Global Data and Cyber Handbook

Ireland

Select a Topic
Start Comparison
Artificial Intelligence, Profiling and Automated Decision Making
Jump to
Artificial Intelligence, Profiling and Automated Decision Making Start Comparison
Are there any restrictions or requirements related to creating profiles of data subjects or utilizing automated decision-making for decisions related to data subjects, including with respect to artificial intelligence?

Last review date: 13 January 2025

Yes.

The restrictions or requirements are as follows:

☒        qualified right not to be subject to a decision based solely on automated decision making, including profiling – for example, only applicable if the decision produces legal effects concerning them or similarly significantly affects them

☒        right to information / transparency requirement

If such restrictions or requirements exist, are they subject to any exceptions?

Last review: 13 January 2025

Yes.

The exceptions are as follows:

Under the GDPR, the data subject has a right not to be subject to a decision based solely on automated processing unless the decision is:

  • necessary for entering into, or performance of, a contract between the data subject and a data controller (Article 22(2)(a))
  • based on the explicit consent of a data subject (Article 22(2)(c)), or
  • authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, and:

a) the effect of that decision is to grant a request of the data subject, or

b) in all other cases (where subparagraph (a) above is not applicable), adequate steps have been taken by the controller to safeguard the legitimate interests of the data subject which steps shall include the making of arrangements to enable him or her to:

  • make representations to the controller in relation to the decision
  • request human intervention in the decision-making process
  • request to appeal the decision

(Article 22(2)(b) GDPR and section 57, DPA 2018).

Has the data privacy regulator issued guidance on data privacy and artificial intelligence, automated decision-making or profiling?

Last review date: 13 January 2025

Please refer to the EU Chapter  for detailed information regarding EU-wide guidance.

Yes

The DPC provided limited guidance on AI systems and Large Language Models by way of a blog article in July 2024. It provides a high-level discussion of potential personal data risks that may arise in the development and use of AI systems.

The DPC’s guidance on “Fundamentals for a Child Orientated Approach to Data Processing” (2021) provides data protection interpretative principles and recommended measures in respect of a broad range of elements concerning the processing of children’s personal data. It includes a brief section (Section 6) which is focused on profiling and automated decision making. In summary, the guidance advises that online service providers should seek to avoid profiling children and/ or carrying out automated decision making in relation to children, for marketing/ advertising purposes, due to their particular vulnerability and susceptibility to behavioral advertising, unless they can clearly demonstrate how and why it is in the best interests of the child to do so.

Has the data privacy regulator taken enforcement action in relation to artificial intelligence, including automated decision-making or profiling?

☒         Enforcement activity against AI developer(s)

☒         Enforcement activity under existing privacy law

☒         Enforcement activity by data or cyber regulator

Do other (non-personal data or cybersecurity) laws or regulations impose restrictions on use of artificial intelligence, automated decision-making or profiling?

Last review date: 13 January 2025

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

☒         Yes, laws in force

☒         Draft legislation in progress

Ireland is subject to the EU’s Digital Service Act, the EU’s Digital Market’s Act, the EU’s Data Act and the EU’s AI Act (which is discussed further in the EU Chapter). Ireland will also be subject to the EU’s AI Liability Directive once it enters into force.

The Digital Services Act (Regulation 2022/2065 of 19 October 2022 on a Single Market For Digital Services - “DSA”), sets out specific restrictions with respect to certain uses of profiling. In particular, under Art. 26 (3) of the DSA, providers of online platforms may not present advertisements to recipients of the service based on profiling as defined in Art. 4 GDPR using special categories of personal data referred to in Art. 9 (1) GDPR. Furthermore, pursuant to Art. 28 (2) of the DSA, providers of online platforms may not present advertisements on their interface based on profiling (within the meaning of Art. 4 GDPR) using personal data of the recipient of the service when they are aware with reasonable certainty that the recipient of the service is a minor. Lastly, according to Art. 38 DSA, providers of very large online platforms and of very large online search engines that use recommender systems must provide at least one option for each of their recommender systems which is not based on profiling (within the meaning of Art. 4 GDPR).

It is also worth pointing out that according to Art. 15 of the Digital Markets Act (Regulation (EU) 2022/1925 of 14 September 2022 on contestable and fair markets in the digital sector), within 6 months after its designation, a gatekeeper must submit to the Commission an independently audited description of any techniques for profiling of consumers that the gatekeeper applies to or across its core platform services listed in the designation decision. The Commission will transmit that audited description to the European Data Protection Board.

There are no non-privacy or non-cybersecurity national laws which apply specifically to artificial intelligence, automated-decision making or profiling.

{{ $store.state.loadingScreen.message }} ...