Will EU data privacy law free convicted murderer, Graham Dwyer?

Our new senior consultant Dr. Maria Moloney explores whether Graham Dwyer will benefit personally from the Court of Justice for the European Union’s (CJ EU) mobile phone metadata ruling of the 5th of April 2022?

Convicted murderer, Graham Dwyer has just successfully challenged the Irish Communications (Retention of Data) Act 2011, in the Court of Justice for the European Union (CJEU). Dwyer is an architect from Foxrock in Dublin who is serving life for the murder in 2012 of Elaine O’Hara, a childcare worker with whom he was romantically involved.
It was under the Irish Communications (Retention of Data) Act of 2011 that Dwyer’s mobile location data was seized and retained by the Gardai. This data was key to identifying him as a suspect in the murder case. The recent ruling of the CJEU affirmed that data retention under the Act was too general and indiscriminate to be valid under EU law, and that the Act’s retention process lacked independent oversight from a judge.
The CJEU stated that EU law does, in certain situations, permit targeted retention of data, but it is subject to time limits, safeguards for the data subjects and there must be a process of independent prior review.
According to Advocate General Manuel Campos Sánchez-Bordona, a legal adviser to the CJEU, general and indiscriminate retention of electronic communications traffic and location data is permitted only where there is “a serious threat to national security” that is shown to be genuine and present or foreseeable. The CJEU ruling clarifies that this does not stretch to murder cases.
The CJEU decision now makes it possible for Dwyer’s lawyers to bring his case to the Court of Appeal regarding his 2015 murder conviction arguing that information gathered from the retained mobile location data should not have been entered into evidence.
An important fact about the case is that the Data Retention EU Directive (2006/24/EC) that brought about the 2011 Act in the first place was later struck out by the CJEU in 2014. The Gardai, however, continued to use the 2011 Act to access and gather mobile phone data.
What does this mean for Data Protection Law in Europe and Ireland?
On the one hand, having this Data Retention Act 2011 struck out is a good thing for data protection in both Ireland and Europe, as the decision means phone companies can no longer retain general phone data arbitrarily. Consequently, it prevents the potential abuse of indiscriminate data retention of personal mobile phone data.
The idea, however, that this may cause a convicted murderer to walk free is unsettling, not to mention all the other convicted criminals waiting in the wings to have their day in court as a result of the 2011 Act being struck out. Senior Irish legal figures have warned many criminal investigations may struggle to get solved because of the stance the CJEU has taken.
All is not lost though, many criminal experts argue that once the State can prove that unconstitutionally obtained mobile phone evidence was attained due to an inadvertent breach of a data subject’s constitutional rights, it is still admissible as evidence against them.
Added to this, for this particular case, criminal law experts contend that it will prove difficult for Dwyer to be successful in his criminal appeal against his conviction of 2015 based on the CJEU ruling alone.
Author_ Dr Maria Moloney
April 2022