Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 13 January 2025

The Data Protection Commission ("DPC") is the data protection authority in Ireland (https://www.dataprotection.ie/en).

In respect of obligations under the NIS1 Directive:

  • the Central Bank of Ireland ("CBI") is the national competent authority for the banking and financial market infrastructures sectors;
  • the Department of Communications, Climate Action & Environment is the national competent authority for Operators of Essential Services in all other sectors and in respect of Digital Service Providers; and
  • the Computer Security Incident Response Team ("CSIRT"), a branch of the Department of Communications, Climate Action & Environment, also serves as the body which must be notified by operators in all sectors in the event of a notifiable incident under the NIS1 Directive.

The General Scheme of the draft National Cyber Security Bill (which, as noted above, will transpose the NIS2 Directive) outlines the proposed national authorities which will be responsible for regulatory oversight across different economic sectors, typically assigning existing regulators oversight of their respective sectors. For example, it is proposed that the Central Bank will be responsible for the banking and financial markets sectors and the Irish Aviation Authority will be responsible for oversight of the aviation sector. ComReg will have a relatively broad purview under the proposed Scheme: it is responsible for organizations operating in the Digital Infrastructure, Digital Providers, ICT Services Managers and Space sectors.
How active is each of the regulator(s)?

Last review date: 13 January 2025

1. DPC

Very active

2. CBI

Very active

3. Department of Communications, Climate Action & Environment

Not very active

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 13 January 2025

1. DPC

The DPC's enforcement activities and priorities in the past 12 months have principally focused on examining GDPR compliance by the multinational technology companies for whom it acts as lead supervisory authority ("LSA") under the GDPR's "one stop shop" mechanism. In this capacity, the DPC has a significant number of ongoing cross-border inquiries into GDPR compliance by multinational technology companies, some of which have arisen out of complaints from data subjects, while others were initiated on the DPC's "own volition".

Since 2020, several cross-border inquiries have reached their conclusion, with a number of final decisions being adopted by the DPC, including decisions in relation to compliance by multinational technology companies with matters such as transparency, data breach reporting, accountability, international data transfers and security. In those decisions, the DPC exercised a number of its corrective powers, including its power to impose administrative fines, to issue reprimands and to issue orders requiring controllers to bring their processing into compliance.

It is anticipated that the DPC will continue to prioritize enforcement of the GDPR against multinational technology companies in the near future.

The DPC has also been active in enforcing against domestic Irish controllers, including Irish public authorities, for breaches of GDPR and has adopted a number of decisions since 2020 on matters such as data breach reporting, security and accountability. 2024 again saw the DPC issue a number of significant administrative fines.

2024 also saw the DPC issue urgent proceedings in the Irish High Courts to request an order to require the suspension of the processing of certain personal data in relation to an AI tool. This was the first time the DPC had utilized such powers and potentially indicates that the DPC will be willing to take quite substantial and immediate enforcement actions where it has concerns about the processing of personal data in connection with AI.

The DPC also continued its practice of bringing numerous prosecutions in respect of marketing offences under the EU's e-Privacy Directive framework. We expect that this will continue to be among its enforcement priorities. The fines which result from such cases are relatively minor (typically less than EUR 10,000), and the prosecutions were brought against a broad range of commercial enterprises.

2. CBI

Although the CBI is a quite active regulator, its primary enforcement focus over the last few years has not been on cybersecurity issues. Its enforcement priorities have centered on financial regulatory compliance.

Given that enforcement actions in respect of NIS1 Directive obligations have been relatively few and the NIS2 Directive has not yet been transposed into Irish law (and is unlikely to be transposed for a few months, as a draft bill has yet to be published), it is unlikely that cybersecurity issues will become an immediate enforcement focus for the CBI during 2025.

However, the list of key priorities provided in the CBI’s 2023 Annual Report (which was published in May 2024) did include:

  • Preparing for the implementation of the DORA, in particular in the context of Ireland’s technology sector

  • Developing policy work and supervisory expectations related to the use of artificial intelligence in financial services, including preparing for the implementation of the EU’s Artificial Intelligence Act

We consider it likely that cybersecurity compliance actions will become a more central focus for the CBI in the near future, especially once the transposition of the NIS2 Directive and DORA has been completed.

3. Department of Communications, Climate Action & Environment

The Department of Communications, Climate Action & Environment has not been very active in utilizing its compliance and enforcement powers under the NIS regulatory framework.

The Government established the National Cyber Security Centre ("NCSC") in 2011, as a unit within the Department. It operates as the lead Government agency for cyber security including coordination of the national response to major cyber security incidents and securing critical national infrastructure. CSIRT is the unit within the NCSC tasked with detecting, preventing, and responding to cyber security incidents.

To date, the focus of the NCSC and CSIRT has been on providing general guidance on cybersecurity issues and on coordinating immediate responses to cybersecurity incidents. They have not been heavily focused on more general regulatory compliance enforcement actions. The National Cyber Security Strategy, produced by the NCSC and covering 2019-2024, is focused on developing national cybersecurity capacities and makes little reference to enforcement actions beyond noting that enforcement powers of assessment and audit exist. This approach to enforcement activity may change after the transposition of the NIS2 Directive.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 13 January 2025

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

         Common

Class actions/group actions under data or cyber regulation are:

         Rare

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 13 January 2025

There are:

☒        administrative remedies from regulators and law enforcement

Under the GDPR, administrative fines can be up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

☒        criminal penalties from regulators and law enforcement

Under the DPA 2018, the Irish DPC has the power to prosecute data controllers and processors for summary offences in the District Court (section 147).

The maximum penalty for summary offences under the DPA 2018 is a Class A fine (i.e., EUR 5,000) and/or 12 months' imprisonment. Indictable offences will be prosecuted by the Director of Public Prosecutions in the Circuit Court or Central Criminal Court. The maximum penalty for an indictable offence under the Act is EUR 250,000 and/or 5 years' imprisonment, depending on the nature of the offence.

The Act sets out a number of criminal offences, including:

Enforced Access Requests – It is an offence for a potential or current employer to require a data subject to make a data access request to a specified person or to require a data subject to supply any information obtained as a result of such a request (section 4).

Unauthorized disclosure by processor – It is an offence for a processor, or an employee or agent of the processor, to knowingly or recklessly disclose personal data being processed on behalf of a controller without the prior authority of the controller, unless the disclosure is required or authorized by or under any enactment, rule of law or court order (section 144).

Disclosure of personal data obtained without authority – It is an offence for a person to obtain and disclose personal data to a third party without the prior authority of the controller or processor, unless the disclosure is required or authorized by or under any enactment, rule of law or court order. It is also an offence for a person to sell or offer to sell personal data that were unlawfully disclosed to or obtained by them (section 145).

Offence by directors etc. of bodies corporate – Where an offence under the Act is committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, a person being a director, manager, secretary, or other officer of that body, or a person purporting to act in such capacity, that person, as well as the body corporate, shall be guilty of the offence and liable to be punished as if he/she were guilty of the first-mentioned offence (section 46).

Offences knowingly or recklessly processing data relating to criminal convictions or offences – It is an offence to knowingly or recklessly process data relating to criminal convictions or offences in contravention of the processing conditions set down in the Act (section 55(8)).

Failure to co-operate with authorized officers during inspections, audits, and investigations – The Act provides for a number of offences in relation to obstructing an authorized officer of the DPC in the performance of his or her functions (sections 130(7) & 138(12)).

Failing to comply with an information or enforcement notice – It is an offence to fail to comply with a statutory information or enforcement notice served by the DPC (sections 132(6) & 133(10)).

Obstructing a reviewer in the preparation of a report – It is an offence to obstruct an expert in the preparation of their report or to give them false or misleading information (section 135(15)).

Under the NIS Regulations a person guilty of an offence under regulations:

  • 18 (Incident reporting obligations of OES);
  • 22 (Incident reporting obligations of DSPs);
  • 29 (Obligations to comply with requests of an authorized officer);
  • 30 (Obligation to comply with a compliance notice); or
  • 31 (Obligations to comply with an Information Notice);

is liable on summary conviction to a Class A fine (EUR 5,000) or on conviction on indictment to a fine not exceeding EUR 50,000 in the case of an individual, and EUR 500,000 in the case of a body corporate.

☒        private remedies

Individuals or not-for-profit bodies acting on behalf of an individual may, in regard to an infringement of data protection law:

  • lodge a complaint with the DPC
  • appeal against a decision of the DPC, or
  • bring a civil action against a controller and/or processor seeking an injunction or declaration, or compensation for material or non-material damages

If data subjects have private remedies, what form can these remedies take?

Last review date: 13 January 2025

☒         individual personal actions

☒         representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)