The European Court of Justice has ruled that the general and indiscriminate retention of traffic and location data for the purpose of combatting serious crime is prohibited by EU law.*

The court found in favour of convicted murderer Graham Dwyer who challenged Ireland’s use of mobile phone metadata in his conviction, with potential implications for criminal investigations across Europe.

Comments Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy & cybersecurity practice: “This decision is no surprise, given the court’s previous rulings on data retention. Indeed, the repeated references to ‘settled case-law’ perhaps betray its snark in having to reiterate that indiscriminate retention is not permitted for combatting serious crime.

“The court made clear that the admissibility of unlawfully obtained evidence is a matter for national law, so this is unlikely to be the end of the story – both for Dwyer’s case and the ongoing saga over data retention in Europe.”

“The case is timely, as it follows the recent agreement in principle of a new transatlantic data pact between the EU and US. Given that the agreement is designed to rein in US government surveillance, that a European member state has again breached similar obligations under EU law doesn’t look good when the US is being told that it needs to reform its snooping laws, if it wants a data deal.”

* https://curia.europa.eu/jcms/upload/docs/application/pdf/2022-04/cp220058en.pdf