Data Protection in Ireland
Ireland is a centre point of data protection law and policy in Europe, and our Data Protection Commission (DPC) is internationally respected. With Ireland home to the EMEA headquarters of some of the world’s leading technology companies, the DPC plays a leading role in regulating GDPR compliance, and in helping businesses and consumers become more informed of their data protection obligations and rights.
Why choose Irish Law and Irish lawyers for enforcement of Data Protection law?
Irish data protection legal practitioners offer world-class experience in advising on the most complex and cutting-edge data protection issues. Over the last 20 years Ireland has established itself as the data capital of Europe; with an impressive array of leading technology companies serving the EMEA from Ireland; including Apple, Google, Microsoft, Facebook, LinkedIn, Twitter, and Airbnb, with many investing in substantial data centre infrastructure here.
The EU General Data Protection Regulation (GDPR) applies in Ireland and protects the privacy of individuals with regard to the processing of their personal data. The Irish Data Protection Act 2018 gives further effect to the GDPR. The GDPR became applicable in Ireland (and across the EU) on 25 May 2018. It ensures that a uniform set of data protection rules applies across the EU. This makes it easier for multinational companies operating across the EU to comply with data protection law.
In addition, the GDPR provides for a ‘one stop shop’. While supervisory authorities in other EU Member States can be involved in certain cases, generally multinational companies are regulated by the data protection supervisory authority which is located in the EU Member State where they have their main establishment. This means that instead of having to deal with data protection supervisory authorities from each EU Member State in which they operate, multinational companies only have to deal with one lead supervisory authority.
The GDPR has an extra-territorial scope. It applies to all data controllers and data processors in the EU, but also to those outside the EU, where they offer goods or services to, or monitor the behaviour of, EU data subjects. Like other EU data protection authorities, the DPC has the power to impose fines under the GDPR, of up to €20 million or 4% of an undertaking's global turnover of the preceding financial year.
How will Brexit impact on data protection
Since 1 January 2021, the UK no longer applies the EU GDPR to the processing of personal data. Instead, a separate UK legal framework regarding data protection and privacy is in force in the UK.
Data Transfers: Whilst personal data can flow freely between Ireland and other EU/EEA Member States, the GDPR prohibits the transfer of personal data from the EU/EEA to third countries outside the EEA, unless that country benefits from an adequacy decision or the transfer is subject to appropriate safeguards or a GDPR derogation applies.
For the purposes of the GDPR, the UK became a third country from 1 January 2021. However, the EU and the UK agreed in the Trade and Cooperation Agreement that transfers from the EU/EEA to the UK will not be considered transfers of personal data to a third country for the ‘specified period’. This gives the EU Commission and UK time to negotiate an adequacy decision for the UK. The Agreement means that personal data can continue to be transferred freely from the EU to the UK for up to 6 months after January 1, 2021.
Transfers of personal data from the UK to the EU/EEA can continue without additional safeguards. This is provided for in the UK Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended.
One Stop Shop: As noted above, the one stop shop mechanism in the GDPR means that multinational companies only have to deal with their lead data protection supervisory authority, namely the supervisory authority where their main establishment is located in the EEA. As of 1 January 2021, the one stop shop mechanism will no longer apply to the UK. This means that multinational companies whose main establishment is located in the UK will be subject to regulation by the data protection supervisory authority in each Member State in which they operate.
EU/UK Representatives: Multinational companies who are not established in the EEA, but whose processing activities are subject to the application of the GDPR as they offer goods or services to or monitor the behavior of EU data subjects, are required to designate an EU representative. The EU representative may be addressed by data protection supervisory authorities and data subjects on all issues related to processing activities in order to ensure compliance with the GDPR. Similarly, multinational companies that are not established in the UK, but offer goods or services to or monitor the behaviour of UK data subjects, must appoint a UK representative.
The UK’s decision to leave the EU, and the single market, is likely to cause parties to international contracts to consider a different choice of law and/or submission to jurisdiction clause. With the departure of the United Kingdom from the European Union, Ireland will be the only member of the European Union that operates a court system that is both English speaking and based on the common law and the doctrine of precedent. At present, there is uncertainty as to whether judgments of English Courts will be easily enforceable in the EU. English Courts will not be able to make a reference to the Court of Justice of the European Union (CJEU).