- Ireland’s data-retention regime was overhauled after two Irish-rooted EU court cases.
- Blanket, indiscriminate retention of everyone’s traffic and location data was ruled unlawful.
- Under the 2022 Act, broad retention is limited to national security, with a High Court judge’s oversight.
- For crime, retention is now targeted, plus IP-address data and “quick freeze” preservation.
- The GDPR and ePrivacy rules, overseen by the Data Protection Commission, govern how providers use your data commercially.
The short version
For years, Irish law required providers to keep a record of everyone’s communications metadata — who you contacted, when, and roughly where — in case it was ever needed. Two court cases that began in Ireland dismantled that blanket approach. Today, under the Communications (Retention of Data) (Amendment) Act 2022, broad retention is limited to national-security grounds with a High Court judge’s oversight, while for ordinary crime the tools are narrower and targeted, and access requires independent court approval. Separately, the GDPR and ePrivacy rules — enforced by the Data Protection Commission — govern how your provider may use your data commercially.
Ireland moved from “keep everyone’s data just in case” to “retain narrowly, and access only with a court’s approval”.
The laws that matter
Four pieces of law shape the picture:
- Communications (Retention of Data) Act 2011. The original regime, which required providers to retain communications metadata — the law used in the Dwyer case and later found wanting.
- GDPR + Data Protection Act 2018. Your baseline data-protection rights: how any organisation, including your ISP, may collect and use your personal data, enforced by the Data Protection Commission.
- ePrivacy Regulations 2011 (S.I. 336). The rules specific to electronic communications and confidentiality — the reason your provider can’t simply sell your browsing history.
- Communications (Retention of Data) (Amendment) Act 2022. The reform, in force from June 2023, that rebuilt the retention-and-access regime around EU case law: court oversight, targeted retention, and national-security limits.
The two landmark cases
What makes this an Irish story is that the two rulings that reshaped data retention across the EU both started here:
1. Digital Rights Ireland (CJEU, 2014)
   In a case brought by the Irish group Digital Rights Ireland, the Court of Justice of the EU struck down the EU Data Retention Directive entirely, ruling that blanket retention of everyone’s communications data was a disproportionate interference with privacy. Ireland is where this landmark challenge began.
2. The Graham Dwyer case (CJEU, 2022)
Dwyer’s 2015 murder conviction relied partly on mobile phone location data retained under the 2011 Act. His challenge reached the CJEU, which in 2022 confirmed that general, indiscriminate retention of traffic and location data to fight crime is unlawful — forcing Ireland to change the law.
What’s retained now
The 2022 Act replaced blanket retention with a narrower, more targeted set of measures for crime and security:
- Targeted retention of traffic and location data — tied to specific people or geographic areas, not everyone.
- General retention of IP addresses and of users’ civil-identity data is permitted in defined circumstances.
- “Quick freeze” preservation — providers can be required to preserve specific data that they already hold, for a limited time.
- National-security retention — the only route to general, indiscriminate retention, and it needs the approval of a designated High Court judge.
Crucially, all of this concerns metadata — the who/when/where of communications — not the content of your messages or browsing.
Who oversees it
Two kinds of oversight run in parallel. The Data Protection Commission supervises the GDPR and ePrivacy rules — the commercial side of how your data is handled. And access to retained communications data for investigations now requires approval from an independent court rather than a senior Garda, with a designated judge involved in the national-security route. That judicial check is the single biggest change the reform delivered.
What it means for you
In practical terms: your provider still retains some metadata about your connections, but the State can’t trawl it freely — access is targeted and court-supervised, and there’s no general power to read the content of your communications. Your day-to-day privacy from commercial use of your data is protected by the GDPR and ePrivacy rules.
A VPN reduces how much of your browsing your ISP can see and therefore retain in the first place: the ISP records only that you used a VPN, not where you went. It doesn’t change the law, but it shrinks your footprint. See “is your ISP tracking you” and “can Gardaí track VPN use” for how this plays out.