Data Protection & Privacy in the EU and Ireland - a moving landscape

In the EU, the overarching general privacy law is the Data Protection Directive (Directive 95/46/EC), which is implemented by all Member States in the EU; however, national data protection legislation varies from state to state.

The relevant data protection law in Ireland consists of the Data Protection Act 1988 and 2003 and the enforcing authority in Ireland is the Data Protection Commissioner. Ireland gives effect to the ePrivacy Directive 2002/58/EC and the Irish courts recognise an implicit constitutional right to privacy.

There have been significant developments over the past 15 months alone in relation to data protection and privacy issues in Europe, and I consider below some key developments to watch.

1. What is the “right to be forgotten”?

As a result of the ECJ ruling in Google Spain v AEPD and Mario Costeja Gonzalez, an individual now has a right to request a search engine provider to erase the information and links concerned from search results when that information is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine”.

Google created a straightforward web form for search removal requests in Europe; each request is considered on a case-by-case basis by a panel of reviewers.

  • Onus on search engines to act as adjudicator: Search engine providers must now consider requests from individuals who want links to pages that mention them hidden when someone searches their name, and in effect make value judgments weighing an individual’s right of privacy against the public’s right to know.
  • The right to be forgotten is not absolute and will always need to be balanced against other fundamental rights, such as the freedom of expression and of the media.
  • Evolving process: The case didn’t establish a formal process for service providers to follow. It will therefore continue to be an evolving process, with service providers making the final decision in an area where there are huge issues to consider regarding an individual’s right to privacy.
  • “Right to be forgotten” applies to EU states only: individuals must have a connection to the EU to make a request for removal.

2. Is your site compliant with the EU user consent policy?

There is increased scrutiny from the EU data protection authorities, as is evident from the recent change in Google’s user consent policy. For further information and guidance, see Google’s website.

3. Key features of the proposed new General Data Protection Regulation (GDPR)?

  • Introduction of a single set of rules on data protection in the EU.
  • The rules will apply to companies from the EU and from outside the EU. Where a non-EU established company offers goods or services to EU residents or monitors EU residents’ behaviour, it will be caught by the rules; many non-EU companies will therefore have to apply European rules.
  • Significant financial consequences for companies that fail to comply with the new rules. Fines could reach up to 2% of a company’s annual turnover, depending on the seriousness of the breach. Under current data protection law in Ireland, non-compliance can lead to a maximum fine of EUR 100,000 for an indictable offence.

4. EU’s Digital Agenda for Europe

The Digital Single Market strategy, adopted on 6 May 2015, includes 16 initiatives to be delivered by the end of 2016. The three priority areas to be tackled by the end of 2016 are as follows:

Better access for consumers and businesses to digital goods and services across Europe:

  • Includes legislative proposals for simple and effective cross-border contract rules for consumers and business; reform of the copyright regime; review of the Regulation on Consumer Protection and Co-operation; and review of the Satellite and Cable Directive.

Shaping the right environment for digital networks to flourish:

  • Initiatives include a comprehensive analysis of the role of platforms in the market, including illegal content on the internet; legislative proposals to reform the current telecoms rules; review of the Audio-visual Media Services Directive; review of the e-privacy Directive (which regulates cookies and spam); and establishment of a Cybersecurity contractual Public-Private Partnership.

Maximising the growth of the Digital economy:

  • Adoption of a Priority ICT Standards Plan; Initiatives on data ownership and free flow of data (e.g. between cloud providers).

It is clear that there is heightened public awareness of data protection issues and that data protection is a priority among many business organisations. In particular, the Irish Government views the potential risk to cyber security very seriously, as is evidenced by the recently announced National Cyber Security Strategy for 2015 – 2017. The Strategy presents a cross-government framework for ensuring cyberspace remains safe, secure and reliable, and sees the potential for Ireland to become a cyber-security hub.

It will be important to watch how data protection and privacy law issues develop at EU level, especially with the ongoing advancements in technology (manufacturers and operators should be alert to the recently adopted Article 29 Working Party opinion on Privacy and Data Protection issues relating to the Utilisation of Drones!).

Author - Ursula Mulvaney, Solicitor, Dublin

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.
