The State of Your Privacy in Ireland: Everything You're Not Being Told
Every law, every gap, every failure — and what could actually fix it.
If someone publishes your home address online tomorrow to encourage people to show up at your door, there is no law in Ireland that specifically makes that a crime.
That's not a gap in the system. It is the system.
Ireland is the data protection capital of Europe. Apple, Google, Meta, Microsoft, TikTok — they're all headquartered here. The Irish Data Protection Commission regulates their privacy practices for 450 million EU citizens. Ireland has imposed over €4 billion in GDPR fines.
It has collected less than €20 million of it.
This article is the full picture. Every privacy law that exists in Ireland, every law that doesn't, every enforcement mechanism that works, every one that's broken, and every bill that's been passed but never switched on. No jargon, no legal theatre, no pretending.
You have a right to know exactly where you stand. Here's where you stand.
Part 1: The Laws That Exist
GDPR and the Data Protection Act 2018
The General Data Protection Regulation is the foundation of privacy law in Europe. It's directly applicable — meaning it doesn't need to be transposed into Irish law — but the Data Protection Act 2018 fills in the gaps where member states are allowed to make their own choices.
What it gives you:
- The right to know what data is held about you (Article 15)
- The right to have your data deleted (Article 17 — the "right to be forgotten")
- The right to object to processing (Article 21)
- The right not to be subject to automated decision-making (Article 22)
- The right to move your data to another provider (Article 20 — data portability)
- The right to be notified within 72 hours if your data is breached
What it actually does:
All of these rights are reactive. You have to know who has your data, contact them, make a request, wait for a response, and if they refuse or ignore you, complain to the Data Protection Commission. The DPC then investigates — eventually.
Ireland chose to set the digital age of consent at 16, the highest permitted under GDPR. This means children between 13 and 16 cannot consent to data processing even with parental permission — a stricter standard than most EU countries, but one that is almost impossible to enforce when platforms don't verify age.
What it doesn't do:
GDPR gives you no way to declare your rights in advance. There is no register, no mechanism for companies to check your preferences before processing your data, and no automatic enforcement. Every single exercise of your rights requires you to initiate contact, prove your identity, and wait.
Coco's Law (2020)
The Harassment, Harmful Communications and Related Offences Act 2020, known as Coco's Law, was named after Nicole "Coco" Fox Fenlon, who died by suicide after intimate images were shared without her consent.
What it covers:
- Sharing intimate images without consent — up to 7 years imprisonment and an unlimited fine
- Threatening to share intimate images
- Sending threatening or grossly offensive communications with intent to cause harm
- Extended harassment law to cover communications about a person, not just to them
Since commencement in February 2021, approximately 99 cases have been prosecuted by the DPP.
What it does not cover:
- Doxxing. Publishing someone's home address, phone number, workplace, or family details is not specifically criminalised. Amendments to include doxxing were proposed during the bill's passage in 2020. They were not included.
- AI-generated intimate images. Deepfake pornography — where someone's face is placed on explicit content using AI — is not explicitly addressed. The law covers real images. The distinction matters.
- Time limit. Offences must be reported within two years. If you discover intimate images were shared three years ago, it may be too late.
Coco's Law was a genuine step forward. It was also the minimum viable response to a specific tragedy, passed under public pressure. The gaps it left — doxxing, deepfakes, time limits — remain open.
The Online Safety and Media Regulation Act 2022
This Act established Coimisiún na Meán (the Media Commission), replacing the Broadcasting Authority of Ireland, with a mandate that extends to online safety.
What it does:
- Gives Coimisiún na Meán the power to create binding Online Safety Codes
- The first Online Safety Code came into full effect on 21 July 2025, covering video-sharing platforms (Facebook, Instagram, YouTube, TikTok, LinkedIn, Pinterest, Tumblr, and others)
- Requires these platforms to implement content moderation, age assurance, and reporting mechanisms
- Penalties: fines of up to €20 million or 10% of global revenue
The limitation:
The first Code only covers video-sharing platform services. Other categories of online services — general social media, messaging apps, online marketplaces — are not yet covered. Further codes are expected but have not been published.
X (formerly Twitter) challenged the Code in court and lost. That's a good sign for enforcement. But the Code is narrow in scope and covers only the most visible platforms.
The ePrivacy Regulations (S.I. No. 336 of 2011)
These regulations implement the EU ePrivacy Directive and cover cookies, electronic marketing, and communications confidentiality.
What you'd expect: Robust enforcement of cookie consent, restrictions on electronic direct marketing, and penalties for non-compliance.
What actually happens: The maximum fine on conviction is €250,000. Not €250 million. Not a percentage of turnover. A quarter of a million euro. For companies with revenues in the billions, this is not a deterrent. It is a line item.
The DPC is the enforcement authority, but enforcement of cookie consent in Ireland has been minimal compared to France (which has fined Google €150 million for cookie violations) or other EU jurisdictions.
The Criminal Justice (Surveillance) Act 2009
This Act governs covert surveillance by state agencies — An Garda Síochána, the Defence Forces, Revenue, and the Garda Ombudsman (GSOC).
What it permits:
- Authorised personnel may covertly enter a location and place surveillance devices
- Tracking devices can be deployed for up to 4 months with a superior officer's approval
- Judicial authorisation (from a District Court judge) is required for surveillance device deployment, though in urgent cases a senior officer can authorise first and seek judicial confirmation within 72 hours
The concern:
The Act's oversight relies on a "designated judge" model — a single sitting judge who reviews surveillance authorisations. This model has been criticised as structurally inadequate. The designated judge reports annually, but the reports are general and cannot name specific operations. There is no equivalent to the UK's Investigatory Powers Tribunal or a standing oversight body with investigative capacity.
Compliance failures have been documented, including cases where recordings were not properly authorised under the Act.
The Garda Síochána (Recording Devices) Act 2023
Enacted in December 2023, this Act provides the legal basis for Garda body-worn cameras, CCTV, and automatic number plate recognition (ANPR).
What it does:
- Body-worn cameras must be visible and a light must indicate recording
- Officers should inform people that recording is occurring
- Use is restricted to criminal investigation and public safety
What it explicitly excludes: Facial recognition technology. The Act does not authorise it.
What's coming next: A separate Garda Síochána (Digital Management and Facial Recognition Technology) Bill is being drafted. As of April 2025, the Minister described the work as "well advanced." This bill would allow retrospective facial recognition searches — comparing recorded footage against databases.
The ICCL has described facial recognition as "highly intrusive, invasive, faulty, unreliable and discriminatory." Body-worn cameras have been trialled at five Garda stations since 2024. National rollout is pending.
The Electoral Reform Act 2022
This Act established An Coimisiún Toghcháin (the Electoral Commission) and includes an entire section — Part 4 — on online political advertising transparency.
What Part 4 requires:
- Platforms must flag political advertisements
- Platforms must maintain a public archive of political ads
- Each ad must link to a transparency notice disclosing micro-targeting and spending
- Persons outside the State are prohibited from purchasing political ads targeting Irish elections
The catch: Part 4 has never been commenced. The provisions exist in law. They are not in force. Online political advertising in Ireland operates without the transparency requirements that were legislated for in 2022.
The Electoral Commission published a voluntary framework ahead of the June elections, but voluntary frameworks are not the same as binding regulation. The law is there. It has not been turned on.
Part 2: The Laws That Don't Exist
No Doxxing Law
There is no specific criminal offence of doxxing in Ireland. Publishing someone's home address, phone number, employer, children's school, or daily routine with the intent to facilitate harassment is not a named crime.
It may fall under general harassment provisions in some circumstances. It may constitute a data protection violation. But there is no offence called doxxing, no specific penalty, and no expedited takedown mechanism.
Proposals to criminalise doxxing were raised during the passage of Coco's Law. They were not adopted.
No Deepfake-Specific Law
AI-generated intimate imagery — placing someone's face on explicit content — is not explicitly covered by Coco's Law or any other Irish statute. The 2020 Act criminalises sharing intimate images without consent, but the legal definition of "intimate image" was written before generative AI made photorealistic fakes trivial to produce.
The EU AI Act, which applies directly in Ireland, prohibits AI systems that create deepfakes without disclosure. But the enforcement mechanism is still being established, and the specific prohibition on non-consensual intimate deepfakes relies on the intersection of the AI Act and existing member state law — which, in Ireland, has the gap described above.
No Standalone AI Rights
Ireland has no national AI legislation. The EU AI Act (Regulation 2024/1689) applies directly:
- February 2025: Prohibitions on unacceptable-risk AI systems took effect (social scoring, emotion recognition in workplaces/schools, untargeted facial recognition scraping)
- August 2026: Rules for high-risk AI systems apply
- August 2027: Product-linked high-risk AI systems provisions apply
Ireland has designated 15 existing regulators as National Competent Authorities under a "distributed model" and plans to establish a National AI Office by August 2026. The General Scheme of a Regulation of Artificial Intelligence Bill 2026 has been published.
But right now, if an AI company scrapes your photos from the internet to train a model, your only recourse is a GDPR objection under Article 21 — which requires you to know who scraped your data, contact them, and wait. There is no register of AI training data sources. There is no opt-out mechanism. There is no way to declare in advance that your data, images, or likeness may not be used.
Part 3: The Enforcement Crisis
€4 Billion in Fines. €20 Million Collected.
This is the single most important fact about privacy enforcement in Ireland.
The DPC has imposed over €4 billion in GDPR fines since 2018. Here are the big ones:
| Year | Company | Fine | Reason |
|---|---|---|---|
| 2021 | | €225M | Transparency failures |
| 2022 | Meta (Instagram) | €405M | Children's privacy |
| 2022 | Meta (Facebook) | €265M | Data scraping failure |
| 2023 | Meta (Facebook) | €1.2B | Unlawful US data transfers |
| 2023 | Meta (Facebook/Instagram) | €390M | Unlawful basis for personalised ads |
| 2023 | TikTok | €345M | Children's privacy |
| 2024 | | €310M | Behavioural analysis |
| 2024 | Meta | €251M | Security breach |
| 2025 | TikTok | €530M | Data transfers to China |
Under Irish law, fines cannot be collected until confirmed by a court. Every major fine is appealed. The appeals take years.
In 2024: €652 million imposed. €582,000 collected.
In 2023: €1.55 billion imposed. €815,000 collected.
The ICCL has described Ireland as the "worst bottleneck" for GDPR enforcement in Europe. Spain, with a smaller budget, produces ten times more draft decisions than the DPC. The European Data Protection Board had to issue a binding decision to force the DPC to impose the €1.2 billion fine on Meta — the DPC's original draft decision did not include a fine of that magnitude.
The fines make headlines. The collection rate makes the headlines meaningless.
Six Years of Unlawful Surveillance
In 2014, the Court of Justice of the European Union struck down the EU Data Retention Directive in the Digital Rights Ireland case. In 2016, the CJEU confirmed in Tele2/Watson that member states could not impose general data retention on telecoms providers.
Ireland continued enforcing the Communications (Retention of Data) Act 2011 for six more years.
In 2022, in a case referred by the Irish Supreme Court (Graham Dwyer v Commissioner of An Garda Síochána, Case C-140/20), the CJEU confirmed that the 2011 Act's blanket retention regime was incompatible with EU law. The court ruled that access to retained data for criminal investigations must be authorised by a court or independent body — not by a Garda officer.
The implications are serious. Graham Dwyer was convicted of murder in 2015 using mobile phone location data retained under the 2011 Act. The CJEU ruled that the admissibility of evidence obtained under an invalid law is a matter for national courts — meaning past convictions that relied on this data may be vulnerable to appeal.
The government eventually passed the Communications (Retention of Data) (Amendment) Act 2022, commenced in June 2023, which introduces judicial authorisation for data access and limits general retention to national security purposes. But the fact remains: Ireland enforced a law it knew to be unlawful for six years after the EU's highest court told it to stop.
The Encryption-Breaking Bill
The Communications (Interception and Lawful Access) Bill is being drafted. It would replace the 30-year-old Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993.
What it would do:
- Apply lawful interception powers to all communications "whether encrypted or not" — including WhatsApp, iMessage, Signal, Instagram DMs, gaming consoles, connected cars
- Empower Gardaí, Defence Forces, and GSOC to intercept live encrypted communications
- Establish a legal framework for spyware use in cases of "strict necessity"
- Introduce judicial authorisation for the first time (the 1993 Act relies on ministerial warrants)
The Global Encryption Coalition has issued an open letter opposing the bill's encryption provisions. The tension is real: law enforcement needs tools to investigate serious crime, but breaking encryption for everyone to catch some people undermines the security of every person who relies on encrypted messaging — which is everyone.
The General Scheme is expected during 2026. This will be one of the most consequential privacy debates in Irish legislative history.
Part 4: The Constitutional Foundation
The Irish Constitution does protect privacy — but not explicitly.
Article 40.3.1 of Bunreacht na hÉireann guarantees that the State will protect the personal rights of citizens. The right to privacy is not named in the Constitution. It exists as an "unenumerated right" — recognised by the courts as implicit in the broader guarantee of personal rights.
The key cases:
- McGee v Attorney General (1974): The Supreme Court recognised marital privacy as a constitutionally protected right. Walsh J held that the right to privacy "inheres in the individual by reason of their human personality."
- Kennedy and Arnold v Attorney General (1987): Journalists' phones had been tapped on ministerial warrants. The court held that private communications — written and telephonic — are constitutionally protected and cannot be deliberately and unjustifiably interfered with.
- Ryan v Attorney General (1965): Established the broader doctrine of unenumerated rights — the principle that the Constitution protects rights beyond those explicitly listed.
The constitutional right to privacy is real but limited. It can be restricted by legislation "in the interests of the common good." And it creates no positive obligation on the State to build infrastructure that makes privacy enforceable in practice. It protects you from the government violating your privacy. It does nothing about companies violating your privacy.
Part 5: The Digital Services Act and Digital Markets Act
These EU regulations apply directly in Ireland and are enforced at both national and EU level.
The Digital Services Act (DSA):
- Coimisiún na Meán is Ireland's Digital Services Coordinator
- Penalties: fines of up to 6% of annual global turnover
- The European Commission has opened 14 investigations into Very Large Online Platforms, including Facebook, Instagram, TikTok, Temu, and X
- First DSA fines are expected in 2026
The Digital Markets Act (DMA):
- Enforced directly by the European Commission (not national authorities)
- Apple was fined €500 million and Meta €200 million under the DMA in 2025
- The DMA targets "gatekeeper" platforms — those with significant market power
Both Acts are relatively new and enforcement is still ramping up. But they represent a shift from the GDPR model: instead of relying on complaints and national regulators, the Commission can investigate and fine directly. Whether this produces faster, more effective enforcement than the DPC model remains to be seen.
Part 6: Where This Leaves You
Here is your privacy situation in Ireland in 2026:
You have the right to know what data companies hold about you. But you have to ask each company individually, prove your identity, and wait up to 30 days for a response. There is no central register.
You have the right to have your data deleted. But only after you've discovered who has it, and only if they don't invoke one of GDPR's many exemptions (legal obligation, public interest, freedom of expression, etc.).
You have the right to object to data processing. But you have to object to each processor individually, and there is no mechanism to object in advance.
You have the right not to be subjected to automated profiling. But you probably don't know when you're being profiled, by whom, or based on what data.
If someone shares intimate images of you without consent, that's a crime. If someone publishes your home address to encourage harassment, it's not — at least not specifically.
If an AI company scrapes your photos to train a model, you can object under GDPR. But you have to know they did it first. There is no notification requirement for training data.
The DPC has fined companies billions. It has collected almost none of it.
The government wrote a law to make online political ads transparent. It never turned the law on.
The government enforced a surveillance law for six years after the EU's highest court said it was unlawful. Then it wrote a new law.
A bill is being drafted that would let the Gardaí break encryption on your private messages. Another bill would enable facial recognition technology.
This is not a system that protects your privacy. It is a system that describes your privacy, on paper, in legislation that either isn't enforced, isn't commenced, or isn't collected.
Part 7: What Would Actually Work
We built a Privacy Rights Registry — a working prototype of what real, proactive privacy infrastructure could look like. Not because we think a prototype solves the problem, but because the government can't say "it's too complicated to build" when it's already built.
Here's what it does, in plain terms:
You register your rights. You pick a display name (not your real name — this is a proof of concept, we don't want your personal data). You tick the rights you want to declare: no doxxing, no AI training, no deepfakes, no facial recognition, no profiling, no data sale, no direct marketing, data portability. You hit Register.
You get a registration number. Think of it like a PPS number for privacy. It's a unique reference — proof that you've declared your rights. In a government-backed system, this number would be linked to your identity through the same kind of verification used for Revenue Online or MyGovID.
Companies check the registry before processing your data. In the demonstrator, you can simulate this yourself — pretend to be a data broker, enter a registration number, and watch the system block the request. In a production system, this check would be mandatory. Companies that don't check would be in breach, and the fact that they didn't check would be logged.
Every attempt is recorded. Timestamp, company name, stated purpose, result. An immutable audit trail. If a company violates your declared rights, the evidence is already there — ready for a DPC complaint or a court filing.
Try it yourself. It takes thirty seconds.
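A minimal sketch of the register, check and log flow described above, as an added example that is not the demonstrator's code. The `PRR-` number format, the purpose-to-right mapping, the fail-closed handling of unrecognised purposes and the SHA-256 hash chain used to make the audit trail tamper-evident are all assumptions.

```python
import hashlib
import json
import secrets
from datetime import datetime, timezone

# Rights listed in the article; the identifiers are this example's own naming.
RIGHTS = {"no_doxxing", "no_ai_training", "no_deepfakes", "no_facial_recognition",
          "no_profiling", "no_data_sale", "no_direct_marketing", "data_portability"}
# Assumed mapping: a processor's stated purpose -> the declared right that blocks it.
BLOCKED_BY = {"ai_training": "no_ai_training", "data_sale": "no_data_sale",
              "direct_marketing": "no_direct_marketing", "profiling": "no_profiling",
              "facial_recognition": "no_facial_recognition"}
GENESIS = "0" * 64  # "previous hash" of the first audit entry


def _digest(prev_hash, record):
    """Hash an audit record together with the hash of the entry before it."""
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class Registry:
    def __init__(self):
        self.declarations = {}  # registration number -> display name and rights
        self.audit = []         # append-only, hash-chained log of every check

    def register(self, display_name, rights):
        rights = frozenset(rights)
        if not rights <= RIGHTS:
            raise ValueError(f"unknown rights: {sorted(rights - RIGHTS)}")
        reg_no = "PRR-" + secrets.token_hex(6).upper()  # unguessable reference
        self.declarations[reg_no] = {"display_name": display_name, "rights": rights}
        return reg_no

    def check(self, reg_no, company, purpose):
        """Decide a processing request and record the attempt either way."""
        entry = self.declarations.get(reg_no)
        if entry is None:
            result = "unknown_registration"
        elif purpose not in BLOCKED_BY:
            result = "blocked"  # fail closed on a purpose the registry cannot classify
        elif BLOCKED_BY[purpose] in entry["rights"]:
            result = "blocked"
        else:
            result = "allowed"
        record = {"timestamp": datetime.now(timezone.utc).isoformat(),
                  "company": company, "purpose": purpose,
                  "registration": reg_no, "result": result}
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        self.audit.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
        return result

    def verify_audit(self):
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.audit:
            if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    registry = Registry()
    number = registry.register("constructed-user", {"no_ai_training", "no_data_sale"})
    # Constructed company name: a data broker asking to sell the data.
    print(number, registry.check(number, "Example Broker Ltd", "data_sale"))
    print("audit intact:", registry.verify_audit())
```

A hash chain only detects edits to past entries. For the trail to hold up as evidence against the registry operator as well, the latest hash would have to be published or held by a third party.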
Why This Works: The Precedents
This isn't a novel idea. Ireland and the EU have built exactly this kind of infrastructure before:
- The Lobbying Register (Regulation of Lobbying Act 2015): If you lobby a public official, you must register and report the communication. Non-compliance is a criminal offence. Before 2015, lobbying was invisible. After, it was documented and searchable. Same model. Different domain.
- App Tracking Transparency (Apple, iOS 14.5): Apps must ask permission before tracking you. Apps that don't comply are removed from the App Store. Opt-in tracking rates dropped to ~25%. Proof that gatekeepers can enforce privacy rules.
- Payment processor sanctions (Mastercard/Visa vs Pornhub, 2020): After the New York Times reported non-consensual content, payment processors cut off revenue. The platform changed its policies within weeks. Proof that financial enforcement works when regulatory enforcement doesn't.
A statutory Privacy Rights Registry would combine all three: mandatory registration (like the Lobbying Act), gatekeeper enforcement (like ATT), and financial sanctions for non-compliance (like payment processor intervention).
What It Can't Do
We're not pretending this solves everything. It doesn't.
- Without legislation, it's voluntary. Companies can ignore a prototype. They can't ignore a statutory obligation.
- Social media strips metadata. Rights declarations embedded in image files are removed on upload. Until platforms preserve metadata, the registry works through API lookups, not embedded in content.
- Determined adversaries bypass everything. A state actor or skilled attacker won't be stopped by a registry. Most privacy violations aren't committed by state actors. They're committed by companies running cost-benefit analyses.
- The DPC needs resources. Adding registry enforcement to an already stretched regulator without additional funding is just adding another queue.
Realistic effectiveness: 50–70% with statutory enforcement. 20–30% voluntary. The current rate is 0%.
Part 8: What Happens Next
Every registration on the demonstrator is a person saying: "I want this right, and I want the state to enforce it."
This is how it always starts:
- The Mahon and Moriarty Tribunals revealed political corruption → public demand → the Lobbying Register.
- The Snowden revelations showed mass surveillance → public demand → GDPR.
- Nicole Fox Fenlon's death → public demand → Coco's Law.
Public demand creates political will.
The technology for a Privacy Rights Registry is built. The enforcement model has precedents in Irish law. The legal basis exists in GDPR. The only thing missing is the demand.
Register your rights. It takes thirty seconds. Every name on the list makes the case stronger.
Read the Accountability Toolkit. Sixty resources for holding power accountable in Ireland — all legal, all public, all free or low-cost.
Contact your TD. Tell them you want a statutory Privacy Rights Registry. Point them to the Lobbying Act as the template. Point them to App Tracking Transparency as the enforcement precedent. Point them here as the proof of concept.
Got something? If you have evidence of privacy violations, data misuse, or corporate misconduct in Ireland, send it to us securely. We investigate. We publish. We follow up.
Every law cited in this article is referenced by its full title, enactment date, and — where applicable — the specific provision. Every claim about enforcement is based on published DPC annual reports, CJEU judgments, and Oireachtas records. Every gap identified is documented. This is the state of your privacy in Ireland. Now you know.