Data protection & privacy laws in Ireland (2026)
As an EU member state, Ireland applies the directly-effective GDPR as its comprehensive personal-data protection baseline, supplemented nationally by the Data Protection Act 2018, which gives further effect to the GDPR and transposes the EU Law Enforcement Directive into Irish law. The independent Data Protection Commission, established on 25 May 2018, is the national supervisory authority and also enforces the ePrivacy Regulations 2011. Because many global tech companies have their EU headquarters in Ireland, the DPC acts as the EU Lead Supervisory Authority for them and is one of the most active enforcers in Europe.
Key points
The GDPR applies directly in Ireland and is the comprehensive, omnibus data-protection law. The Data Protection Act 2018 gives it further effect domestically, legislating on the areas where the GDPR allows national derogations.
The Data Protection Commission (DPC), established under the Data Protection Act 2018 (in force 25 May 2018), is Ireland's independent national supervisory authority responsible for upholding individuals' data-protection rights and enforcing GDPR.
The Act also transposes the EU Law Enforcement Directive (LED) into Irish law, governing personal-data processing for the prevention, investigation, detection or prosecution of criminal offences, where the GDPR does not apply.
Electronic communications privacy and cookies are governed by S.I. No. 336/2011 (the ePrivacy Regulations), also enforced by the DPC. Cookies generally require GDPR-standard consent unless strictly necessary to deliver a user-requested service (Reg. 5(3) and 5(5)).
Under Article 56 GDPR's one-stop-shop, the DPC is the Lead Supervisory Authority for many major tech firms headquartered in Ireland, coordinating cross-border enforcement with peer EU/EEA authorities and the EDPB.
The DPC has imposed major fines, including €530m on TikTok (May 2025) for unlawful EEA-to-China data transfers under Art. 46(1)/Art. 13(1)(f), €310m on LinkedIn (Oct 2024) and €251m and €91m on Meta (Dec/Sep 2024).
Timeline - major decisions & events
The DPC fined TikTok €530m and ordered corrective measures for unlawfully transferring EEA user data to China without ensuring EU-equivalent protection; TikTok appealed and the High Court stayed the decision on 2025-11-14 pending the outcome. (Source: Data Protection Commission)
The DPC launched a Section 110 inquiry into X Internet Unlimited Company over whether EU/EEA users' public posts were lawfully processed to train its Grok LLMs, a landmark probe of generative-AI training data. (Source: Data Protection Commission)
The DPC concluded inquiries into the September 2018 'View As' token breach affecting ~29 million accounts globally, fining Meta €251m for security and breach-notification failings under the GDPR. (Source: Data Protection Commission)
Following a 2019 inquiry, the DPC fined Meta €91m for storing user passwords in plaintext, breaching GDPR obligations on technical/organisational security measures and confidentiality. (Source: Data Protection Commission)
The DPC issued the largest-ever GDPR fine, €1.2bn, plus suspension and cessation orders against Meta for transferring EU data to the US under SCCs that failed the Schrems II standard. (Source: Data Protection Commission)
After an EDPB binding decision overrode the DPC's draft, Meta was fined €390m for unlawfully relying on 'contract' as the legal basis for behavioural advertising on Facebook and Instagram, breaching Article 6 GDPR. (Source: Data Protection Commission)
The DPC's then-largest fine penalised Meta's Instagram for exposing children's email addresses/phone numbers via business accounts and public-by-default settings for teen accounts. (Source: Data Protection Commission)
Arising from a complaint to the Irish DPC, the CJEU invalidated the EU–US Privacy Shield and tightened conditions on Standard Contractual Clauses, reshaping how Ireland-based tech firms transfer data abroad. (Source: Data Protection Commission)
Signed into law to give further effect to the GDPR (applicable 25 May 2018) and transpose the Law Enforcement Directive, the Act replaced the Data Protection Commissioner with the multi-member Data Protection Commission. (Source: Irish Statute Book)
Following Max Schrems' complaint to the Irish Data Protection Commissioner over Facebook transfers, the CJEU struck down the EU–US Safe Harbour framework, establishing Ireland as the front line of transatlantic data-transfer disputes. (Source: CJEU)
Transposed the 1995 EU Data Protection Directive into Irish law, modernising the 1988 regime with eight core principles covering fair processing, purpose limitation, security and data-subject access. (Source: Irish Statute Book)
Ireland's foundational data-protection statute, enabling ratification of the Council of Europe Convention 108, introducing data-handling principles and creating the Office of the Data Protection Commissioner (1989). (Source: Irish Statute Book)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.