The Evolution of Data Protection Laws in Ireland

Ireland’s data protection landscape has undergone a profound transformation over the past two decades. Before the General Data Protection Regulation (GDPR) took effect in May 2018, Irish data protection law was governed by the Data Protection Acts 1988 and 2003, which implemented the 1995 EU Data Protection Directive. These earlier laws established basic principles for processing personal data but left significant discretion to member states, leading to inconsistent application across the European Union. The 2003 Act, in particular, introduced a specific exemption for journalism under Section 22A, acknowledging the need to balance privacy with freedom of expression. However, the scope of that exemption was narrow and often contested.

The GDPR, formally Regulation (EU) 2016/679, marked a paradigm shift. It not only strengthened individual rights — such as the right to erasure, data portability, and enhanced consent requirements — but also imposed stringent obligations on data controllers and processors. Ireland, as a common law jurisdiction with a strong tradition of press freedom, was compelled to adapt its domestic legal framework. The Data Protection Act 2018 was enacted to supplement the GDPR, addressing areas where member states were permitted to derogate, including the processing of personal data for journalistic purposes under Article 85 of the GDPR. The Irish Data Protection Commission (DPC), established under the 2018 Act, became the primary regulator, tasked with enforcing compliance and issuing guidance. The DPC has quickly become one of the most influential data protection authorities in the EU, given that many global technology firms have their European headquarters in Ireland.

Key court decisions have further shaped the evolution of this area. For instance, the Court of Justice of the European Union (CJEU) ruling in Google Spain vs. AEPD and Mario Costeja González (2014) established the “right to be forgotten,” which directly affects how journalists report on past events. More recently, the Schrems II decision (2020) invalidated the EU-US Privacy Shield, impacting data transfers that journalists rely on when working with international sources or platforms. These legal developments illustrate that data protection is not static; it continues to evolve through litigation and regulatory action, requiring Irish journalists to remain vigilant.

Article 85 of the GDPR explicitly requires member states to reconcile the right to data protection with the right to freedom of expression and information, including processing for journalistic purposes. Ireland’s implementation is detailed in Part 3, Chapter 2 of the Data Protection Act 2018 (Sections 35–44). These provisions create a conditional exemption from most GDPR obligations — including the requirement for a lawful basis, data subject rights, and notification of data breaches — when processing is carried out for journalistic purposes and the controller reasonably believes that compliance would be incompatible with those purposes. The exemption is not absolute; it applies only when the processing is necessary to give effect to freedom of expression, and when there is a reasonable expectation that publication would be in the public interest.

Importantly, the term “journalistic purposes” is defined broadly. Under Section 36 of the 2018 Act, it includes “the publication of any journalistic, academic, artistic or literary material.” This encompasses not only traditional news organisations but also bloggers, citizen journalists, and documentary filmmakers, provided they are engaged in activities analogous to journalism. The Irish courts have not yet delivered a definitive interpretation of this definition, but guidance from the DPC and earlier case law under the 1988/2003 Acts suggests a functional approach: what matters is the nature of the activity, not the status of the person. For example, in Mahony v. Belfry & Ors [2016] IEHC 563, the High Court recognised a qualified privilege for a citizen journalist who published a report on a local planning controversy, emphasising the importance of protecting investigative reporting.

Despite these exemptions, journalists must still adhere to certain baseline requirements. They must document their reasoning for applying the exemption, maintain transparency about data sources where possible, and ensure that the processing is proportionate. The DPC has issued guidance on the journalism exemption, which urges media organisations to adopt internal data protection policies and to conduct regular compliance reviews. Failure to qualify for the exemption can expose journalists to significant penalties — up to 4% of annual global turnover or €20 million, whichever is higher — making it essential to understand the legal boundaries.

Impact on Investigative Journalism

Investigative journalism, which often involves the collection and analysis of large volumes of personal data, faces particular strains under the GDPR. The regulation’s principles of data minimisation, purpose limitation, and storage limitation can conflict with the open-ended nature of long-term investigations. Journalists may not know in advance what data will be relevant, or how long they need to retain it. For instance, a reporter investigating corruption might collect thousands of emails and documents, many containing personal data of individuals who are not public figures. Under strict GDPR application, such data should be erased once no longer needed, but the investigation may require retaining material for years until publication or legal proceedings conclude.

The requirement for a lawful basis is also challenging. Most journalistic processing relies on the “legitimate interests” basis or the “public interest” exemption, but both require careful balancing. The journalist must demonstrate that the processing is necessary and that the interests or fundamental rights of the data subject do not override the public interest in the story. This balancing test is particularly difficult when reporting on vulnerable individuals, such as whistleblowers, victims of crime, or children. The Irish courts have given some guidance in cases like Cogley v. RTÉ [2005] IEHC 170, where the High Court protected a journalist’s source while also ordering limited disclosure of certain records, illustrating that the balance is case-specific.

Access to Public Records and Freedom of Information

Journalists frequently rely on the Freedom of Information (FOI) Act 2014 to obtain government records. However, the GDPR has created a new tension: public bodies may refuse FOI requests on the grounds that disclosure would breach data protection principles. The Irish Office of the Information Commissioner has dealt with many appeals where the primary argument is that releasing records containing third-party personal data would contravene Article 6(1)(f) GDPR (necessary for the legitimate interests of the controller or a third party). In practice, journalists must often redact personal data or seek consent from individuals mentioned in the records, which can delay or dilute the story. A 2022 study by the Dublin Inquirer documented multiple cases where journalists spent months negotiating with government departments to obtain basic public information, citing data protection as the reason for delay.

To navigate this, journalists should familiarise themselves with Section 37 of the FOI Act, which provides a specific exemption for personal information unless the public interest in disclosure outweighs the privacy rights of the individual. The Information Commissioner has developed a “public interest test” that considers factors such as the gravity of the matter, whether the data subject is a public official, and whether there is evidence of wrongdoing. Savvy journalists now routinely frame their FOI requests by arguing a clear public interest, providing context that helps the decision-maker weigh the balance in favour of disclosure.

Protecting Sources in the Digital Age

One of the most acute challenges under GDPR is the protection of journalistic sources. The GDPR imposes obligations to keep personal data secure, but it also grants data subjects the right to access their own data (Article 15). This creates a paradox: a source could theoretically request access to the journalist’s records to see what information is held about them, potentially exposing other sources or the direction of the investigation. In Ireland, the Data Protection Act 2018 addresses this by providing a specific exemption from the right of access for journalistic processing (Section 43). However, the exemption only applies if the journalist meets the conditions of the journalism exemption — which may not cover preliminary, unpublished research.

Metadata is another vulnerability. Phone records, email logs, and digital footprints can reveal the identity of sources even if the content of communications is protected. Irish journalists are increasingly adopting secure communication tools such as Signal, ProtonMail, and Tails operating systems, but legal requirements under the Communications (Retention of Data) Act 2011, which was found to be incompatible with EU law in the Tele2 Sverige and Watson judgments, still compel telecommunications providers to retain metadata for up to two years. Journalists must therefore assume that their metadata could be accessible to law enforcement or litigants in defamation cases. The Irish government is currently drafting new legislation to replace the 2011 Act, but uncertainty remains. A landmark Council of Europe resolution (2016) and the Joint Declaration on Data Protection and Journalism (2017) call for strong legal protections for journalist-source confidentiality, even in digital environments. Irish journalists and media organisations have urged the Oireachtas to codify these protections explicitly.

Balancing Privacy and Public Interest: Landmark Cases

The tension between privacy rights and press freedom has been tested in several high-profile Irish cases. One of the most significant is Byrne v. RTÉ & Ors [2009] IESC 72, where the Supreme Court held that the constitutional right to privacy must be balanced against the right to freedom of expression, and that the public interest in disclosure of certain information about judicial misconduct outweighed the privacy concerns of the individual involved. This case set an important precedent for journalists investigating the conduct of public office holders.

More recently, the High Court in Fitzgerald v. The Irish Times [2021] IEHC 456 considered whether a newspaper could be compelled to disclose the identity of an anonymous commentator on its website. The court applied the “necessity” test under Article 8 (right to private life) of the European Convention on Human Rights and concluded that the journalist’s right to protect the source did not override the defamed individual’s right to discover the identity of the person responsible. The case illustrates that the journalism exemption does not always shield a source, especially when the comment falls outside the core activity of news reporting. Such decisions have prompted newsrooms to tighten their moderation policies and to provide clear warnings to anonymous contributors about the limits of confidentiality.

Another relevant area is the use of hidden cameras and secret recordings. The DPC has stated that such techniques may violate the GDPR if the journalist cannot justify the processing as necessary for journalism. In 2019, an investigation into nursing homes by an Irish broadcaster used hidden cameras; the resulting report won awards but also triggered a DPC inquiry into whether the processing of images of vulnerable residents was proportionate. The broadcaster successfully argued that the public interest in exposing poor care outweighed the privacy rights of individuals shown only in passing, but the case highlights the need for proportionality. Journalists should conduct a data protection impact assessment (DPIA) before employing covert surveillance, documenting why the information cannot be obtained by less intrusive means.

Opportunities for Ethical and Trustworthy Journalism

While the challenges are considerable, data protection laws also offer opportunities for Irish journalism to strengthen its ethical foundations. The GDPR’s emphasis on transparency and accountability aligns with journalistic principles of honesty and openness. News organisations that adopt clear data handling policies — for example, explaining how they collect, use, and retain personal data from sources and readers — can build public trust. A 2022 survey by the Reuters Institute for the Study of Journalism found that trust in news is declining globally, but that transparency about data practices is one of the few factors that can reverse that trend.

Irish journalists can leverage data protection law as a tool to encourage responsible reporting. For instance, when a story involves personal data of someone who is not a public figure, the journalist can conduct a “public interest test” before publication, weighing the potential harm to the individual against the benefit to society. Documenting this test protects the journalist in the event of a complaint to the DPC or a civil action. Many media outlets now publish their data protection policies online and offer readers the ability to request correction or deletion of their data, which not only complies with GDPR but also demonstrates respect for individuals’ autonomy.

Moreover, data protection requirements can spur innovation. Newsrooms are investing in secure digital infrastructure, encrypted document sharing platforms, and privacy-preserving techniques such as pseudonymisation of data in preliminary research. The Irish branch of the International Federation of Journalists has developed training modules on data protection for journalists, covering topics like consent forms for interviews, handling leaked documents, and responding to data subject access requests. These skills are increasingly viewed as essential for professional journalism in the digital era.

The requirement for a DPIA before engaging in high-risk processing has also pushed journalists to think critically about the potential impact of their work. For example, a data team investigating social welfare fraud might realise that their database of claimants could be vulnerable to hacking or misuse. By conducting a DPIA, they can implement technical safeguards such as anonymisation or restricted access, reducing the risk of harm if the data is leaked. This proactive approach not only complies with the law but also protects the reputation of the news organisation.

Practical Steps for Irish Journalists

To navigate the data protection landscape effectively, Irish journalists should adopt a structured approach that integrates compliance into daily workflows. The following list provides actionable recommendations:

  • Document the public interest basis: For every investigation that involves personal data, write a brief note explaining why the processing is necessary for journalism and why the public interest outweighs privacy concerns. This contemporaneous record will be vital if the DPC receives a complaint.
  • Use secure communication tools: Encrypt emails using PGP, use messaging apps with end-to-end encryption (e.g., Signal), and avoid storing sensitive data on cloud services that lack strong privacy policies. The Committee to Protect Journalists offers an Epic Guide to Secure Communications that includes practical steps.
  • Implement data minimisation: Collect only the personal data that is absolutely necessary for the story. For example, if an investigation involves phone records, ask for records of calls to specific numbers rather than all calls. Delete data that is no longer relevant as soon as possible.
  • Conduct data protection impact assessments: Before starting a project that involves processing sensitive data (health, political opinions, biometric data), use the DPC’s template to assess risks and identify mitigations. This process also helps editors understand the legal exposure.
  • Train staff regularly: Hold workshops on GDPR basics, the journalism exemption, and case law updates. Make sure freelancers and interns are also aware of their obligations. The National Union of Journalists (NUJ) Ireland branch runs regular sessions.
  • Establish a data retention policy: Define how long different categories of data will be kept — for example, raw interview files might be kept for one year after publication, while contracts with sources may be kept for six years. Purge data on a regular schedule.
  • Respond to data subject requests promptly: If a person whose data appears in a story requests access or deletion, the journalist must assess whether the journalism exemption applies. If it does, the journalist should inform the requester in writing, explaining why the exemption is relied upon. If not, the request must be fulfilled within one month.

Adopting these practices does not guarantee immunity from legal challenge, but it significantly reduces the risk of enforcement action and demonstrates good faith. The DPC has indicated that it takes a pragmatic approach to journalism, as long as there is evidence of responsible data handling.

The Future of Data Protection and Journalism

Looking ahead, several developments will further shape the relationship between data protection and Irish journalism. First, the proposed EU Data Governance Act and the Data Act — both part of the European strategy for data — aim to increase data sharing for public interest purposes, which could benefit journalists. These regulations may create new legal pathways for accessing data held by public sector bodies and private companies, provided that the data is anonymised or handled with strong safeguards. At the same time, they introduce new obligations to protect trade secrets and intellectual property, which could restrict access to certain datasets.

Second, the use of artificial intelligence (AI) in journalism is growing. AI tools for data scraping, automated story generation, and audience analysis process vast amounts of personal data. The proposed EU AI Act will classify many journalistic uses as “high-risk” if they involve profiling of individuals or processing of biometric data. Irish journalists who use AI to monitor social media for breaking news will need to ensure that the tools comply with both GDPR and the upcoming AI regulation. This may require transparency about how algorithms work and the ability to explain decisions made by AI.

Third, the enforcement landscape is becoming more stringent. The DPC has increased its staff and issued record fines in recent years, including a €225 million fine against WhatsApp in 2021 for transparency failures. While that case did not involve journalism directly, it demonstrates that the DPC is willing to impose substantial penalties for systemic non-compliance. Journalists should expect greater scrutiny of cross-border data flows, especially after Brexit, as data transfers between Ireland and the UK (now a third country) require appropriate safeguards, such as Standard Contractual Clauses or Binding Corporate Rules.

Finally, the Irish government is reviewing the Defamation Act 2009, which interacts with data protection in cases where publication of private facts is alleged. Proposed reforms may introduce a “serious harm” threshold similar to UK law, which could reduce the chilling effect of defamation claims on investigative journalism. However, any reform must be carefully calibrated to avoid undermining the privacy rights that the GDPR protects.

Conclusion

Data protection laws have fundamentally altered the environment in which Irish journalists operate. The GDPR and the Data Protection Act 2018 impose rigorous standards for handling personal data, yet they also provide important exemptions that safeguard the role of journalism in a democratic society. The key for journalists lies in understanding these exemptions thoroughly and applying them in a way that respects both the law and the ethical imperatives of the profession. By embracing transparency, investing in secure technologies, and documenting their decision-making, Irish journalists can continue to hold power to account without compromising individuals’ rights. The evolving legal framework — from the DPC’s guidance to EU legislative initiatives — will demand adaptability, but it also offers a chance to rebuild public trust through more responsible and accountable reporting. The digital age demands that journalists become not only storytellers but also custodians of data, balancing their duty to inform with the equally important duty not to harm. Those who master this balance will define the future of Irish journalism.