As the internet continues to grow, so does each user’s virtual portfolio. When a person uploads information like their health or banking data to a website, it’s stored and used by the entity in charge of that website. Because some of this information is private, proper regulations must be in place to provide protection against unauthorized uses of the data. Most countries connected to the internet have extensive data protection acts in order to regulate the collection and dissemination of personal information over the web.
Irish Data Protection Act
In order to protect its citizens, Ireland released its Data Protection Act of 1988 with very heavy standards of protection. The Act was amended in 2003, and that amended version currently serves as the basis for Irish data protection. As with other acts of this nature, Ireland’s goal is to make sure that its citizens’ data is only in the hands of the proper intended recipients and only used for its intended purposes.
Background and Definitions
Before discussing Section Eight of the Act, which details certain rights of data subjects, it’s important to introduce some vocabulary. A data subject is the individual from whom the data originates. A data controller is a person or entity that has been given authorization to handle the data of another person. Processing refers to any operation taken with regard to the data; this could mean collection, storage, organization, dissemination, or destruction of the data.
Section Eight Compliance
Section Eight of Ireland’s Data Protection Act deals with rights provided to a data subject. Subsection one of part A of this section gives the data subject power to request that a data controller stop processing certain data that the subject has provided. This type of request must be served on a data controller in writing, and it has to be made for specific reasons that involve the risk of unwarranted, substantial damage or distress to the data subject or a third party. Under this section, a data subject can only object to processing that is considered to be necessary for the completion of the data controller’s goal for collecting the data or to complete a task that is in the public interest.
Subsection three prevents a data subject from taking action to prevent processing under subsection one if the subject has given explicit permission to the controller to process the data or if the processing is necessary to fulfill any contractual or legal duties on the part of the subject. That is, if the data subject has previously OK’d the processing, or if the processing is part of an established contract, the subject can’t take back permission later on. Additionally, subsection one does not apply to processing conducted by political candidates running for election or politicians holding office.
Once a notice is served under subsection one, the data controller has 20 days to respond to the notice stating whether or not it will comply with the notice and, if it will not comply, the reasons for noncompliance. If the controller fails to comply with a notice that the Commissioner of the Act thinks is valid, the Commissioner has the ability to order the controller to take the steps necessary to comply with the notice. Any processing that may have any significant or legal effects on a data subject cannot be completed automatically. Put another way, a human must play a role in the processing of data that will have significant or legal effects on the data subject.
For more information about data protection, contact Revision Legal’s team of experienced internet attorneys through the form on this page or call 855-473-8474.

The GDPR and the End of the 1988 Act Framework
The Irish Data Protection Act of 1988, as amended in 2003, has been substantially superseded in practice by the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, which came into force on May 25, 2018, and the Data Protection Act 2018 (Ireland’s implementing legislation). While the 1988 and 2003 Acts remain technically operative for matters not fully covered by the GDPR framework, practitioners advising Irish data controllers or processors, or companies processing data about Irish residents, should work within the GDPR framework as interpreted and enforced by Ireland’s Data Protection Commission (DPC).
The practical significance for companies doing business with Irish residents — or for any company whose EU data processing is conducted through an Irish entity — is substantial. Ireland is home to the European headquarters of many major technology companies, which means the DPC is the lead supervisory authority under GDPR’s one-stop-shop mechanism for those companies. The DPC’s enforcement decisions set precedent for data protection standards across the EU.
GDPR Rights That Replace and Expand Section 8
The rights described in Section 8 of the 1988 Act — the right to object to processing — have been expanded and reformulated under Articles 17, 18, and 21 of the GDPR. Key distinctions include:
- Right to object (Article 21 GDPR). Data subjects may object at any time to processing of their personal data that is based on legitimate interests (Article 6(1)(f)) or that serves the public interest (Article 6(1)(e)). Upon receipt of an objection, the controller must stop processing unless it can demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the data subject. This is a broader and more immediately enforceable right than Section 8 of the 1988 Act.
- Right to erasure (Article 17 GDPR). Often called the “right to be forgotten,” this right allows data subjects to demand deletion of personal data in six circumstances, including where the data is no longer necessary for the purpose for which it was collected, where consent has been withdrawn, or where the data subject has successfully exercised the Article 21 right to object. Controllers must respond to erasure requests within one month.
- Right to restriction (Article 18 GDPR). Data subjects may request that processing be restricted — data retained but not used — while a dispute about accuracy or the lawfulness of processing is pending. This is analogous to the interim protection envisioned by Section 8 but operationally more specific.
DPC Enforcement: What Non-Compliance Costs
The Data Protection Commission has emerged as one of the most consequential data protection regulators in the world, precisely because of its jurisdiction over the Irish establishments of major technology companies. DPC enforcement actions have resulted in record-setting GDPR fines: Meta was fined €1.2 billion in May 2023 for unlawful transfers of EU personal data to the United States; WhatsApp was fined €225 million in 2021 for transparency failures; and Instagram was fined €405 million in 2022 for mishandling children’s data. These decisions are binding across the EU under the consistency mechanism.
For smaller companies, the DPC’s enforcement approach has been to issue reprimands, compliance orders, and warnings before escalating to financial penalties. However, under Article 83 of the GDPR, fines for the most serious violations — including failure to respect data subject rights under Articles 17–21 — can reach €20 million or 4% of global annual turnover, whichever is higher. Companies that systematically ignore data subject objection or erasure requests face this maximum tier.
Data Transfer Compliance: Schrems II and Standard Contractual Clauses
Any company that transfers personal data from Ireland (or the EU more broadly) to the United States must comply with GDPR Chapter V transfer restrictions. The Court of Justice of the EU’s 2020 decision in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Schrems II) invalidated the EU-U.S. Privacy Shield framework and created substantial uncertainty about whether Standard Contractual Clauses (SCCs) could adequately protect data transferred to the U.S. given the scope of U.S. surveillance authorities.
The EU-U.S. Data Privacy Framework, adopted in 2023, provides a new adequacy mechanism for transfers to participating U.S. companies. However, its long-term durability is uncertain — the Privacy Shield, its predecessor, was invalidated twice by EU courts. Companies relying on the DPF should maintain SCCs as a backup transfer mechanism and conduct transfer impact assessments that document the supplementary measures in place to protect transferred data.
Practical Compliance for Companies Processing Irish and EU Data
If your company processes personal data about individuals in Ireland or elsewhere in the EU, compliance obligations include: (1) identifying the lawful basis for each category of processing under GDPR Article 6; (2) maintaining records of processing activities under Article 30; (3) implementing a process for responding to data subject rights requests within the GDPR’s one-month deadline; (4) conducting data protection impact assessments for high-risk processing activities; (5) ensuring data processing agreements are in place with all processors; and (6) verifying that cross-border data transfer mechanisms are in place and documented.
The transition from the 1988/2003 Act framework to the GDPR was not merely procedural — it substantially increased both the scope of data subject rights and the penalties for non-compliance. Companies that have not updated their data governance programs since the GDPR came into force are operating with significant legal exposure.
For guidance on GDPR compliance, data subject rights management, or responding to a DPC inquiry, contact Revision Legal’s internet law attorneys through the form on this page or call 855-473-8474.