Photo of John Cahir

Ireland succeeded in enacting the Data Protection Act 2018 prior to today’s GDPR deadline, with the President signing the Act into law yesterday. The Act implements derogations permitted under the GDPR and represents a major overhaul of the regulatory and enforcement framework.  This briefing note analyses the key provisions under the Act and its likely impact on businesses operating from Ireland.

Go to Publication


In a much anticipated judgment, the Irish High Court yesterday decided to ask the Court of Justice of the European Union (CJEU) to rule on the validity of Standard Contractual Clauses (SCCs).

What is at stake?

SCCs, also known as “Model Contracts”, are contractual terms approved by the European Commission for validating transfers of personal data to countries outside the EEA region. SCCs are perhaps the most widely used legal instrument supporting EU-US data transfers. For many businesses, they are the only available means of lawfully transferring data to the US or other third countries.

If the SCCs are held to be invalid by the CJEU, many businesses operating from Europe will find themselves unable to lawfully transfer personal data to the US. This will in turn pose severe logistical and economic challenges to EU-US trade.

The legal challenge to the SCCs touches on the politically sensitive areas of data privacy and state surveillance. Therefore, a ruling that invalidates the SCCs will also present a fresh challenge for the EU and US authorities to negotiate a long lasting solution to transatlantic data transfers.

Pending the CJEU’s ruling, businesses can continue to rely on the SCCs.

How did the case come about?

Back in 2013, Mr Schrems complained to the Irish Data Protection Commissioner (DPC) about the transfer of his personal data by Facebook in Ireland to its parent company in the US under the EU-US Safe Harbour mechanism.

That complaint resulted in the invalidation of the EU-US Safe Harbour mechanism by the CJEU (Schrems I). Following the CJEU decision, Facebook placed reliance on the SCCs for making legal transfers of data between Ireland and the US, and Mr Schrems decided to reformulate his complaint against Facebook.

In the course of carrying out the new investigation, the DPC determined that she had “well-founded” objections in relation to the validity of the SCCs. In particular, she was concerned that there was an absence of effective legal remedies for EU citizens whose data are transferred to the US, and she believed that the SCCs do not answer these concerns. Only the CJEU can decide on the validity of European Commission decisions such as the SCCs. Therefore, the DPC applied to the Irish High Court so that questions regarding the validity of the SCCs could be brought before the CJEU.

What did the Irish High Court say?

Ms Justice Costello delivered a wide-ranging 152 page judgement. Of particular note are the following:

Court’s Jurisdiction

  • The Court rejected the argument advanced by Facebook that the case is concerned with processing of data for “national security” purposes and that consequently it falls outside the scope of EU law by virtue of Article 4(2) of the Treaty on the European Union, which reserves competence over national security issues to Member States.
  • In particular, the Court held that this submission was inconsistent with the ruling of the High Court and the CJEU in Schrems I, where the court proceeded on the basis that it had jurisdiction to rule on the reference.
  • The Court also rejected the argument that that the EU-US Privacy Shield precludes the making of a reference to the CJEU.  The Court held that the Privacy Shield is a decision that is confined to data transferred to US organisations that have self-certified as complying with the Privacy Shield principles, and that it is not an unconditional adequacy decision.


  • The Court agreed with the DPC that the SCCs alone cannot ensure an adequate level of protection in third countries for data protection rights. Even when data has been transferred to a third country under the SCCs, “the data is still entitled to a high level of protection” and “DPAs have an obligation to ensure that the data still receives a high level of protection and they are expressly granted powers to suspend or prohibit data transfers” (paragraph 153).
  • The terms of the SCCs do not themselves provide an answer to the concerns raised by the DPC and the Court focussed on the question of whether Article 4 of the SCCs and Article 28 of the Data Protection Directive (the Directive) alleviated those concerns – these provisions enable a national data protection authority to ban or suspend data transfers to third countries.
  • The Court ruled that a referral to the CJEU is necessary to determine whether the existence of the discretionary power conferred on the DPC by Article 4 of the SCCs and Article 28(3) of the Directive to suspend or ban data transfers to a non-EEA country, on the basis of the legal regime in that country, is sufficient to secure the validity of the SCCs.

Article 47/52 of the Charter

  • The Court held that the DPC had raised well-founded concerns that there is an absence of an effective remedy in US law compatible with the requirements of Article 47 of the Charter of Fundamental Rights, for an EU citizen whose data are transferred to the US.
  • The Court agreed with the DPC that there are well-founded concerns that the limitations on the Article 47 right, faced by EU data subjects in the US, are not proportionate or strictly necessary within the meaning of Article 52(1) of the Charter.


  • The Court noted the undesirability of having data transfers banned in one Member State under the SCCs on the basis of the inadequate laws of the third country, but without that ban impacting on transfers made to the same third country from other EU member states.  The Court indicated that only a decision of the CJEU can resolve the potential for inconsistent applications of the Directive in this regard.

Privacy Shield Ombudsperson

  • The Court agreed with the DPC that there are well-founded concerns that the Privacy Shield Ombudsperson redress mechanism, which is available to data subjects whose data are transferred under SCCs (as well as the EU-US Privacy Shield), does not respect the essence of EU citizens’ rights under Article 47 of the Charter.
  • The Court held that a decision of the CJEU is necessary to determine whether the mechanism amounts to a remedy satisfying the requirements of Article 47.

What next?

The Court has not yet framed the questions to be sent to the CJEU.  The parties to the proceedings will be afforded an opportunity to make written submissions on the form of such questions to be referred to the CJEU, and the Court will then determine the exact questions to refer.

Once the reference is made, it will be for the CJEU to fix a hearing date. It usually takes an average of 1.5 years before the CJEU rules on a reference, although the CJEU may decide to prioritise the hearing of this case given its importance.

For further information, please contact John WhelanJohn CahirMark Rasdale or Claire Morrissey.

News reports have confirmed that on Wednesday 26 July, after a public consultation period on the issue, the Irish Government have agreed to set the digital age of consent at 13 years of age. Article 8 of the General Data Protection Regulation (GDPR) provides that a child under the age of 16 cannot consent to the processing of their personal data without the express consent of their parents. EU Member States have been granted the discretion to set a lower age under the GDPR provided that it is no lower than 13.

The decision follows consideration of a submission made by Special Rapporteur for Child Protection, Dr Geoffrey Shannon, who had previously called for the lowest age of consent to be adopted in a Joint Oireachtas Committee on Justice, Defence and Equality meeting on 5 July which discussed the General Scheme of the Data Protection Bill 2017. Dr Shannon stressed the importance of protecting a child’s right to participate and have their voice heard when considering the digital age of consent.

A similar decision has been taken in the UK where the Department of Digital, Culture, Media  & Sport have confirmed that they intend to set the age of digital consent at the lower threshold of 13 years of age, in a Statement of Intent released on 7 August, discussing the proposed Data Protection Bill 2017.


The Court of Justice of the European Union (CJEU) has handed down a reference for a preliminary ruling in Case C-610/15 (Stichtin Brein v Ziggo BV, XS4ALL Internet BV), holding that making available and managing an online platform for sharing copyright-protected works may constitute an infringement of copyright.

The case was brought by a Dutch anti-piracy group Stichtin Brein against two internet service providers and was referred to the CJEU by the Supreme Court of the Netherlands to seek clarification on a point of EU law.

The CJEU considered whether an internet sharing platform, such as ‘The Pirate Bay’, which makes available and manages the indexation of metadata relating to copyrighted works, was providing ‘communication to the public’ of copyrighted materials within the meaning of Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society. It was noted that although copyrighted material was placed online by users and not by the operators of ‘The Pirate Bay’, by indexing files to allow users locate and share protected works, it played “an essential role in making the works in question available.”

It was also noted that although ‘The Pirate Bay’ does not host content, it provides a torrent search engine, classifying files under different categories and providing access to protected material “with full knowledge of the consequences of their conduct.”

The case will now return to the Dutch courts for final determination on the issue, but the ruling strengthens the position of copyright holders throughout the EU who wish to hold online sharing platforms accountable.


The General Scheme of the Data Protection Bill 2017 was published last Friday and we have prepared a summary of its main provisions here.

The drafting of the Bill is a complex task. There is a need to repeal the provisions of the Data Protection Acts 1988 and 2003 that are replaced by the directly effective provisions of the GDPR, to transpose the Law Enforcement Directive (2016/680) and at the same time to give effect to provisions of the GDPR that require national implementing measures.

Although not stated definitively, it appears that consideration is being given to having a full repeal of the Data Protection Acts 1988 and 2003 with the new Act to be a consolidating measure. That would be a welcome development.

The stand out proposals of general interest in the Bill include:

  • Confirmation that only public authorities who compete with the private sector will be susceptible to administrative fines.
  • The proposal that additional due process in the form of an oral hearing or a written “right of reply” will be available under the new administrative sanctions procedure.
  • A new power of the DPC to direct that a controller/processer engage an independent reviewer to prepare a written report on any matter specified by the DPC with the cost of the report to be borne by the data controller/processor. This is an entirely new investigative mechanism that has been designed to deal with “large scale cases”.

We will provide regular updates on the Bill’s progress.

As has been reported widely in the world media, the Court of Justice of the European Union (CJEU) this week declared the EU-US Safe Harbour regime to be invalid. The decision has understandably given rise to a lot of concern among European businesses that transfer data to the US.

In this blog post, we seek to answer the main questions that are being asked following the CJEU ruling.

Continue Reading Data in Disarray: The Aftermath of the Safe Harbour Decision

The Advocate General, Yves Bot, of the Court of Justice of the European Union (CJEU) last week delivered his opinion in the Maximillian Schrems v Data Protection Commissioner Case, C362/14 (the Opinion). The Opinion, which is advisory in nature, recommends that the Safe Harbour programme be invalidated and that the Irish Data Protection Commissioner (the DPC) be empowered to carry out a full investigation as to the adequacy of protection afforded to the personal data of Facebook’s EU users. 

Continue Reading Safe Harbour in Danger?

The Irish High Court has issued a significant decision in Aldi Stores (Ireland) Limited & anor v- Dunnes Stores (No.2) [2015] IEHC 551holding that a plaintiff is entitled as of right to an injunction where a trade mark is infringed in the course of a comparative advertising campaign even where the advertising campaign in question has ended. The defendant has indicated that it will be appealing the finding of liability made by the court.

Continue Reading High Court grants injunction prohibiting further trade mark infringement in relation to advertising campaign which has ended.

Following the recent Court of Justice decision in the Costeja case, Google launched a service last Friday that will allow European data subjects to request the removal of search results for queries that include their name where those results are "inadequate, irrelevant, or no longer relevant, or excessive in relation to the purpose for which they were processed". The request form is available online.

Continue Reading Google launches new European privacy removal tool