Dwyer data defence leaves ripple effect for Irish spying laws

It allowed gardaí to access — without having to get independent authorisation, say from a court — data from a suspect’s mobile phone and internet use to build a potentially very detailed picture of their lives, not only their call history or internet history, but also their physical movements.

This bank of information played an important role in the conviction of Dwyer in March 2015, for the murder of Elaine O’Hara in August 2012.

The 36-year-old woman had only been discharged from a mental health facility the morning of her disappearance.

Chance sightings at a south Dublin park and good police work by a local garda — James O’Donoghue — led to the discovery of belongings and some remains of Ms O’Hara.

Mobile phone evidence — including ‘communication data’ on call usage and movement as well as the content of texts — helped convince the jury of his guilt.

The legislation providing the legal basis to access mobile phone data was contained in the Communication (Retention of Data) Act 2011.

It provided access on three grounds: Investigation of serious crime; security of the State; and locating a missing person/saving a human life.

The first ground was the remit primarily of An Garda Síochána, but was also available to Garda Síochána Ombudsman Commission, Revenue and Competition and Consumer Protection Commission.

Both gardaí and Defence Forces used it for State security reasons, and the gardaí could use it for a missing person.

The power was used extensively — 92,000 times over the five years between 2013 and 2017, reaching a high of 20,500 in 2017.

The vast bulk — almost 98% — of communication data disclosures were to gardaí.

It’s not that successive governments and the Department of Justice did not know there was a looming crisis.

A case by Digital Rights Ireland led to a landmark court ruling — one of many — in the European Court of Justice (ECJ) in 2014.

The following year, the then government produced a heads of bill to take account of the ruling.

In 2016, there was another ECJ ruling prohibiting general and indiscriminate retention of data.

Murray Report

In October 2017, the Murray Report made it clear to the Government that the law was on dodgy legal grounds.

Dwyer’s case contesting the use of communication data as evidence in his murder trial reached a climax in the High Court in December 2018.

Mr Justice Tony O’Connor found that the 2011 Act was “general and indiscriminate” and breached the “fundamental right to privacy” under European laws.

The judge stated that his ruling applied to the access to communication data for the investigation of serious crime, and not provisions on security of the State of living saving searches.

This ruling had a major impact on the use of the 2011 act, as seen in the following year’s figures.

The total number of requests for data fell dramatically in a year, from 20,000 in 2017 to less than 13,900 in 2018.

Thereafter, it continued to fall — to 8,355 in 2019, to 5,184 in 2020 and to 2,869 in 2021.

In the meantime, the court cases kept coming, culminating in another ECJ ruling, in April 2022, confirming that Ireland’s data-retention regime breached EU law.

It was then that the Government rushed through legislation — the Communication (Retention of Data) Amendment Act 2022.

A new report on the application of the amended law by an oversight judge — coincidentally Mr Justice O'Connor — shows there were 2,520 requests by State services between June 2023 and April 2024.

Mr Justice O'Connor, while recognising the “unenviable” job of those who draft legislation, said there were “few pieces of legislation on the statute book as convoluted as the 2022 Act” — and recommended the law be, again, cleared up.