No CrossRef data available.
Article contents
EU DATA NULLIFICATION: CONFUSION AND THE RULE OF LAW
Published online by Cambridge University Press: 03 November 2025
Abstract
Effective justice seeks for the truth and consequently must be founded on an analysis of all relevant evidence. Only where a manifestly greater societal interest intrudes, can there be a privilege against the production of testimony. For the Court of Justice of the EU, however, an activist interpretation of Article 8 of the EU Charter, promoting security of data, has become an elevated privacy right which justifies nullifying crucial information, thus shielding criminals, undermining civil trials and obstructing searches for missing persons. No convincingly apodictic conclusion emerges from the several judgments of the court, while the exceptions identified undermine, rather than support, any articulated core principle.
Information
- Type
- Articles
- Information
- Copyright
- © The Author(s), 2025. Published by Cambridge University Press on behalf of The Faculty of Law, University of Cambridge
Footnotes
Both are graduates of Trinity College, Dublin.
References
1 The People (D.P.P.) v J.T. (1988) 3 Frewen 141 (I.E.C.C.A.).
2 See S. O’Leary, “Balancing Rights in the Digital Age” 59 (2018) Irish Jurist 59.
3 Metadata or “non-content data” refers to data about who communicated, when, for how long and where. The CJEU refers to this as “traffic and location data”, including (1) Subscriber: identifying the subscriber, (2) Traffic: routing, duration, time, volume protocol, location and network details, and (3) Location: coordinates, direction, accuracy and network cell.
4 US National Research Council, Bulk Collection of Signals Intelligence: Technical Options (Washington, DC 2015). Note, Collins Dictionary defines “surveillance” as “the careful watching of someone, especially by an organisation such as the police or army”.
5 D. Lyon, “Surveillance” (2022) 11 Internet Policy Review 1.
6 David Anderson Q.C., writing as the Independent Review of Terrorism Legislation, observed in 2016 that “whether a broader or narrower definition is preferred, it should be plain that the collection and retention of data in bulk does not equate to mass surveillance. Any legal system worth the name will incorporate limitations and safeguards designed precisely to ensure that access to stores of sensitive data is not given on an indiscriminate or unjustified basis”; see D. Anderson Q.C., Report of the Bulk Powers Review, Cm 9326 (London 2016), at [1.9].
7 D. Lyon, “Surveillance Capitalism, Surveillance Culture and Data Politics” in D. Bigo, E. Isin and E. Ruppert (eds.), Data Politics: Worlds, Subjects, Rights (London 2019), 65.
8 J. Laidler, “High Tech Is Watching You”, available at https://news.harvard.edu/gazette/story/2019/03/harvard-professor-says-surveillance-capitalism-is-undermining-democracy/ (last accessed 17 June 2025); see also S. Zuboff, The Age of Surveillance Capitalism: The Fight for the Future at the New Frontier of Power (London 2019).
9 D. Anderson Q.C., A Question of Trust: Report of the Investigatory Powers Review (London 2015), at [9.25].
10 In the US, Miranda v Arizona 384 U.S. 436 (1966) established rights for those arrested and interrogated by the police, while Mapp v Ohio 367 U.S. 643 (1961) applied the exclusionary rule to unlawful searches and seizures to states as well as the federal government.
11 E.g. The People (D.P.P.) v McNamara [2020] IESC 34, [2021] 1 I.R. 472, at [32] (Charleton J.), in which the Irish Supreme Court radically restated the defence of provocation. Changes can also be problematic and critiqued for that very willingness to develop the law; see A. Chronopoulos, Judicially Crafted Property Rights in Valuable Intangibles: An Analysis of the INS Doctrine (London 2024).
12 O. Wendell Holmes Jr., The Common Law (London 1911), ch. 8.
13 D. Ventre and P. Guillot, Electronic Communication Technology Interception Technologies and Issues of Power (Newark, NJ 2023), 9.
14 E.G. Hall, The Electronic Age: Telecommunications in Ireland (Dublin 1993).
15 A call made from a vehicle when the closest mast is occluded, for instance by a metal lorry, may route through a more distant mast.
16 Cell size depends on terrain; masts are usually built 200–500 metres apart in towns and 2–5 kilometres apart in rural areas but may be closer.
17 See J. Scherer (ed.), Telecommunications Law in Europe: Law and Regulation of Electronic Communications in Europe, 6th ed. (Haywards Heath 2013).
18 Now found in Consolidated Treaty on the Functioning of the European Union (OJ 2012 C 326 p. 47), arts. 170–172 (hereafter, “TFEU”), requiring “the Union [to] contribute to the establishment and development of trans-European networks in the areas of transport, telecommunications and energy infrastructures”.
19 Tele2 Sverige A.B. v Post-och Telestyrelsen and others, C-203/15 and C-698/15, [2017] Q.B. 771, at [180] (Saugmandsgaard Øe A.G.) (E.Ct.H.R.).
20 G. Orwell, Nineteen Eighty-Four (London 1949).
21 European Commission, Final Report: Study on the Retention of Electronic Communications Non-Content Data for Law Enforcement Purposes (Luxembourg 2020), 16.
22 Ibid.
23 In Member States, real-time interception and recording of communications require judicial authorisation by warrant on proof of reasonable suspicion of criminal culpability.
24 Hall, Electronic Age.
25 Here, the only limitation is that the relevant provision of legal limitation not be exceeded for what would ultimately be classified as a contract dispute.
26 Europol, Eurojust and European Judicial Network, “SIRIUS EU Electronic Evidence Situation Report 2024”, available at https://www.europol.europa.eu/cms/sites/default/files/documents/SIRIUS_E_Evidence_Situation_Report_2024.pdf (last accessed 4 December 2024).
27 Consolidated Version of the Treaty on European Union (OJ 2008 C 326 p. 13), art. 2 (hereafter, “TEU”).
28 European Commission, “Why Do We Need the Charter?”, available at https://commission.europa.eu/aid-development-cooperation-fundamental-rights/your-fundamental-rights-eu/eu-charter-fundamental-rights/why-do-we-need-charter_en#:~:text=The%20Charter%20enshrines%20the%20fundamental,and%20scientific%20and%20technological%20developments (last accessed 21 November 2024).
29 Charter of Fundamental Rights of the EU (OJ 2012 C 326 p. 391), preamble (hereafter, “The Charter”).
30 Ibid., art. 52(1). Directive 2002/58/EC (OJ 2002 L 201 p. 37), art. 15(1) reflects a similar provision (hereafter, “ePrivacy Directive”).
31 The Charter, art. 47.
32 Europol, Eurojust and European Judicial Network, “SIRIUS Report”, 16.
33 Ó Griofáin v Éire [2009] IEHC 188, [2009] 4 J.I.C. 2308, at [10]: “Is é an ceartas an aidhm atá le gach imeacht dlíthiúil. Is í an fhírinne an cuspóir atá ag gach cleachtas breithiúnach” (Charleton J.) (Justice is the aim of every legal proceeding. Truth is the target of all judicial practice).
34 Katz v United States 289 U.S. 347 (1967).
35 The People (D.P.P.) v Patrick Quirke [2023] IESC 5, [2023] 1 I.L.R.M. 225.
36 R. v C.B. [2020] EWCA Crim 790, [2021] 1 W.L.R. 725.
37 J.A. Fontana and D. Keeshan, The Law of Search and Seizure in Canada, 8th ed. (Markham, Ont. 2010), 1181.
38 In England and Wales, the Civil Procedure Rules 1998, Part 31, and in Ireland, the Rules of the Superior Courts, SI 1986/15, order 31, rule 29 require non-parties to disclose relevant documents or data that may support civil litigation.
39 E.g. the German state of Hesse adopted the first law on data protection in 1970, only applicable there.
40 Council of Europe, “Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data” (ETS No. 108, adopted 28 January 1981).
41 European Commission, “Proposal for a Council Directive Concerning the Protection of Individuals in Relation to the Processing of Personal Data” (OJ 1990 C 277 p.3).
42 Ibid., rec. 5.
43 Ibid., rec. 7.
44 Directive 95/46/EC (OJ 1995 L 281 p.31). Data protection law was modernised in 2016 by the adoption of Commission Regulation (EU) 2016/679 (OJ 2016 L 119 p.1) (hereafter, “GDPR”). The General Data Protection Regulation also repealed the Data Protection Directive. Discussion of this Regulation is beyond the scope of this analysis.
45 Directive 97/66/EC (OJ 1997 L 24 p.1).
46 ePrivacy Directive, art. 15.
47 E. Kosta and I. Kamara (eds.), Data Retention in Europe and Beyond (Oxford 2025).
48 S. Thierse and S. Badanjak, Opposition in the EU Multi-Level Polity, Legal Mobilization Against the Data Retention Directive (Cham 2021), 15.
49 The council explicitly stated that “the priority should be given to the proposals under the retention of communication and traffic data and exchange of information on convictions with a view to adoption by June 2005”; see Council of the European Union, “Declaration on Combatting Terrorism”, available at https://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/ec/79637.pdf (last accessed 29 July 2025).
50 Directive 2006/24/EC (OJ 2006 L 105 p.54) (hereafter, “Data Retention Directive”). The legal basis for the Data Retention Directive was controversial from the start. The Irish government initiated the first challenge of the Directive before the CJEU on the basis that the Data Retention Directive was not appropriately adopted; see Judgment of 10 February 2009, Ireland v European Parliament and Council of the European Union, C-301/60, EU:C:2009:68.
51 Data Retention Directive, art. 5.
52 Anderson, Question of Trust, at [1.7].
53 Judgment of 8 April 2014, Digital Rights Ireland Ltd. v Minister for Communications, Marine and Natural Resources and Others, C293/12, EU:C:2014:238 (hereafter, “Digital Rights Ireland”).
54 Ibid., at [37].
55 Ibid., at [58]–[59].
56 Ibid., at [60].
57 Ibid., at [61]–[62].
58 Ibid., [63]–[64].
59 Ibid., at [66]–[68].
60 Judgment of 21 December 2016, Tele2 Sverige A.B. v Post-och Telestyrelsen and others, C-203/15 and C-698/15, EU:C:2016:970 (hereafter, “Tele2”).
61 Ibid., at [108].
62 Ibid., at [109].
63 Ibid., at [62].
64 Ibid., at [114].
65 Judgment of 6 October 2020, La Quadrature du Net and Others v Premier Ministre and Others, C-511/18, C-512/18 and C-520/18, EU:C:2020:791 (hereafter, “La Quadrature du Net”).
66 Ibid., at [168].
67 V. Mitsilegas et al., “Data Retention and the Future of Large-Scale Surveillance: The Evolution and Contestation of Judicial Benchmarks” (2023) European Law Journal 176, 191.
68 Judgment of 6 October 2020, La Quadrature du Net, C-511/18, C-512/18 and C-520/18, EU:C:2020:791, at [139].
69 Ibid., at [145].
70 Ibid., at [149].
71 Ibid., at [150].
72 TEU, art. 4.
73 Judgment of 20 September 2022, Bundesrepublik Deutschland v SpaceNet A.G. and Telekom Deutschland GmbH, C-793/19 and C-794/19, EU:C:2022:702 (hereafter, “SpaceNet”).
74 Judgment of 30 April 2024, Procura della Repubblica presso il Tribunale di Bolzano, C-178/22, EU:C:2024:371.
75 Cited in ibid., at [21].
76 Ibid., at [46].
77 Ibid., at [50].
78 Ibid., at [60]. Prior to this ruling, Article 132(3) of Italian Legislative Decree No. 196/2003 was amended to classify offences for which telephone records may be obtained as “serious”, punishable by at least three years imprisonment. As to the criteria for assessing the existence of a serious interference with the rights guaranteed in Articles 7 and 8 of the Charter, the court held, at [41], the “fact that the data to which the Public Prosecutor’s Office requested access may not be the data of the owners of the mobile telephones at issue, but the data of the persons who communicated with each other by using those telephones after their alleged theft, is irrelevant”.
79 The People (D.P.P.) v Caolan Smyth [2024] IESC 22, [2024] 6 J.I.C. 1705, at [97] (Collins J.).
80 L.D. Corte, “A Critical Comment on Proportionality in the Mass Surveillance Jurisprudence of the CJEU and the ECtHR” in Kosta and Kamara (eds.), Data Retention, ch. 4.
81 Judgment of 30 April 2024, La Quadrature du Net and Others v Premier Ministre, Ministère de la Culture, French Data Network and Others, C-470/21, EU:C:2024:370 (hereafter, “French Data Network”).
82 Ibid., at [75]–[76].
83 Ibid., at [76].
84 Judgment of 6 October 2020, La Quadrature du Net, C-511/18, C-512/18 and C-520/18, EU:C:2020:791, at [153].
85 Judgment of 30 April 2024, French Data Network, C-470/21, EU:C:2024:370, at [119].
86 Judgment of 6 October 2020, La Quadrature du Net, C-511/18, C-512/18 and C-520/18, EU:C:2020:791, at [46].
87 Judgment of 30 April 2024, French Data Network, C-470/21, EU:C:2024:370, at [86].
88 Ibid., at [87].
89 Ibid., at [88]
90 Ibid., at [89].
91 Judgment of 5 April 2022, G.D. v Commissioner of An Garda Síochána and Others, C-140/20, EU:C:2022:258 (hereafter, “G.D.”).
92 The People (D.P.P.) v Graham Dwyer [2024] IESC 39, [2024] 7 J.I.C. 3116 (hereafter, “Dwyer”).
93 Judgment of 5 April 2022, G.D., C-140/20, EU:C:2022:258, at [56].
94 G. Westkamp, “Data Retention, Information Disclosure and Intellectual Property Enforcement: A Truly ‘High Standard’ of Protection?” (2025) 1 Intellectual Property Quarterly 48.
95 European Commission, Final Report, 25.
96 Judgment of 8 April 2014, Digital Rights Ireland, C293/12, EU:C:2014:238.
97 Judgment of 20 September 2022, SpaceNet, C-793/19 and C-794/19, EU:C:2022:702.
98 Judgment of 21 December 2016, Tele2, C-203/15 and C-698/15, EU:C:2016:970.
99 Judgment of 2 October 2018, Ministerio Fiscal, C-207/16, EU:C:2022:702 (hereafter, “Ministerio Fiscal”).
100 European Council, “Document 14319/18”, available at https://data.consilium.europa.eu/doc/document/ST-14319-2018-INIT/en/pdf (last accessed 27 July 2025). While Member States broadly agree on what constitutes metadata, some classify points such as IP addresses and device identifiers as subscriber data, others as traffic data.
101 Judgment of 6 October 2020, La Quadrature du Net, C-511/18, C-512/18 and C-520/18, EU:C:2020:791.
102 Judgment of 2 March 2021, H.K. v Prokuratuur, C-746/18, EU:C:2021:152; see also judgment of 2 October 2018, Ministerio Fiscal, C-207/16, EU:C:2022:702.
103 Judgment of 6 October 2020, La Quadrature du Net, C-511/18, C-512/18 and C-520/18, EU:C:2020:791, at [134]–[135].
104 Judgment of 5 April 2022, G.D., C-140/20, EU:C:2022:258.
105 Note that the authors express no view as to the validity of such assertion or as to any legal proposition debated.
106 Dwyer v The Commissioner of an Garda Síochána [2020] IESC 4, [2020] J.I.C. 2401, at [7.2] (Clarke C.J.). In the final analysis, although this data was accessed illegally, the court applied a principle that where the law had changed, this could not be regarded as such an egregious breach of the rules of evidence to require exclusion. The problem, however, is with future cases.
107 Judgment of 5 April 2022, G.D., C-140/20, EU:C:2022:258, at [83].
108 Ibid., at [84].
109 See The People (D.P.P.) v Meehan [1999] 7 J.I.C. 2901 (S.C.C.), The People (D.P.P.) v Gilligan [2005] IESC 78, [2005] 11 J.I.C. 2301.
110 Judgment of 6 October 2020, La Quadrature du Net, C-511/18, C-512/18 and C-520/18, EU:C:2020:791, at [152].
111 The People (D.P.P.) v Colm Murphy [2002], judgment of 22 January 2002, not reported (S.C.C.). Note that this decision was overturned on appeal due to a legal error made by the trial court; see D.P.P. v Murphy [2005] IECCA 52, [2005] 4 I.R. 504.
112 The People (D.P.P.) v J.T. (1998) 3 Frewen 141 (Circ. Ct. (Crim.)).
113 J. Bentham, Rationale of Judicial Evidence, Specially Applied to English Practice, vols. 1–5 (London 1827), 209.
114 G. Williams, The Proof of Guilt: A Study of the English Criminal Trial, 3rd ed. (London 1963), 208. Article 1358 of the French Civil Code “except where the law provides otherwise, proof may be provided by any means”. Similarly, Article 286 of the German Civil Code allows a court to analyse any evidence, but it must give reasons as to why it finds evidence probative.
115 J.H. Wigmore, A Treatise on the Anglo-American System of Evidence in Trials at Common Law, 3rd ed. (Boston 1940).
116 D. Nardi, “Proportionately and Strict Proportionality in the Case-Law of the Court of Justice of the European Union on Data Retention” in Kosta and Kamara (eds.), Data Retention, ch. 5.
117 Ibid., at 64.
118 Tele2 Sverige v Post-och Telestyrelsen [2017] Q.B. 771, at [172] (Saugmandsgaard Øe A.G.)
119 Judgment of 24 November 2011, Scarlet Extended S.A. v Société Belge des Auteurs, Compositeurs et Éditures S.C.R.L., C-70/10, EU:C:2011:771.
120 Ibid., at [50]–[51].
121 P. Charleton and S. Reilly, “Passing Off: An Uncertain Remedy” in European Union Intellectual Property Office (ed.), 20 Years of the Boards of Appeal, Celebrating the Past, Looking Forward to the Future Liber Amicorum (EUIPO 2017), 136.
122 O’Leary, “Balancing Rights”.
123 KU v Finland (Application no. 287/02), Judgment of 2 March 2009, not yet reported, at [49].
124 Judgment of 2 March 2023, Norra Stockholm Bygg A.B. v Per Nycander A.B., C-268/2, EU:C:2023:145 (hereafter, “Norra Stockholm Bygg”).
125 Usually, retention periods for personal data are outlined by legislation, with the GDPR derogating the decision to data controllers.
126 Judgment of 5 April 2022, G.D., C-140/20, EU:C:2022:258, at [45].
127 The European strategy for data explicitly states that it will “ensure that more data becomes available for use in the economy and society”; see “A European Strategy for Data”, available at https://digital-strategy.ec.europa.eu/en/policies/strategy-data (last accessed 10 December 2024).
128 As may be the transfer of data under the Safe Harbour Agreement, see Judgment of 6 October 2015, Maximilian Schrems v Data Protection Commissioner, C-362/14, ECLI:EU:C:2015:650. If not available in Europe, perhaps the information being transferred minute by minute to the US may be requested.
129 Woolmington v Director of Public Prosecutions [1935] A.C. 462, 481 (Viscount Sankey L.C.) (H.L.).
130 C. Kuner, “A ‘Super-Right’ to Data Protection? The Irish Facebook Case & the Future of EU Data Transfer Regulation”, available at https://blogs.lse.ac.uk/medialse/2014/06/24/a-super-right-to-data-protection-the-irish-facebook-case-the-future-of-eu-data-transfer-regulation/ (last accessed 2 May 2025).
131 The People v Caolan Smyth [2024] IESC 22, at [95] (Collins J.).
132 European Commission, Commission Impact Assessment on Proposals for a Regulation for Electronic Evidence in Criminal Matters and a Directive on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings (Brussels 2018).
133 Anderson, Question of Trust, at [7.51].
134 C. Dupont et al., “Study of the Retention of Electronic Communications Non-Content Data for Law Enforcement Purposes: Final Report”, available at https://op.europa.eu/en/publication-detail/-/publication/081c7f15-39d3-11eb-b27b-01aa75ed71a1 (last accessed 29 July 2025).
135 “Concluding Report of the High-Level Group on Access to Data for Effective Law Enforcement”, available at https://home-affairs.ec.europa.eu/document/download/4802e306-c364-4154-835b-e986a9a49281_en?filename=Concluding%20Report%20of%20the%20HLG%20on%20access%20to%20data%20for%20effective%20law%20enforcement_en.pdf (last accessed 4 December 2024).
136 “Recommendations of the High-Level Group on Access to Data for Effective Law Enforcement 2024”, 8, available at https://home-affairs.ec.europa.eu/document/download/1105a0ef-535c-44a7-a6d4-a8478fce1d29_en (last accessed 4 December 2024).
137 Ibid., at 27.
138 E.g. Dynamic IP addresses and Carrier Grade Net Address Translation were not developed at the time of the CJEU judgments positing data retention based on geographic targeting; see ibid., at 7.
139 A.E. Boustead and M.B. Kugler, “Juror Interpretations of Metadata and Content Information: Implications for The Going Dark Debate” (2023) 9 Journal of Cybersecurity 1.
140 Service providers are alarmed by the costs of the technical implementation of targeted retention and by frequently changing legislation; see “Concluding Report of the High-Level Group”, 27.
141 Judgment of 5 April 2022, G.D., C-140/20, EU:C:2022:258, at [78].
142 Judgment of 20 September 2022, SpaceNet, C-793/19 and C-794/19, EU:C:2022:702, at [112]–[113].
143 Dwyer v The Commissioner of An Garda Síochána [2020] IESC 4, at [4.5] (Clarke C.J.).