Ireland

EU member state and Big Tech’s GDPR regulator: €4 billion in fines, but only €20 million paid

Note: Ireland is a member of the European Union and is therefore subject to the EU Framework, including the General Data Protection Regulation (GDPR), ePrivacy Directive, and other EU-level data protection instruments. This page focuses on Ireland’s role as lead supervisory authority for the world’s largest technology companies and the Irish-specific implementation of EU privacy law.

Overview

Ireland’s Data Protection Commission (DPC) serves as the lead supervisory authority under the GDPR’s one-stop-shop mechanism for Meta (Facebook, Instagram, WhatsApp), Google, Apple, Microsoft, LinkedIn, TikTok, and Twitter/X. These companies, which include most of the world’s largest technology firms, have their European headquarters in Dublin.[1] This concentration of regulatory responsibility has made the Irish DPC both one of the most influential and one of the most scrutinized data protection authorities in Europe.

Since the GDPR came into force in May 2018, the DPC has issued €4.04 billion in total fines, almost four times more than second-placed France. Eight of the top 10 GDPR fines ever issued have been imposed by the Irish DPC.[2] However, of this total, only €20 million has actually been paid due to ongoing legal appeals by the tech companies.[3]

Ireland’s role as Big Tech’s regulator is no accident. The country’s 12.5% corporate tax rate (among the lowest in the EU), highly educated English-speaking workforce, robust university system with strong government investment in STEM education, and access to the European Single Market have made Dublin the preferred European headquarters location for US technology companies since the 1990s.[4] Critics argue that Ireland’s economic dependence on Big Tech creates a conflict of interest that has historically manifested in slow enforcement and lenient draft decisions, a pattern that earned the DPC the nickname of the “bottleneck” of European data protection.[5]

The tension between Ireland’s economic interests and its enforcement obligations has repeatedly escalated to the European Data Protection Board (EDPB), which has overridden the DPC’s draft decisions in multiple high-profile cases, most notably increasing the fine against Meta from the DPC’s proposed amount to €1.2 billion, the largest GDPR fine in history, for unlawful data transfers to the United States following the Schrems II ruling.[6]

Ireland’s privacy framework is governed by the Data Protection Acts 1988 to 2018 and the directly applicable GDPR. The country also maintains a modest intelligence apparatus (the Irish Military Intelligence Service (IMIS) and Garda Síochána’s Crime and Security Branch) and has been reported to participate in the ECHELON signals intelligence network as an information-sharing partner.

Data Protection Authority: Data Protection Commission (DPC)

Structure and Leadership

Ireland transitioned from a single Data Protection Commissioner to a three-commissioner model in 2024-2025:[7]

  • Dr. Des Hogan – Commissioner for Data Protection and Chairperson (appointed February 2024)
  • Dale Sunderland – Commissioner for Data Protection (appointed February 2024)
  • Niamh Sweeney – Commissioner for Data Protection (appointed September 2025, commenced October 13, 2025)

Sweeney’s appointment proved controversial due to her prior employment at Meta/Facebook, where she served as director of public policy for EMEA at WhatsApp and held senior roles at Meta. The Irish Council for Civil Liberties filed a complaint with the European Commission arguing the appointment created a conflict of interest given the DPC’s role as lead supervisory authority for Meta.[8]

Helen Dixon served as Data Protection Commissioner from 2014 until February 2024. Her tenure was marked by record-breaking fines (27 fines totaling nearly €3 billion) but also significant criticism for slow enforcement and perceived leniency toward Big Tech companies.[9]

The DPC employs 251 staff (as of 2024, with 70 new employees onboarded during the year) and operates on a budget of €28.126 million.[10]

Enforcement Powers

The DPC has full investigative and enforcement powers under GDPR Articles 58 and 83, including:

  • Administrative fines up to €20 million or 4% of global annual revenue, whichever is higher
  • Power to issue reprimands, warnings, and compliance orders
  • Power to order cessation of unlawful processing and prohibition of data transfers
  • Power to conduct data protection audits and compel information production

Major Enforcement Actions

Meta/Facebook – €1.2 Billion (May 2023): The largest GDPR fine ever issued. Meta violated Article 46(1) by continuing to transfer personal data from the EU to the US using Standard Contractual Clauses without addressing the risks identified in the Schrems II judgment regarding US surveillance laws. The EDPB issued a binding decision directing the DPC to impose a fine between 20-100% of the legal maximum, overriding the DPC’s draft.[11]

TikTok Technology Limited – €530 Million (May 2025): The largest fine of 2025. TikTok unlawfully transferred EEA user data to China through remote access practices that allowed European user data to be accessed by employees in China without adequate safeguards (€485M for Article 46(1) violation, €45M for Article 13(1)(f)). TikTok was granted a High Court stay on the decision pending appeal.[12]

Meta/Instagram & Facebook – €390 Million (January 2023): €210 million for Facebook and €180 million for Instagram for using an unlawful legal basis for behavioral advertising. Meta cannot rely on “performance of a contract” (Article 6(1)(b)) to justify personalized advertising. The fines followed an EDPB binding decision requiring the DPC to increase them.[13]

TikTok – €345 Million (September 2023): Non-compliance with GDPR rules regarding processing of personal data of child users.[14]

LinkedIn Ireland – €310 Million (October 2024): Unlawful behavioral analysis and targeted advertising. Lack of valid lawful basis; consent not “freely given, sufficiently informed or specific, or unambiguous.” Sixth largest GDPR fine by any EU authority since 2018.[15]

Meta – €251 Million (December 2024): 2018 “View As” feature data breach affecting 3 million EU/EEA accounts. Violations of Articles 5(1)(f) (security), 25 (data protection by design), and 32 (security of processing). Fine breakdown: €8M for breach notification failures, €130M for data protection by design failures, €110M for failing to limit processing by default.[16]

WhatsApp Ireland – €225 Million (September 2021): Failure to meet transparency requirements of Articles 12-14; infringement of Article 5(1)(a) transparency principle. Eight EU regulators objected to the DPC’s draft decision; the EDPB adopted a binding decision requiring the DPC to increase the fine. As of February 2026, WhatsApp’s appeal had resulted in the European Court of Justice returning the case to the General Court for a ruling on the merits.[17]

Meta – €91 Million (September 2024): Inadequate security for storing user passwords; violations of Articles 5(1)(f), 25, and 32.[18]

Total Meta Group Fines: Approximately €2.031 billion across Facebook, Instagram, WhatsApp, and Meta entities.

Legal Framework

Data Protection Acts 1988 to 2018

Ireland’s data protection framework evolved through three major legislative acts:[19]

  • Data Protection Act 1988 – Original implementing legislation
  • Data Protection Amendment Act 2003 – Updated the 1988 framework
  • Data Protection Act 2018 – Enacted May 25, 2018 to give further effect to the GDPR in Ireland

The Data Protection Act 2018 supplements the directly applicable GDPR and provides for derogations permitted under GDPR, the DPC’s structure and powers, criminal offenses and penalties, and specific sectoral provisions.[20] References to the earlier acts remain for limited circumstances, including processing for safeguarding security of the State and national security/defence purposes.

ePrivacy Regulations

The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336/2011) transpose the EU ePrivacy Directive into Irish law. The regulations cover cookies and tracking technologies, electronic marketing communications, and security of communications. Explicit consent is required for non-essential cookies, and marketing via electronic means without consent is prohibited (with limited exceptions for existing customers).[21]

In 2024, the DPC undertook 146 investigations under the ePrivacy Regulations and prosecuted eight companies.[22]

Data Retention

Following the CJEU’s invalidation of the EU Data Retention Directive in Digital Rights Ireland (2014), Ireland revised its data retention regime through the Communications (Retention of Data) Act 2011 and the Communications (Retention of Data) Amendment Act 2022.

The 2022 Amendment institutes retention of “user data” and “internet source data” for 12 months for combating crime, safeguarding state security, protecting life and safety, and locating missing persons. General indiscriminate retention is only permitted for national security purposes with judicial approval. The act implements a “quick freeze” system allowing judges to order telecommunications companies to retain data of suspects in serious offenses.[23]

National Cyber Security Bill 2024

A proposed National Cyber Security Bill 2024 (under consideration as of early 2026) would grant extensive powers to scan networks, collect communications data in bulk, and block domain names. The bill would permit gathering of communications metadata from telecom networks and social media platforms with retention up to 18 months. It has been criticized by the Irish Council for Civil Liberties and Digital Rights Ireland for going beyond the EU NIS2 Directive requirements and undermining privacy and free expression.[24]

Lead Supervisory Authority Role

Why Big Tech Chose Ireland

The factors that attracted tech companies to Ireland—low corporate tax rates, an English-speaking talent pool, STEM investment, and Single Market access—have had a compounding effect over the decades.[25] Meta, Google, Microsoft, Apple, LinkedIn, Twitter/X, and TikTok all now have European headquarters in Dublin, making Ireland the de facto GDPR regulator for much of the global technology industry.

One-Stop-Shop Mechanism

Under GDPR Article 60, the one-stop-shop (OSS) mechanism allows organizations engaged in cross-border EU data processing to deal with a single lead supervisory authority for their data protection compliance obligations. The lead supervisory authority is determined by the location of the organization’s main establishment in the EU.[26]

For companies based in Ireland, this means the DPC acts as the primary regulator for all EU-wide processing activities. When the DPC investigates a cross-border case, it must consult with concerned supervisory authorities (CSAs) in other affected member states, share draft decisions, and consider any reasoned objections. If consensus cannot be reached, the case may be referred to the EDPB for binding decision under Article 65.[27]

Cross-Border Performance

As of end of 2024:[28]

  • The DPC concluded 145 cross-border complaints
  • Submitted 115 notifications through the Article 60 mechanism
  • None of the concerned supervisory authorities objected to draft decisions (suggesting improved consensus)
  • 82% of cross-border complaints received since 2018 (where DPC is LSA) have been concluded
  • 89 active statutory inquiries, including 53 cross-border inquiries

In October 2024, the DPC appointed a deputy commissioner to lead “EDPB and International Affairs,” recognizing the increasing importance of international engagement.

The Schrems Litigation

Austrian lawyer and privacy activist Max Schrems filed his original complaint with Ireland’s DPC in June 2013 regarding Facebook Ireland’s transfer of his personal data to Facebook Inc. in the US, arguing the data was vulnerable to NSA surveillance under PRISM.[29] The resulting litigation has fundamentally reshaped EU-US data transfer law.

Schrems I (2015)

The DPC initially rejected the complaint, believing the US ensured adequate protection. Schrems appealed to the Irish High Court, which referred the case to the Court of Justice of the European Union (CJEU). In October 2015, the CJEU invalidated the US-EU Safe Harbor Framework, overturning the DPC’s rejection of the complaint.[30]

Schrems II (2020)

On May 31, 2016, the DPC commenced proceedings in Irish High Court seeking a reference to the CJEU regarding the validity of Standard Contractual Clauses (SCCs) for data transfers to the United States. Following oral hearings in July 2019, the CJEU issued its judgment on July 16, 2020:[31]

  • Invalidated: EU-US Privacy Shield (Commission Decision 2016/1250)
  • Upheld: Validity of Standard Contractual Clauses, but with conditions
  • Requirement: SCCs must include effective mechanisms ensuring an “essentially equivalent” level of protection to the GDPR; data exporters and supervisory authorities must assess adequacy in practice

The Irish High Court directed the DPC to pay Schrems’ costs for the High Court and CJEU proceedings.

Post-Schrems II Enforcement

Following the Schrems II ruling, the DPC set up an inquiry and ordered Facebook Ireland to suspend data transfers to US servers pending revisions. This ultimately led to the €1.2 billion fine in May 2023 for Meta’s continued unlawful transfers.[32] The European Commission adopted new SCCs in June 2021, requiring organizations to assess whether third countries provide adequate protection and implement supplementary measures if necessary.

Controversies and Criticism

The “Bottleneck” Criticism

As of May 2021, the Irish DPC was lead supervisory authority for 164 cases of Europe-wide significance, with 98% remaining unresolved. Cases referred to Ireland in 2018 had not reached draft decision stage by 2021.[33] German and French regulators expressed frustration about the one-stop-shop bottleneck, with some regulators penalizing Big Tech companies within their territorial scope out of frustration with the DPC’s pace.

The Irish Council for Civil Liberties published a report highlighting the “Economic & Reputational Risk of the DPC’s Failure to Uphold EU Data Rights,” raising concerns about Ireland’s standing in the EU due to enforcement delays.[34]

EDPB Article 65 Overrides

When the DPC as lead supervisory authority drafts a decision, concerned supervisory authorities in other member states can raise “reasoned objections.” If consensus cannot be reached, the case goes to the European Data Protection Board for binding decision under Article 65.[35]

Notable EDPB overrides of DPC draft decisions include:

  • WhatsApp (2021): Eight EU regulators objected; EDPB required DPC to increase fine to €225M
  • Meta Data Transfers (2023): EDPB directed DPC to impose fine between 20-100% of legal maximum, resulting in €1.2B
  • Meta Instagram (2022): EDPB required changes increasing fine to €180M
  • Twitter (2020): First case through Article 65 process, resulting in €450K fine

The DPC challenged EDPB jurisdiction in Meta investigations, but courts upheld the EDPB’s authority.[36]

Resource Challenges

The DPC characterized itself as “acutely strained” by Big Tech cases in 2021.[37] A major ICT overhaul remained chronically delayed five years after announcement, with costs exceeding €1 million by end of 2021, while the DPC continued using antiquated technology to handle complex GDPR complaints.[38]

Intelligence and Surveillance

Garda Síochána Intelligence

Ireland’s police force, the Garda Síochána, operates the Crime and Security Branch (CSB) based at Garda Headquarters in Dublin. The CSB is responsible for national security, counterterrorism, and serious crime investigations, and maintains a National Intelligence Database linked to military intelligence.[39]

The National Surveillance Unit (NSU) is the principal clandestine intelligence gathering and surveillance operations unit, operating under the Crime & Security Branch. It focuses on counterterrorism, militant/subversive groups, serious crime, and counterintelligence, increasingly using technical and electronic espionage.[40]

Irish Military Intelligence Service (IMIS)

The Irish Military Intelligence Service, formerly known as G2 and later J2, was founded in the mid-1920s following the Anglo-Irish Treaty. In July 2025, it was renamed IMIS. The service is responsible for the safety and security of the Defence Forces and supporting national security. Computer systems are linked with Garda CSB for information sharing.[41]

A March 2025 Irish Times article characterized Ireland’s intelligence services as having “no strategy, ad hoc structures, mutual distrust.”[42] Irish intelligence officers have been sent to train at US military facilities.

ECHELON Membership

Ireland has been reported to be a member of the ECHELON signals intelligence network, sharing and receiving information with members Australia, Canada, New Zealand, United Kingdom, and United States.[43] The Defence Forces CIS (Communications and Information Services) Corps is jointly responsible with IMIS for SIGINT and cyber operations within the Defence Forces.

Surveillance Powers

The Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 provides the Defence Forces with authority to conduct intelligence-led operations involving surveillance, electronic communications interception, and stored electronic information access for the purpose of safeguarding and maintaining security of the State.[44]

Commercial Surveillance Infrastructure: The Intellexa Connection

Ireland's role in the global surveillance industry extends beyond its own intelligence activities. The country serves as the corporate headquarters for Intellexa Limited, the surveillance technology consortium responsible for the Predator spyware—a commercial surveillance tool comparable to NSO Group's Pegasus.[49]

Intellexa Limited and Predator Spyware

Intellexa Limited is registered in Dublin and operates as the holding company for a network of surveillance technology vendors spanning Greece, Israel, North Macedonia, and other jurisdictions. The consortium's flagship product, Predator, is a sophisticated mobile device exploitation tool capable of remotely accessing encrypted communications, activating cameras and microphones, and extracting all data from targeted smartphones—functionally equivalent to NSO Group's Pegasus.

Predator has been deployed by governments worldwide, and investigative reporting has documented its use against journalists, politicians, and civil society activists across Europe, the Middle East, and beyond. Notable cases include:

  • Targeting of opposition politicians and journalists in Greece (the "Greek Watergate" scandal)
  • Deployment against civil society activists in Egypt
  • Use by European governments including Spain and other EU member states

The Meta security team documented Predator infections across multiple countries and published technical analysis of the spyware's capabilities in December 2021, demonstrating that it operates through sophisticated zero-click exploits requiring no user interaction.[50]

Ireland as a Surveillance Technology Hub

Intellexa's choice of Ireland as its corporate domicile reflects the country's favorable corporate tax regime, English-language business environment, and notably robust data protection framework that provides legal legitimacy to surveillance technology vendors. By incorporating in an EU member state with strong data protection laws, Intellexa operates from within a regulated jurisdiction, while its technologies have been deployed in contexts documented as violating fundamental rights.

Ireland's status as both the EU headquarters for major US technology companies (Meta, Google, Apple, Microsoft) and the corporate home for a major surveillance technology consortium creates a tension: the DPC enforces GDPR compliance against technology platforms while Ireland simultaneously hosts the corporate infrastructure enabling commercial spyware deployment against European citizens.

US Export Controls and Irish Jurisdiction

In March 2024, the United States Department of Commerce added Intellexa and several of its subsidiary entities to the Entity List, effectively blocking US companies from providing technology or services to the consortium. The US government cited Intellexa's role in developing and trafficking cyber exploits used to gain unauthorized access to information systems, with specific reference to targeting of US government officials, journalists, and policy experts.[51]

However, Intellexa Limited remains a validly registered Irish company, and Ireland has not imposed equivalent export controls or sanctions. This creates a jurisdictional gap: the company operates from Dublin, processes transactions through Irish corporate infrastructure, and benefits from EU regulatory legitimacy, yet faces no domestic Irish restrictions on its activities beyond general corporate compliance obligations.

The Accountability Gap

Ireland's dual role—as both an aggressive data protection enforcer and as the corporate host for a major surveillance technology vendor—illustrates a limitation in how privacy law addresses the surveillance industry. The DPC can investigate and sanction companies that violate GDPR in their data processing activities. But when a company's core business is manufacturing surveillance tools deployed by other governments against their populations, that activity falls outside GDPR's scope.

The result is that Ireland hosts Intellexa, receives corporate tax revenue from the surveillance industry, and faces no domestic political pressure to restrict surveillance technology exports—while the human rights violations enabled by Predator spyware occur in other jurisdictions. This creates a market-based externalization of harm: Ireland captures the economic benefits of hosting surveillance vendors while other countries bear the human rights costs of the technologies those vendors produce.

International Data Sharing Agreements

Despite Ireland’s position as GDPR enforcer for many of the world’s largest tech companies, the country participates in international data sharing frameworks that provide foreign agencies with pathways to access Irish person data.

Mutual Legal Assistance Treaty with the United States

As an EU member, Ireland is part of the EU-US MLAT framework covering all EU member states. The Criminal Justice (Mutual Assistance) Act 2008 sets out how Ireland engages with other countries for law enforcement requests, with the Minister for Justice serving as the Central Authority.[52]

Because many US service providers have their European headquarters in Ireland (Meta, Google, Apple, Microsoft, and others), Irish authorities receive an exceptionally high volume of MLAT requests from the United States and other countries seeking data held by these companies. This has reportedly led to an “increase in time needed to access electronic evidence from Ireland under MLAT procedures, apparently due to high number of requests to Irish authorities.”

The Microsoft Ireland Case and the Path to the CLOUD Act

In a landmark case, the US Department of Justice sought a warrant for emails stored in Microsoft’s Ireland datacenter. Microsoft challenged the extraterritorial reach of the warrant, arguing that US law enforcement should use the MLAT process to request data held in Ireland. The DOJ argued against using MLAT due to “efficacy concerns” and the “drawn-out waiting period.”[53]

The Microsoft Ireland case directly led to the passage of the CLOUD Act in March 2018, which allows the DOJ to compel US companies to produce data from anywhere in the world with a US warrant, regardless of where it is stored. The CLOUD Act mooted the Microsoft case, but the legal controversy illustrated the tension between MLAT processes (diplomatic channels, 10-month processing) and US law enforcement demands for immediate access to data held abroad.

Ireland’s Opt-Out from the European Investigation Order

Ireland does not participate in the European Investigation Order (EIO), having opted out due to perceived inconsistencies with Irish law. While other EU member states use the EIO framework for binding cross-border evidence requests based on mutual recognition, Ireland continues to rely on traditional MLAT channels for international cooperation.[54]

This opt-out means that Irish judges cannot use the EIO to make binding requests to other EU member states for evidence, and other EU member states cannot use the EIO to compel Irish authorities to produce evidence. Instead, Ireland processes requests through the Criminal Justice (Mutual Assistance) Act 2008 and bilateral MLATs, a slower process than the EIO’s mutual recognition framework.

Schengen and Common Travel Area

Ireland is not participating in Schengen, maintaining instead the Common Travel Area (CTA) with the United Kingdom, which predates both the EU and Schengen. This means Ireland does not participate in the Schengen Information System (SIS II), Prüm Convention, or other Schengen-specific law enforcement data sharing frameworks.

The CTA creates a unique bilateral relationship with the UK for border control and some data sharing, but Ireland’s non-participation in Schengen means it has less automatic data sharing with EU member states than Schengen countries enjoy.

EU-US Data Sharing Frameworks

EU-US Umbrella Agreement: Entered into force February 1, 2017, governing personal data exchanged between EU and US law enforcement. Grants Irish citizens judicial redress rights before US courts.

SWIFT/TFTP Agreement: US Treasury can subpoena SWIFT for financial transaction data, affecting Irish persons’ international wire transfers, with Europol verification.

PNR Agreements: Ireland participates in the EU-US PNR agreement, enabling transfer of passenger data from Irish air carriers to US CBP.

Multilateral Frameworks

Interpol I-24/7: Ireland participates in Interpol’s global network (195 countries, 100,000+ messages daily) for criminal intelligence sharing.

Egmont Group: The Irish FIU participates in the Egmont Group network of 164+ Financial Intelligence Units, sharing financial intelligence on money laundering and terrorist financing.

Cumulative Effect on Irish Persons

Taken together, the frameworks described above mean that data nominally protected by GDPR and DPC enforcement can be accessed through multiple alternative channels: MLAT requests processed through the Minister for Justice (with exceptionally high volumes due to tech company headquarters), CLOUD Act demands compelling US companies to produce data from Irish datacenters without Irish judicial oversight, SWIFT/TFTP financial surveillance, and PNR passenger data agreements. Ireland’s opt-out from the EIO and Schengen means it has less automatic EU data sharing than Schengen countries, but its position as tech company headquarters creates unique exposure to US extraterritorial data demands. Meanwhile, Ireland continues to host surveillance technology companies like Intellexa while imposing no export controls on their products.

Recent Developments

2025 Enforcement: Total European GDPR fines in 2025 reached approximately €1.2 billion, with Ireland and France accounting for over €1 billion of the total. The largest fine of 2025 was the DPC’s €530 million against TikTok for data transfers to China.[45]

Pending Investigations (Commenced 2024): Google (training of AI models using personal data), Irish Health Service (security of sensitive health data), Ryanair (use of biometric data).[46]

AI Regulation: The DPC was designated as fundamental rights body under the EU AI Act (2024) and is proposed as market surveillance authority (effective 2026). The expansion to three commissioners was partly driven by AI Act responsibilities.[47]

Microsoft Azure Surveillance Complaint (December 2025): The Irish Council for Civil Liberties filed a complaint alleging that Microsoft’s Azure cloud services facilitated mass surveillance of Palestinians, with data stored on Azure allegedly used for Israeli military intelligence including intercepted mobile phone calls from Gaza and the West Bank. Investigation pending.[48]

Case Statistics (2024): 7,781 valid data breach notifications (11% increase over 2023), 2,357 formal complaints concluded, 8,418 cases resolved through amicable means, 145 cross-border complaints concluded.[49]

DPC Grok/X Deepfake Investigation (February 2026): The DPC opened a large-scale inquiry under Section 110 of the Data Protection Act 2018 into X Internet Unlimited Company over Grok AI generating non-consensual sexualized deepfake images of EU/EEA data subjects, including children. The Gardaí are separately investigating over 200 reports of CSAM-related Grok-generated images.[55]

CJEU WhatsApp Ruling (February 2026): The Court of Justice of the European Union Grand Chamber ruled that WhatsApp has standing to challenge EDPB binding decisions at the General Court, overturning the lower court’s dismissal. The case has been sent back for merits review of the €225 million fine originally imposed in September 2021.[56]

TikTok €530M Appeal Stayed (November 2025): The High Court granted a stay on November 14, 2025 on the DPC’s €530 million TikTok decision pending appeal, with hearing scheduled no later than March 2026. Data transfers from the EEA to China continue pending the outcome.[57]

DPC Fines Department of Social Protection (February 2026): The DPC imposed a €320,000 fine on the Department of Social Protection for unlawful collection of biometric facial data during Public Services Card registration under the SAFE 2 process, affecting approximately 70% of the Irish population.[58]

Oireachtas AI Committee First Interim Report (December 2025): The Joint Oireachtas Committee on AI published its first Interim Report on December 16, 2025, containing 85 recommendations including the establishment of a national AI Office by August 2026, a Citizens’ Assembly on AI, and algorithmic controls.[59]

HSE Cyberattack Compensation (December 2025): The Health Service Executive offered €750 per affected individual (90,936 persons notified) in settlement of the 2021 Conti ransomware attack that crippled Ireland’s public health system.[60]

EU DSA Investigation of X/Grok (January 2026): The European Commission launched a formal probe under the Digital Services Act after X failed to include Grok AI in its systemic risk assessment. Coimisiún na Meán, Ireland’s national Digital Services Coordinator, is associated with the investigation.[61]

Sources

[1] ComplianceHub: Understanding Ireland’s Data Protection Commission – DPC as lead supervisory authority for Big Tech
[2] Law Society Gazette: DPC Leads the Way in GDPR Fines (January 2025) – Eight of top 10 GDPR fines issued by Irish DPC
[3] RTE: Tech Companies Owe Ireland EUR 4B (January 2026) – Only €20M of €4.04B in fines actually paid
[4] CNBC: How Ireland Lost Its Chance to Become Big Tech’s Super Regulator – 12.5% tax rate, talent pool, Single Market access
[5] ICCL: DPC Problems with Law and Data – 98% of cases unresolved as of May 2021
[7] DPC: Who We Are – Current three-commissioner structure
[9] HewardMills: Helen Dixon Leaves Office (February 2024) – 27 fines totaling nearly €3B, criticism for slow enforcement
[11] DPC: Conclusion of Inquiry into Meta Ireland (May 2023) – €1.2B fine for data transfers to US
[12] DPC: TikTok Fined €530 Million (May 2025) – Data transfers to China
[13] DPC: Meta Ireland Fined €390M (January 2023) – €210M Facebook + €180M Instagram for unlawful behavioral advertising
[15] DPC: LinkedIn Ireland Fined €310 Million (October 2024) – Unlawful behavioral advertising
[16] DPC: Meta Fined €251 Million (December 2024) – “View As” data breach
[17] DPC: WhatsApp Inquiry Decision (September 2021) – €225M fine for transparency violations
[18] DPC: Meta Fined €91 Million (September 2024) – Password storage security
[19] Irish Statute Book: Data Protection Act 2018 – Primary implementing legislation
[21] Irish Statute Book: S.I. 336/2011 ePrivacy Regulations – Cookies, tracking, electronic marketing
[22] IAPP: DPC 2024 Annual Report – 146 ePrivacy investigations, 8 prosecutions
[23] Trilateral Research: Ireland’s Data Retention Bill 2022 – 12-month retention, quick freeze system
[26] DPC: One-Stop-Shop (OSS) – GDPR Article 60 mechanism
[27] EDPB: Binding Decision 1/2023 – Article 65 dispute resolution
[28] IAPP: DPC 2024 Annual Report – Cross-border performance statistics
[31] DPC: DPC v. Facebook Ireland Limited (Schrems II, July 2020) – CJEU invalidates Privacy Shield
[34] ICCL: Economic & Reputational Risk of DPC’s Failure – Report on enforcement delays
[35] EDPB: Binding Decision 5/2022 – Article 65 mechanism explained
[38] Irish Examiner: DPC ICT Overhaul Chronically Delayed – €1M+ spent, antiquated technology
[39] Garda Síochána: Crime and Security Branch – National security, counterterrorism
[40] Wikipedia: Garda National Surveillance Unit – Clandestine intelligence, technical espionage
[41] Wikipedia: Directorate of Military Intelligence (Ireland) – G2/J2/IMIS history, ECHELON membership
[43] Wikipedia: DMI – ECHELON Membership – SIGINT network information sharing
[44] FRA EU Study: Ireland Data Surveillance Legal Update – Interception Act 1993 powers
[45] TechCentral: European GDPR Fines Totalled €1.2B in 2025 – Ireland and France account for >€1B
[46] IAPP: DPC 2024 Annual Report – Pending Google, Health Service, Ryanair investigations
[47] McCann FitzGerald: DPC Annual Report 2024 – AI Act fundamental rights body, market surveillance authority
[48] ICCL: GDPR Complaint Against Microsoft Azure (December 2025) – Palestinian surveillance allegations
[49] The Guardian: The Intellexa Alliance – Inside the Surveillance Tech Companies Behind Predator Spyware (July 2023) – Intellexa Limited Dublin registration, consortium structure, global deployment
[50] Meta: Taking Action Against Surveillance-For-Hire (December 2021) – Technical analysis of Predator spyware, zero-click exploits, documented infections
[51] US Department of Commerce: Commerce Adds Five Companies to Entity List for Selling Cyber Exploits (March 2024) – Intellexa and subsidiaries added to Entity List, export controls
[52] Arthur Cox: Responding to Law Enforcement Requests Under GDPR – Criminal Justice (Mutual Assistance) Act 2008, Minister for Justice as central authority
[53] McCann FitzGerald: Cross-Border Electronic Evidence – Microsoft Ireland case, CLOUD Act passage, increased MLAT processing times for Irish authorities
[54] Eurojust: European Investigation Order – Ireland opted out of EIO, continues to rely on traditional MLAT channels
[55] DPC: Investigation into X Internet Unlimited Company – Grok AI Deepfakes (February 2026) – Section 110 inquiry into non-consensual sexualized deepfake images of EU/EEA data subjects; Gardaí investigating 200+ CSAM reports
[56] IAPP: CJEU Rules Meta Can Challenge EDPB’s Binding WhatsApp Decision (February 2026) – WhatsApp has standing to challenge EDPB binding decisions; case returned to General Court for merits review of €225M fine
[57] Irish High Court: TikTok Stay Order (November 14, 2025) – Stay granted on €530M DPC decision pending appeal; hearing no later than March 2026
[58] DPC: Conclusion of Investigation into Facial Matching Technology in Public Services Card (June 2025) – Fine for unlawful biometric facial data collection in Public Services Card SAFE 2 registration
[59] Oireachtas: Joint Committee on AI Publishes First Interim Report with 85 Recommendations (December 16, 2025) – 85 recommendations including national AI Office by August 2026, Citizens’ Assembly on AI
[60] HSE: 2021 Conti Ransomware Attack Compensation (December 2025) – €750 per affected individual, 90,936 persons notified
[61] European Commission: Formal DSA Probe into X/Grok (January 2026) – X failed to include Grok in systemic risk assessment; Coimisiún na Meán associated as national DSC