this case, however, the Court stipulated that less interference with individual rights will be tolerated in the context of serious crime, because it falls lower on the hierarchy of rights. This reasoning is coherent and well-founded. A distinction must be made between national security and serious crime when reflecting on what privacy invasions society will tolerate. The Court effectively considered the proportionality of the interference and whether it is strictly necessary in this case.

Targeted retention is, however, nonetheless also permissible, in principle, in the context of serious crime. The Court recalled its earlier finding that targeted retention on the basis of non-discriminatory factors is allowed, but this is, again, limited to what is strictly necessary.[25] It continued by detailing how a targeted measure of retention such as a geographic criterion, would be permitted if the authority could point to, for example, the average crime rate in a geographic area.[26] The Court opined that “it is, in principle, not likely to give rise to discrimination, as the criterion drawn from the average rate of serious crime is entirely unconnected with any potentially discriminatory factors.”[27] I respectfully yet profusely disagree with this statement. If targeted retention is employed in areas with higher crime rates, it creates a two-tier system of surveillance, with those living in higher crime areas being subject to more monitoring. It is undoubtedly discriminatory. The Court should have recalled its hierarchy of objectives here. While the use of a geographical criterion as a basis for targeted retention may be tolerable in the context of national security, the discriminatory effect of the measure undoubtedly outweighs any benefit gained in the context of serious crime. This potential discriminatory effect can be seen when one considers the facts of the case that prompted the appeal to the Court. Graham Dwyer, a man convicted of murdering a woman, was a resident in a Dublin suburb which would likely not have been the subject of a targeted retention campaign based on its crime rate. The discriminatory effects of allowing a geographical criterion based on average crime rate to be imposed in the context of targeted retention are undeniable. The Court should not have proposed the use of this criterion.

The third question posed by the referring court concerned whether national legislation which allows for the centralised processing of requests for access to retained data, issued by the police in the context of the investigation or prosecution of serious criminal offences, is permitted.[28] It was held that prior review by a court or an independent administrative body is required in this context,[29] and that the suggestion by the referring court of allowing judicial review of the decision after the breach has occurred was not sufficient. I agree with the finding of the Court. The decision must be subject to review before the breach of such fundamental rights occur—that is, before the implementation of the offending data retention measure. A short time is available to bring judicial review proceedings in Ireland, which could have a barring effect on potential applicants.[30] Individuals may not even be aware their rights have been breached within the three-month period allowed for judicial review in Ireland. The Court, in requiring prior review by an independent body or court, protected the essence of an individual’s right to data protection. It also protected an individual’s right to recourse within the law when that right has been infringed.

The independent body or court must also be in a position to actually make the decision. In a separate context, fears of the independent body or court merely “rubber-stamping” a decision have been raised.[31] These fears are also relevant here. It must be clear whether the decision-maker has the capacity to come to their own conclusion. Furthermore, I submit that a court would be the more favourable option as decision-maker as a court is more accustomed to weighing evidence and discerning findings of fact. The Court’s conclusion on the third question referred to for preliminary ruling is rational and well-grounded. National legislation which allows for the centralised processing of requests for access to retained data, issued by the police in the context of the investigation or prosecution of serious criminal offences, is not permitted in light of the relevant Charter articles.[32]

The fifth and sixth questions referred to the Court concern whether EU law must be interpreted as precluding a national court from limiting the temporal effects of a declaration of invalidity which the national court is bound to make.[33] The Court outlined how in exceptional cases, on the basis of overriding considerations of legal certainty, it may allow the temporary suspension of the ousting effect of the rule of EU law with respect to national law that is contrary to it,[34]but this is not such an exceptional case.[35] This is the correct finding. No exceptional circumstances arise that give rise to issues of legal certainty. The admissibility of the evidence obtained by such retention is matter for national law, subject to compliance with the principles of equivalence and effectiveness[36]. In an Irish context, given the decision in DPP v. J.C,[37] the evidence in question may still be permissible. Dwyer’s conviction likely remains sound, but future convictions will need to be secured without the general and indiscriminate retention of traffic and location data.

Dwyer’s offences are forever etched in the collective memory of Irish society. However, the questions posed in his appeal in this case are imperative.  It forces society to consider how much privacy invasion by the government is permissible. The desire to catch and bring perpetrators such as Dwyer to justice, should not erode the nature of the fundamental rights at issue in this case.

In sum, in this judgment the Court has undoubtedly solidified its role in many minds as the Protector-in-Chief of the data rights of European citizens. The Court pushes back on the notion that if a crime can be solved through surveillance, it must be solved through surveillance. Society must be able to accept a certain level of crime to maintain the essence of privacy protection. As issues continue to arise from the creation of new technologies, including most recently the issue of predictive policing, it is imperative that the Court continues its role as guardian of the privacy rights of EU citizens. This judgment represents a win for privacy-protection advocates in Europe and around the world.


[1] Adam Juszczak and Elisa Sason ‘Recalibrating Data Retention in the EU’ [2021] 4 Eucrim < https://eucrim.eu/articles/recalibrating-data-retention-in-the-eu/ > Accessed at: 11/04/2022

[2] ibid.

[3] Case C-140/20 (A request for preliminary ruling under Article 267 TFEU from the Supreme Court (Ireland) made by decision of 25 March 2020, received at the Court of 4 August 2016, in the proceedings G.D. v Commissioner of An Garda Síochána, Minister for Communications, Energy and Natural Resources, Attorney General) ECJ (5 April 2022).

[4] ibid, para 51.

[5] Charter of Fundamental Rights of European Union 2000.

[6] G.D. v Commissioner of An Garda Síochána (n 3) para 114.

[7] ibid, para 128.

[8] Directive 2002/58/EC on Privacy and Electronic Communications [2002] OJ l 201.

[9] G.D. v Commissioner of An Garda Síochána (n 3) 31.

[10] ibid, para 44.

[11] ibid, para 44.

[12] ibid, para 45.

[13] European Court of Human Rights, Guide on Article 8 of the European Convention on Human Rights (Updated 31 August 2021 https://www.echr.coe.int/documents/guide_art_8_eng.pdf > Accessed at: 11/04/2022, para 29

[14] G.D. v Commissioner of An Garda Síochána (n 3) para 54.

[15] ibid, para 55.

[16] ibid, para 56.

[17] ibid, para 56.

[18] ibid, para 57.

[19] ibid, para 62.

[20] ibid, para 61.

[21] ibid, para 61.

[22] ibid, para 62.

[23] C- 511/ 18, C-512/18, C-520/18 Request for a preliminary ruling from the Conseil d’État (France) lodged on 3 August 2018 — La Quadrature du Net, French Data Network, Fédération des fournisseurs d’accès à Internet associatifs, Igwan.net v Premier ministre, Garde des Sceaux, Ministre de la Justice, Ministre de l’Intérieur, Ministre des Armées (Case C-511/18) and request for a preliminary ruling from the Conseil d’État (France) lodged on 3 August 2018, French Data Network, La Quadrature du Net, Fédération des fournisseurs d’accès à Internet associatifs v Premier ministre, Garde des Sceaux, Ministre de la Justice (Case C-512/18).

[24] Adam Juszczak and Elisa Sason ‘Recalibrating Data Retention in the EU’ [2021] 4 Eucrim < https://eucrim.eu/articles/recalibrating-data-retention-in-the-eu/ > Accessed at: 11/04/2022

[25] G.D. v Commissioner of An Garda Síochána (n 3) para 67.

[26] ibid, para 79.

[27] ibid, para 80.

[28] ibid, para 102.

[29] ibid, para 106.

[30] Order 84, Rule 21, Rules of the Superior Courts.

[31] Adam Juszczak and Elisa Sason ‘Recalibrating Data Retention in the EU’ [2021] 4 Eucrim < https://eucrim.eu/articles/recalibrating-data-retention-in-the-eu/ > Accessed at: 11/04/2022

[32] G.D. v Commissioner of An Garda Síochána (n 3) para 114.

[33] ibid para 115.

[34] ibid para 119.

[35] ibid para 123.

[36] ibid para 128.

[37] Director of Public Prosecutions v J.C. [2015] IESC 31.


%d bloggers like this: