Legal & Privacy Guide

Data retention & surveillance laws in Ireland

Who keeps a record of your communications, for how long, and who can see it? Ireland’s answer was rebuilt after two landmark EU court cases that started right here. Here’s the framework, in plain English.

Two Irish-rooted EU cases reshaped how much of everyone’s data can be kept — and who can reach it.
Key takeaways
  • Ireland’s data-retention regime was overhauled after two Irish-rooted EU court cases.
  • Blanket, indiscriminate retention of everyone’s traffic and location data was ruled unlawful.
  • Under the 2022 Act, broad retention is limited to national security, with a High Court judge’s oversight.
  • For crime, retention is now targeted, plus IP-address data and “quick freeze” preservation.
  • The GDPR and ePrivacy rules, overseen by the Data Protection Commission, govern how providers use your data commercially.

The short version

For years, Irish law required providers to keep a record of everyone’s communications metadata — who you contacted, when, and roughly where — in case it was ever needed. Two court cases that began in Ireland dismantled that blanket approach. Today, under the Communications (Retention of Data) (Amendment) Act 2022, broad retention is limited to national-security grounds with a High Court judge’s oversight, while for ordinary crime the tools are narrower and targeted, and access requires independent court approval. Separately, the GDPR and ePrivacy rules — enforced by the Data Protection Commission — govern how your provider may use your data commercially.

In one line

Ireland moved from “keep everyone’s data just in case” to “retain narrowly, and access only with a court’s approval”.

The laws that matter

Four pieces of law shape the picture:

  • Communications (Retention of Data) Act 2011. The original regime, which required providers to retain communications metadata — the law used in the Dwyer case and later found wanting.
  • GDPR + Data Protection Act 2018. Your baseline data-protection rights: how any organisation, including your ISP, may collect and use your personal data, enforced by the Data Protection Commission.
  • ePrivacy Regulations 2011 (S.I. 336). The rules specific to electronic communications and confidentiality — the reason your provider can’t simply sell your browsing history.
  • Communications (Retention of Data) (Amendment) Act 2022. The reform, in force from June 2023, that rebuilt the retention-and-access regime around EU case law: court oversight, targeted retention, and national-security limits.

The two landmark cases

What makes this an Irish story is that the two rulings that reshaped data retention across the EU both started here:

  1. Digital Rights Ireland (CJEU, 2014)

    In a case brought by the Irish group Digital Rights Ireland, the Court of Justice of the EU struck down the EU Data Retention Directive entirely, ruling that blanket retention of everyone’s communications data was a disproportionate interference with privacy. Ireland is where this landmark challenge began.

  2. The Graham Dwyer case (CJEU, 2022)

    Dwyer’s 2015 murder conviction relied partly on mobile phone location data retained under the 2011 Act. His challenge reached the CJEU, which in 2022 confirmed that general, indiscriminate retention of traffic and location data to fight crime is unlawful — forcing Ireland to change the law.

Digital Rights Ireland (2014) and the Dwyer ruling (2022) forced the reform now in force.

What’s retained now

The 2022 Act replaced blanket retention with a narrower, more targeted set of measures for crime and security:

  • Targeted retention of traffic and location data — tied to specific people or geographic areas, not everyone.
  • General retention of IP addresses and of users’ civil-identity data is permitted in defined circumstances.
  • “Quick freeze” preservation — providers can be required to preserve specific data that they already hold, for a limited time.
  • National-security retention — the only route to general, indiscriminate retention, and it needs the approval of a designated High Court judge.

Crucially, all of this concerns metadata — the who/when/where of communications — not the content of your messages or browsing.

Who oversees it

Two kinds of oversight run in parallel. The Data Protection Commission supervises the GDPR and ePrivacy rules — the commercial side of how your data is handled. And access to retained communications data for investigations now requires approval from an independent court rather than a senior Garda, with a designated judge involved in the national-security route. That judicial check is the single biggest change the reform delivered.

What it means for you

In practical terms: your provider still retains some metadata about your connections, but the State can’t trawl it freely — access is targeted and court-supervised, and there’s no general power to read the content of your communications. Your day-to-day privacy from commercial use of your data is protected by the GDPR and ePrivacy rules.

A VPN reduces how much of your browsing your ISP can see and therefore retain in the first place: the ISP records only that you used a VPN, not where you went. It doesn’t change the law, but it shrinks your footprint. See “Is your ISP tracking you” and “Can Gardaí track VPN use” for how this plays out.

Top no-logs VPNs for privacy

  • Proton VPN: Best for privacy (9.3)
  • Mullvad: Most anonymous (8.9)
  • NordVPN: Best all-rounder (9.6)

See our “Best no-logs VPN” and “How to protect your privacy online in Ireland”.

About the author
Senior VPN Analyst & Editor

Síofra Brennan is a privacy and cybersecurity specialist who has spent nine years testing and reviewing consumer VPNs. She focuses on real-world performance, no-logs policies, and how these tools actually work for people in Ireland.

9+ years in digital privacy & VPN testing · 60+ VPNs independently reviewed · CompTIA Security+ certified · Speed-tests on real Irish lines
Reviewed for accuracy by the matched.ie editorial team · General information, not legal advice.

Frequently asked questions

What are Ireland’s data retention laws?

Irish providers must retain certain communications metadata under the Communications (Retention of Data) (Amendment) Act 2022, which replaced the older 2011 regime after EU court rulings. It permits targeted retention of traffic and location data, general retention of IP addresses, and “quick freeze” preservation for crime — while general, indiscriminate retention is now limited to national-security grounds with High Court oversight. Separately, the GDPR and ePrivacy rules govern commercial use of your data.

Did Ireland’s data retention law change because of Graham Dwyer?

Yes. Dwyer challenged the use of retained phone data in his 2015 murder conviction, and the case reached the Court of Justice of the EU, which in 2022 ruled that Ireland’s general, indiscriminate data retention was unlawful. Ireland responded with the Communications (Retention of Data) (Amendment) Act 2022, introducing court oversight and narrower, targeted retention.

How long do providers keep my data in Ireland?

It depends on the category of data and the legal basis. The 2022 Act allows targeted retention of traffic and location data, general retention of IP addresses, and short-term “quick freeze” preservation — rather than the blanket retention of everything that was previously used. Exact periods are set by the framework and the orders made under it.

Can the Government read my messages or browsing?

There’s no general power to read the content of your communications or browsing. Retention is about metadata (who contacted whom, when, from where), not message content, and access to it requires an independent court’s approval for serious-crime investigations. See our guide on whether the Gardaí can track VPN use for how access works in practice.

Does a VPN help against data retention?

It limits what your ISP can retain about your browsing. With a VPN, your provider records only that you connected to a VPN and how much data you moved — not the sites you visited, because that traffic is encrypted and the VPN handles your DNS. It doesn’t change the law, but it reduces how much of your activity is visible to be retained.
