Case Note: Digital Rights Ireland Ltd v Minister For Communications, Marine And Natural Resources (Joined Cases C-293/12 And C-594/12)

by Av. Merve Koca

Introduction

This case note will examine in depth the case of Digital Rights Ireland[1] ruled by the Court of Justice of the European Union -Grand Chamber- on 08 April 2014. The judgment resulted in the invalidation of the Data Retention Directive 2006/24/EC[2] and, in particular, redrew the boundaries of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The facts and reasoning of the case, the logic of the decision, the application of the proportionality test will be examined from a broad perspective, considering its implications for the development of the field, the connection with previous case law and its status in relation to privacy and data protection law in European Union. This examination will provide a critical analysis of the case.

1. Facts of the Case

The European Court of Justice ruled that the Data Retention Directive was incompatible with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union and constituted a violation, thereby declaring the Directive invalid in the Digital Ireland case. The main reasoning behind the Court's decision was that states cannot extend the surveillance powers they hold within the scope of legitimate security measures; rather, they must use these powers in a manner that is lawful and does not violate individuals' privacy rights. In this context, the Court concluded that a balance must be struck between the legitimate security rights of states and the privacy rights of individuals in accordance with the principle of proportionality. This decision by the Court caused a great stir in both European and international circles and had a significant impact on shaping legal frameworks.

Digital Rights Ireland Ltd.[3] is a non-profit civil society organisation based in Ireland, whose primary aim is to ensure the protection of individuals' data in the digital environment. In order to defend these rights, it has objected to the regulation in Article 6 of the Directive requiring telecommunications providers to retain metadata relating to telephone and internet communications for up to two years for use in investigations.

The applicant, Digital Rights Ireland Ltd., argued that the data retention scheme contained in the Directive infringed the rights enshrined in Article 7 of the EU Charter, entitled “Respect for private life”, and Article 8, entitled “Protection of personal data”, primarily the constitutional right to privacy. The case was then referred to the Court of Justice of the European Union, along with questions from the Irish High Court regarding the Directive's compatibility with the EU Charter. Similarly, the Austrian Constitutional Court also brought a case, and these cases were joined as C-293/12 and C-594/12. The ruling issued by the Court of Justice of the European Union in this case would, pursuant to Article 267 of the Treaty on the Functioning of the European Union, be binding on the referring court and would ensure the consistent application of EU law across all Member States in accordance with the purpose of the article.

According to the Directive, electronic communications service providers could store traffic and location data generated and/or processed in the course of providing these services for periods ranging from six months to two years. However, this storage would apply to all users' data, regardless of whether they were suspected of any crime. The stored data would cover metadata relating to telephone, mobile phone, SMS, email and internet access, excluding content. EU law, which has been significantly influenced by post-11 September security paradigms,[4] generally accepts such retention regulations as legitimate national security measures. However, there remains a significant question as to whether retention carried out in accordance with the directive provides sufficient protection for individuals' personal data.

At this point, the Court turned to the proportionality analysis and followed its previous case law on fundamental rights.[5] However, the Directive failed the necessity and proportionality tests. The Court found three instances of disproportion in the Directive:

  1. General distinctions and indiscriminate retention:

Any doubt regarding the scope of the interference and the failure to seek risk factors was found to be disproportionate. This approach would later become a detailed standard in the Tele2 Sverige[6] EU decision.

  1. Clear limitations on access and use:

The conversion of conditions for access to data into national law, the absence of independent judicial or administrative oversight, and the insufficiently limited recognition of law enforcement support are problematic.

  1. Requirements for technical and organisational security measures:

The determination of storage requirements without analysis and the lack of regulation on the requirement to store data within the EU were incompatible with the protection standard in Article 8 of the Directive.

  1. Three decisive proportionality errors:

A) Lack of differentiation or targeting: The directive applied to all users regardless of risk factors, geography, time period or suspicion. This error formed the basis of the subsequent Tele2 Sverige doctrine prohibiting general and indiscriminate retention.

B) Absence of strict access safeguards: There was no prior judicial or independent administrative authorisation requirement. Access purposes were broad and undefined. Retention periods -6-24 months- were not based on objective criteria.

C) Inadequate data security and oversight obligations: The directive permitted storage outside the EU without equivalent safeguards. There were no specific requirements for security measures, integrity, or destruction.

2. Decision and Ratio Decidendi

The Grand Chamber ruled at the end of the case that the entire directive was invalid.

Although the Court stated in its ruling that the legitimate aim of implementing the Directive was to combat serious crime and that the storage of data was acceptable in this context, it ruled that the Directive did not comply with the principle of proportionality. Under the provisions of the Directive, the data of almost the entire EU population could have been stored without any distinction and without sufficient safeguards.

The Court of Justice of the European Union ruling contained three important findings.

  1. This type of general and indiscriminate storage of traffic and location data is incompatible with Articles 7 -respect for private life-, 8 -protection of personal data-, 11 and 52/1 of the Charter of Fundamental Rights of the European Union.

  2. For police access, data access requests made by a central organisation (police + state) must be subject to prior judicial or independent review.

  3. National courts cannot establish rules to limit the ‘extended effect of invalidity (temporary suspension)’ due to compliance with EU case law: Courts must issue a decision of full invalidity in accordance with EU case law.[7]

The reasons that led the court to this decision can be summarised under the following headings.

  • Interference with fundamental rights guaranteed by the Charter of Fundamental Rights of the European Union

Serious interference with private life through the storage of comprehensive data[8] relating to individuals' private lives, contrary to the provisions of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union[9]

  • The regulation not having clear and precise limitations and safeguards to protect data subjects[10]

The Directive does not contain the legal basis for access to data by authorities, the purpose limitation, and access control provisions set out in Articles 5/1-a, 6, and 32 of the General Data Protection Regulation EU 2016/679,[11] which are fundamental elements of data protection; Article 5/1-e on data retention periods, which stipulates that data may not be kept longer than necessary; and Articles 5/1-f on technical and organisational security measures to protect data against misuse, and 32 on protection against unauthorised access, disclosure, loss and misuse, which it fails to incorporate with objective criteria

  • Contradiction with the principle of proportionality,[12] which is the fundamental control criterion applied in any process that restricts rights or freedoms

Although the Directive is regulated within the scope of legitimate security measures and serves a purpose, it clearly violates the principle of proportionality[13] because it is not limited in accordance with the regulations within the scope of the General Data Protection Regulation and does not contain any provisions regarding access to data.

The Digital Rights Ireland case encompasses the entire spectrum of privacy, surveillance and data retention, and is a case that arises at the intersection of these three areas. This case is at the centre of debates in both EU law and Irish law. From a doctrinal perspective, it also pioneers a noteworthy development in the context of constitutional and EU law based on data protection.

3. Critical Analysis and Discussion

In this section, the decision will be examined in greater detail in relation to academic assessments and case law.

3.1. Correctness of the decision

When examining the decision rendered in the case, we can see that the court issued a legally sound decision based on strong grounds. Moreover, since the decision rendered the Directive entirely invalid, the Court was, of course, obliged to establish a strong legal basis for its decision. The decision treats privacy and data protection as separate and autonomous rights. In particular, proportionality, which is the fundamental basis of the decision, is seen to uphold the established case law of the EU on fundamental rights[14]. However, it could be argued that the complete invalidation of the Directive is excessively strict against that its annulment. At the same time, this has left a regulatory gap in data retention law.

3.2. Departure from precedent

Prior to this court ruling, the EU institutions had not intervened in any way in the security measures taken by member states and their respective internal security measures. Therefore, the ruling in the Digital Rights Ireland case defended a departure from previous approaches in certain respects and emphasised the need for countries' security objectives to be regulated in a manner consistent with the EU's fundamental rights standards. Earlier decisions had not applied such strict proportionality scrutiny to security-related processing. The shift reflects a constitutional elevation of Articles 7 and 8 Charter of Fundamental Rights of the European Union. This argument was deemed valid, enabling courts to exercise broader oversight over data processing activities conducted by law enforcement agencies.

With Digital Rights Ireland case, the Court departed from earlier, more deferential approaches to state surveillance, particularly under E-Privacy Directive 2002/58[15] Article 15/1, which permitted restrictions for security purposes. The Court also moved away from the European Court of Human Rights’ more flexible margin-of-appreciation model in cases such as S. and Marper v UK.[16] The Court of Justice of European Union’s approach is more rigid because the Charter requires strict justification for limitations.[17]

3.3. Extra-legal repercussions

Following this decision, all Member States felt the need to reform their local data retention regimes, primarily Ireland's Communications (Retention of Data) Act 2011. Furthermore, the ruling emerged shortly after the Snowden disclosures 2013[18], which exposed mass surveillance practices by state agencies. This decision has led to intense debates on issues such as mass surveillance legislation and policy, which have continued to this day.[19] Although the Court does not cite these events, the socio-political context is relevant. Public concern over bulk surveillance shaped the interpretive environment. The Court established, for the first time in EU law, a clear "general surveillance protection" approach by recognizing that mass data storage is consistently incompatible with democratic society. This point aligns with the concerns that arose after the Snowden revelations, but the decision did not base itself on a personal context; the reasoning was based on legal merits. The decision reflects a broader European cultural commitment to informational self-determination, influenced by German constitutional thought[20] and Directive 95/46’s legacy.[21] Moreover, Article 8 of the Charter of Fundamental Rights of European Union has gained real substance, strengthening the EU's foundations on fundamental rights.

3.4. Influence on subsequent jurisprudence

The principles established by the court in the Digital Rights Ireland case formed the basis of the Tele2 Sverige AB (C-203/15) and La Quadrature du Net (Joined Cases C-511/18, C-512/18, C-520/18)[22] and have been reinforced by addressing the reasoning in greater detail.

  • Tele2 Sverige AB (C-203/15)

Tele2 Sverige applied Digital Rights Ireland to national laws. The Court held:

General and indiscriminate retention is always incompatible with the Charter. Only targeted retention is permissible, based on objective criteria such as geographical areas, persons, or time periods. Access must always be subject to prior judicial authorisation. This significantly expanded the logic of Digital Rights Ireland, effectively prohibiting national regimes based on bulk retention. The ruling confirmed the “binary” logic implied by Digital Rights Ireland: either targeted retention or none. However, Tele2 relied heavily on concepts introduced but not fully developed in Digital Rights Ireland, highlighting the earlier judgment’s lack of precision.

  • La Quadrature du Net (C-511/18, C-512/18, C-520/18)

This case revisited the issue under national-security legislation.

The Court reaffirmed that general retention for ordinary crime is impermissible but recognised limited exceptions for national security in cases of:

a genuine, present, or foreseeable threat to national security, subject to strict oversight, time-limited, and reviewed by independent authorities. This nuanced approach arose precisely because Digital Rights Ireland did not deal with national-security regimes.

The above later judgment shows the structural incompleteness of the Digital Rights Ireland case ruling. In similar ongoing cases, it has been emphasised that situations such as “general retention” and “mass data retention” cannot be accepted under EU law, and that only “targeted data retention” is permitted. The prohibition on data retention has been extended without clear distinction in each case, while the permitted matters have been limited. The case continues to influence legal developments such as the EU ePrivacy Regulation and amendments to Ireland's Data Retention Act. Furthermore, these cases have shaped Irish cases such as DPP v Graham Dwyer [2022] IESC 4,[23] where the High Court invalidated national data retention provisions based on the Digital Rights Ireland ruling.

  • DPP v Graham Dwyer (2022 IESC 4)

The Irish Supreme Court applied Digital Rights Ireland and Tele2 Sverige to domestic legislation. It held that the 2011 Irish Act on which Dwyer’s conviction was partly based violated EU law because it allowed general retention without independent prior authorisation. The Court emphasised that constitutional criminal-procedure concerns cannot override binding EU privacy requirements. The ruling demonstrates the long-term effect of Digital Rights Ireland: mandatory changes in national criminal-investigation practices.

3.5. Critiques in Academic Commentary

This section evaluates the correctness of the Court’s reasoning, drawing on academic commentary and subsequent jurisprudence.

A. Was the reasoning sound?

The proportionality reasoning is coherent. The Court correctly identified that indiscriminate retention creates a systemic surveillance structure independent of suspicion.

Lynskey[24] emphasises that the recognition of metadata’s profiling capacity represents a realistic understanding of technological capabilities. Costello[25] argues that treating data retention as inherently high-risk aligns with the Charter’s architecture, which treats data protection -article 8- as a freestanding right. Both assessments accurately reflect the judgment’s doctrinal significance.

However, the Court approached the Directive as if it lacked any safeguards whatsoever, which is factually imprecise. The Directive did impose minimum security requirements and limited retention to a maximum of two years. The Court of Justice of European Union considered these insufficient but did not specify what level would be adequate. This lack of calibration undermined the ruling’s practical utility.

B. Problems created by the judgment

i. Lack of practicable guidance

Here Korff’s[26] analysis is instructive. In “Data Retention in the EU: The CJEU’s Failure to Provide Practicable Guidance” he argues that the Court did not articulate usable criteria for lawful targeted retention. He contends that references to crime levels, geographic risk, and objective assessment are conceptually vague and operationally unworkable for legislators. This critique is accurate: the judgment sets negative limits “not general and indiscriminate” but does not set positive standards. Marie Georges[27] similarly highlights that the Court’s analysis does not clarify how national security exceptions under Article 4/2 of Treaty on European Union interact with the Charter. These critiques predict issues that indeed arose later.

ii. Lack of clarity regarding “serious crime”

The Court did not define “serious crime,” leaving the concept to Member States. This omission weakened the harmonising purpose of EU privacy law.

iii. No engagement with operational policing needs

Costello notes that the Court did not meaningfully assess whether targeted retention alone could support effective investigations. Law-enforcement bodies argued that retrospective metadata analysis often requires bulk databases. The Court does not address this tension.

As a result, the decision has been criticised as normatively strong but pragmatically thin.

C. Did the Court fail to address anything important?

Several gaps are clear: No explanation of how targeted retention should be operationalised. Policymakers were left without a technical standard. No meaningful reconciliation with Article 4/2 of Treaty on European Union national-security exceptions. No analysis of the potential chilling effect on media freedom Article 11 of Charter of Fundamental Rights of the European Union. The Court recognised interference but did not fully explore it. No transitional measures. Invalidation with immediate effect caused regulatory vacuum. No discussion of proportionality in relation to rapid technological developments. These omissions do not undermine the core logic but weaken doctrinal clarity.

D. Overall assessment

The judgment correctly identified the constitutional dangers of indiscriminate retention. It anchored Articles 7 and 8 of Charter of Fundamental Rights of the European Union as active constraints on EU legislation. However, critics such as Korff and Georges[28] accurately note that the ruling failed to provide actionable legislative guidance. Lynskey’s defence that strong rights protection requires decisive intervention is persuasive, yet operational ambiguity has plagued EU and national regimes since 2014.

Roisin Costello argued that privacy and data protection in EU law are increasingly being strengthened as a ‘substantive fundamental right,’[29] and Orla Lynskey similarly characterised the EU data protection regime as a ‘fundamental rights framework’.[30] While praising the Court of Justice of the European Union for strengthening privacy as a substantive right, they also questioned whether the decision sufficiently met the needs of law enforcement agencies. Kuner,[31] Lynskey[32] noted that the Court failed to establish a consistent standard for distinguishing between permissible ‘targeted’ storage and prohibited ‘general’ storage. The lack of practical guidance in the decision has led to uncertainty among Member States regarding the establishment of harmonised legal frameworks.

The Court’s reasoning is legally and normatively defensible but technically incomplete.

Conclusion

The Digital Rights Ireland case, with the European Court of Justice ruling in 2014 that invalidated the Data Retention Directive, has become one of the most significant turning points in European privacy and data protection law. This ruling continues to guide both European and national law.

The Data Retention Directive required telecommunications companies to collect and store all users' communications traffic data indiscriminately and collectively for reasons of national security and combating crime. The European Court of Justice ruled that this practice violated Articles 7 -privacy- and 8 -protection of personal data- of the Charter of Fundamental Rights of the European Union and annulled the Directive in its entirety. The Court emphasised that mass surveillance, such as data retention, constitutes a serious violation of fundamental rights and can only be justified by very strict, proportionate and necessary measures in a democratic society. The ruling confirmed that the rule of law, human rights, proportionality and privacy must be prioritised not only in data retention but in all areas requiring large-scale data processing or surveillance.

Following the annulment of the Directive, it became mandatory for Member States to bring their national data retention regimes into line with EU standards in terms of proportionality, necessity and effective oversight. The ruling also highlighted the need for stronger judicial oversight and safeguards, given the falling cost and increasing ease of surveillance technologies.

However, the European Court of Justice's decision did not establish practical criteria regarding the type of data that can be stored, the storage period, or the conditions for access, which has increased regulatory uncertainty in Member States and led to different national practices. The Court has been criticised for failing to draw concrete boundaries on how it will distinguish between ‘targeted’ and ‘general’ data retention, instead relying on general principles such as proportionality and necessity. Its deficiencies -lack of clear operational guidance, ambiguous treatment of national security, and absence of definitions such as “serious crime”- created doctrinal uncertainty. Subsequent cases -Tele2 Sverige, La Quadrature du Net- attempted to fill these gaps but did so with further complexity.

The influence of Digital Rights Ireland on national courts is substantial, illustrated most clearly in Graham Dwyer. Overall, the judgment strengthened fundamental rights but introduced enduring interpretive challenges. It remains a central reference point for understanding the limits of state surveillance in the EU legal order and continues to shape legislative debates on data retention.

The ruling reaffirms the right to privacy and the protection of personal data as cornerstones of the democratic legal order in the EU. Its impact is decisive not only for data retention but for all regulatory approaches in the areas of big data, surveillance technologies and public security.

Ultimately, the Digital Rights Ireland ruling unequivocally emphasised the necessity of the rule of law, judicial review and respect for fundamental rights in surveillance and data protection regulations across Europe, particularly in the EU and Ireland; however, it has also created some uncertainties and new responsibilities for states drafting legislation in practice.

Dipnotlar

  1. Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others [2014] ECJ Joined Cases C‑293/12 and C‑594/12. ↩︎

  2. Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC 2006. ↩︎

  3. ‘About Digital Rights Ireland’ (Digital Rights Ireland) https://www.digitalrights.ie/about/ accessed 23 November 2025. ↩︎

  4. Dru Stevenson, ‘Effect of the National Security Paradigm on Criminal Law’ https://law.stanford.edu/wp-content/uploads/2018/03/stevenson.pdf ↩︎

  5. Volker und Markus Schecke GbR (C-92/09) and Hartmut Eifert (C-93/09) v Land Hessen [2010] ECJ Joined cases C-92/09 and C-93/09; Yassin Abdullah Kadi and Al Barakaat International Foundation v Council of the European Union and Commission of the European Communities [2008] ECJ Joined cases C-402/05 P and C-415/05 P. ↩︎

  6. Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others [2016] ECJ Joined Cases C-203/15 and C-698/15. ↩︎

  7. ucdlawreview, ‘The Graham Dwyer Court of Justice Appeal: A Cruel Criminal With a Worthy Question’ (UCD Law Review, 7 June 2022) https://theucdlawreview.com/2022/06/07/the-graham-dwyer-court-of-justice-appeal-a-cruel-criminal-with-a-worthy-question/ accessed 23 November 2025. ↩︎

  8. The court rejected the claim that metadata is less intrusive, stating that traffic and location data allow for detailed profiling. ↩︎

  9. Detention was not limited to persons suspected of criminal activity; it was applied indiscriminately. ↩︎

  10. (i) the retention period was very broad, (ii) the retention period was long and undifferentiated, (iii) a general retention regime covering the entire scope and not taking into account distinctions was envisaged. ↩︎

  11. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) 2016 (OJ L). ↩︎

  12. TJ McIntyre, ‘Data Retention in Ireland: Privacy, Policy and Proportionality’ http://hdl.handle.net/10197/9590 accessed 24 November 2025. ↩︎

  13. Article 52(1) of the Charter of Fundamental Rights of the European Union requires that restrictions on fundamental rights be proportionate. Article 52(1) defines proportionality as follows: 1)The interference with the right must be provided for by law. 2)The restriction must pursue a legitimate aim (e.g. public security, public health, protection of the rights of others). 3)The restriction must be necessary (if the same aim can be achieved by a less restrictive measure, that measure should be preferred). 4)The restriction must not undermine the essence of the right. 5)Proportionality in the narrow sense: There must be a reasonable balance between the public interest served and the burden imposed on the individual. ↩︎

  14. Volker und Markus Schecke GbR (C-92/09) and Hartmut Eifert (C-93/09) v Land Hessen [2010] ECJ Joined cases C-92/09 and C-93/09. ↩︎

  15. ‘Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications)’ (https://webarchive.nationalarchives.gov.uk/eu-exit/https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02002L0058-20091219) https://www.legislation.gov.uk/eudr/2002/58/article/15 accessed 24 November 2025. ↩︎

  16. S and Marper v the United Kingdom [2008] ECtHR [GC] 30562/04, 30566/04. ↩︎

  17. In S. and Marper v United Kingdom, the ECtHR held that the indefinite retention of DNA and fingerprint data from individuals who had not been convicted violated the right to respect for private life. It did not discard the margin-of-appreciation doctrine, but concluded that the United Kingdom’s practice was disproportionate. By contrast, in data-protection or fundamental-rights limitation cases, the CJEU does not give states a broad margin of appreciation and applies a strict proportionality review. For this reason, the text characterizes the CJEU’s approach as more rigid. ↩︎

  18. ‘The Intelligence Services and the Snowden Revelations - UK Parliament’ https://www.parliament.uk/business/publications/research/key-issues-parliament-2015/defence-and-security/intelligence-services/ accessed 23 November 2025. ↩︎

  19. ‘The Snowden Disclosures, 10 Years on | IAPP’ https://iapp.org/news/a/the-snowden-disclosures-10-years-on accessed 23 November 2025. ↩︎

  20. This doctrine is the principle of “informationelle Selbstbestimmung”, or information self-determination, developed in the “Volkszählungsurteil” (Census Decision) of the Federal Constitutional Court of Germany (Bundesverfassungsgericht) of 15 December 1983. ↩︎

  21. Directive 95/46 is the EU Data Protection Directive of 1995. It was the main data protection law before the GDPR. ↩︎

  22. Joined Cases C-511/18, C-512/18 and C-520/18: Judgment of the Court (Grand Chamber) of 6 October 2020 (requests for a preliminary ruling from the Conseil d’État, Constitutional Court — Belgium, France) — La Quadrature du Net (C-511/18 and C-512/18), French Data Network (C-511/18 and C-512/18), Fédération des fournisseurs d’accès à Internet associatifs (C-511/18 and C-512/18), Igwan.net (C-511/18) v Premier ministre (C-511/18 and C-512/18), Garde des Sceaux, ministre de la Justice (C-511/18 and C-512/18), Ministre de l’Intérieur (C-511/18), Ministre des Armées (C-511/18), Ordre des barreaux francophones et germanophone, Académie Fiscale ASBL, UA, Liga voor Mensenrechten ASBL, Ligue des Droits de l’Homme ASBL, VZ, WY, XX v Conseil des ministres (Reference for a preliminary ruling — Processing of personal data in the electronic communications sector — Providers of electronic communications services — Hosting service providers and Internet access providers — General and indiscriminate retention of traffic and location data — Automated analysis of data — Real-time access to data — Safeguarding national security and combating terrorism — Combating crime — Directive 2002/58/EC — Scope — Article 1(3) and Article 3 — Confidentiality of electronic communications — Protection — Article 5 and Article 15(1) — Directive 2000/31/EC — Scope — Charter of Fundamental Rights of the European Union — Articles 4, 6, 7, 8 and 11 and Article 52(1) — Article 4(2) TEU) (ECJ). ↩︎

  23. The Director of Public Prosecutions -v- Graham Dwyer [2024] Supreme Court [2024] IESC 39. ↩︎

  24. Orla Lynskey, ‘The Data Retention Directive Is Incompatible with the Rights to Privacy and Data Protection and Is Invalid in Its Entirety: Digital Rights Ireland’ (2014) 51 Common Market Law Review https://kluwerlawonline-com.ucd.idm.oclc.org/api/Product/CitationPDFURL?file=Journals\COLA\COLA2014138.pdf accessed 24 November 2025; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). ↩︎

  25. Róisín Costello, Privacy Law in Ireland (1st edn, Bloomsbury Professional 2023) https://go.exlibris.link/3P2Bm0K5 accessed 24 November 2025; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). ↩︎

  26. ‘KORFF - Expert Opinion - Bundestag - EXPERT OPINION Prepared for the Committee of Inquiry of the Bundestag into the “5EYES” Global Surveillance Systems Revealed by Edward Snowden Committee Hearing, Paul-Löbe-Haus, Berlin, 5 June 2014.Docx’ https://www.statewatch.org/media/documents/news/2014/jun/snowden-korff-expert-opinion-bundestag-June-2014.pdf?utm_source=chatgpt.com accessed 24 November 2025. ↩︎

  27. Douwe Korff and Marie Georges, ‘The Origins and Meaning of Data Protection’ (Social Science Research Network, 13 January 2020) https://papers.ssrn.com/abstract=3518386 accessed 24 November 2025. ↩︎

  28. ibid. ↩︎

  29. Costello (n 25). ↩︎

  30. Lynskey (n 24). ↩︎

  31. Christopher Kuner, ‘The European Union and the Search for an International Data Protection Framework’, GroJIL2(2)(2014), 55–71. ↩︎

  32. Orla Lynskey, The Foundations of EU Data Protection Law (1;First;, Oxford University Press 2015) https://go.exlibris.link/8yFzc9cg accessed 24 November 2025. ↩︎

Bibliography

‘About Digital Rights Ireland’ (Digital Rights Ireland) https://www.digitalrights.ie/about/ accessed 23 November 2025.

Costello R, Privacy Law in Ireland (1st edn, Bloomsbury Professional 2023) https://go.exlibris.link/3P2Bm0K5 accessed 24 November 2025.

‘Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications)’ (https://webarchive.nationalarchives.gov.uk/eu-exit/https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02002L0058-20091219) https://www.legislation.gov.uk/eudr/2002/58/article/15 accessed 24 November 2025.

‘KORFF - Expert Opinion - Bundestag - EXPERT OPINION Prepared for the Committee of Inquiry of the Bundestag into the “5EYES” Global Surveillance Systems Revealed by Edward Snowden Committee Hearing, Paul-Löbe-Haus, Berlin, 5 June 2014.Docx’ https://www.statewatch.org/media/documents/news/2014/jun/snowden-korff-expert-opinion-bundestag-June-2014.pdf?utm_source=chatgpt.com accessed 24 November 2025.

Korff D and Georges M, ‘The Origins and Meaning of Data Protection’ (Social Science Research Network, 13 January 2020) https://papers.ssrn.com/abstract=3518386 accessed 24 November 2025.

Kuner C, ‘The European Union and the Search for an International Data Protection Framework’, GroJIL2(2)(2014), 55–71.

Lynskey O, ‘The Data Retention Directive Is Incompatible with the Rights to Privacy and Data Protection and Is Invalid in Its Entirety: Digital Rights Ireland’ (2014) 51 Common Market Law Review https://kluwerlawonline-com.ucd.idm.oclc.org/api/Product/CitationPDFURL?file=Journals\COLA\COLA2014138.pdf accessed 24 November 2025.

——, The Foundations of EU Data Protection Law (1;First;, Oxford University Press 2015) https://go.exlibris.link/8yFzc9cg accessed 24 November 2025.

McIntyre TJ, ‘Data Retention in Ireland: Privacy, Policy and Proportionality’ http://hdl.handle.net/10197/9590 accessed 24 November 2025.

Stevenson D, ‘Effect of the National Security Paradigm on Criminal Law’ https://law.stanford.edu/wp-content/uploads/2018/03/stevenson.pdf

‘The Intelligence Services and the Snowden Revelations - UK Parliament’ https://www.parliament.uk/business/publications/research/key-issues-parliament-2015/defence-and-security/intelligence-services/ accessed 23 November 2025.

ucdlawreview, ‘The Graham Dwyer Court of Justice Appeal: A Cruel Criminal With a Worthy Question’ (UCD Law Review, 7 June 2022) https://theucdlawreview.com/2022/06/07/the-graham-dwyer-court-of-justice-appeal-a-cruel-criminal-with-a-worthy-question/ accessed 23 November 2025.

Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others [2014] ECJ Joined Cases C‑293/12 and C‑594/12

S and Marper v the United Kingdom [2008] ECtHR [GC] 30562/04, 30566/04

Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others [2016] ECJ Joined Cases C-203/15 and C-698/15

The Director of Public Prosecutions -v- Graham Dwyer [2024] Supreme Court [2024] IESC 39

Volker und Markus Schecke GbR (C-92/09) and Hartmut Eifert (C-93/09) v Land Hessen [2010] ECJ Joined cases C-92/09 and C-93/09

Yassin Abdullah Kadi and Al Barakaat International Foundation v Council of the European Union and Commission of the European Communities [2008] ECJ Joined cases C-402/05 P and C-415/05 P

Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC 2006

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) 2016 (OJ L)