There have been a number of highly significant regulatory developments in the area of cybersecurity, artificial intelligence and data protection over the past year. We highlight some key developments that you should be aware of below.
KEY THEMES IN DATA PROTECTION, PRIVACY AND TECHNOLOGY
ACTS AWAITING COMMENCEMENT
Consumer Rights Act 2022
Date signed into law: 7 November 2022
This act consolidates and updates existing consumer protection laws that regulate consumer contracts, as well as introducing new and enhanced consumer protection measures, particularly in the area of digital goods and services. The act gives effect to a number of EU consumer rights directives, including, inter alia, the following:
- Directive 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services (The Digital Contents Directive)
- Directive 2019/771 on certain aspects concerning contracts for the sale of goods (The Revised Sale of Goods Directive); and
- The main provisions of Directive 2019/2161 on the better enforcement and modernisation of EU consumer protection rules (The Omnibus Directive). This directive itself amends the Unfair Contract Terms Directive 93/13/EEC; the Unfair Commercial Practices Directive 2005/29/EC; the Consumer Rights Directive 2011/83/EU, and the Price Indication Directive 98/6/EC.
Latest stage: Section 161 is awaiting commencement.
Online Safety and Media Regulation Act 2022
Date signed into law: 10 December 2022
This act provides for the establishment of a Media Commission, Coimisiún na Meán, and the dissolution of the Broadcasting Authority of Ireland. The legislation introduces a regulatory framework for online safety to tackle the spread and amplification of harmful online content, as well as updates to the regulation of audiovisual media services and the implementation of the revised Audiovisual Media Services Directive. The act provides, in particular, for Coimisiún na Meán to make online safety codes to be applied to designated services. The final version of the Online Safety Code, published by Coimisiún na Meán, was adopted in October 2024.
Latest stage: A number of provisions are awaiting commencement.
IRISH PROPOSED LEGISLATION
Freedom of Information (Amendment) Bill
This bill will update the Freedom of Information legislation arising from the review of the current act.
Latest stage: Work is ongoing. Listed as "all other legislation" in the Spring 2025 Legislative Programme.
Communications (Retention of Data) Bill
This bill will replace the current Communications (Retention of Data) Act 2011 to reflect advances in technology and consolidate the law on retention of and access to data for national security and prevention of crime purposes.
Latest stage: Work is ongoing. Listed as "all other legislation" in the Spring 2025 Legislative Programme.
National Cyber Security Bill
This bill will establish the National Cyber Security Centre of Ireland ("NCSC") on a statutory basis and provide for related matters including clarity around its mandate and role. It will also transpose the NIS2 Directive (2022/2555) into national law.
Latest stage: Pre-legislative scrutiny is ongoing. Listed for priority publication in the Spring 2025 Legislative Programme.
Criminal Justice (Protection, Preservation of and Access to Data on Information Systems) Bill 2024
This bill proposes to give effect to a number of the provisions of the Budapest Convention on Cybercrime 2001, the EU e-Evidence Regulation ((EU) 2021 / 784) and the EU Terrorist Content Online Regulation ((EU) 2021 / 784).
Latest stage: Pre-legislative scrutiny was completed in March 2024. General Scheme published in May 2024. Listed for priority drafting in the Spring 2025 Legislative Programme.
Interception of Postal Packets and Telecommunications Messages (Regulation) (Amendment) Bill
This bill proposes to amend various pieces of legislation in respect of electronic communications.
Latest stage: Work was ongoing. Listed as "all other legislation" in the Spring 2025 Legislative Programme.
Data Governance Bill
The purpose of this bill is to assign certain powers to the Competition and Consumer Protection Commission (“CCPC”) in its role as designated Competent Authority for data intermediaries and data altruism organisations under the EU Data Governance Act.
Latest stage: Heads were in preparation. No reference to this in the Spring 2025 Legislative Programme.
Digital Hub Development Agency ("DHDA") (Dissolution) Bill
This bill aims to put in place the legislation required to give effect to the Government Decision S180/20/10/1136A of 27 April 2021, which approved the dissolution of the DHDA.
Latest stage: Heads were in preparation. Listed as "all other legislation" in the Spring 2025 Legislative Programme.
EU Data Regulation Bill
This Bill will designate the National Competent Authorities responsible for implementing and enforcing the EU Data Act (Regulation (EU) 2023/2854) and will provide for penalties for non-compliance. It will also provide for a levy in respect of ComReg’s regulatory role.
The EU Data Act creates a harmonised framework on fair access and use of data and clarifies who can create value from data and under which conditions, to ensure fairness amongst actors in the data economy. It entered into force on 11 January 2024 and applies from 12 September 2025. Although the Act is directly applicable as an EU regulation, it will still require substantial transposition, in particular due to Member States being obliged to establish a penalties framework for infringement.
Latest stage: Heads were in preparation. Listed for priority drafting in the Spring 2025 Legislative Programme.
Copyright and Related Rights (Amendment) Bill
The purpose of this bill is to encompass the necessary amendments to the Copyright and Related Rights Act 2000 (as amended) following a CJEU judgment in Case C-265/19 in September 2020 and subsequent High Court judgment, [2021] IEHC 22, in February 2021.
Latest stage: Heads of bill approved in July 2024. Listed for priority publication in the Spring 2025 Legislative Programme.
Regulation of Artificial Intelligence Bill
This bill aims to give further effect to the EU Regulation 2024/1689 (EU AI Act) laying down harmonised rules on artificial intelligence. The bill will designate the National Competent Authorities responsible for implementing and enforcing the EU regulation and will provide for penalties for non-compliance.
Latest stage: Heads in preparation. Listed as “all other legislation” in the Spring 2025 Legislative Programme.
Communications Regulation and Digital Hub Development Agency (Amendment) Bill
The purpose of this bill is to address the use of in-contract price increase clauses by electronic communications service providers to increase prices.
Latest stage: Heads in preparation. Listed as "all other legislation" in the Spring 2025 Legislative Programme.
Gigabit Infrastructure Bill
This bill provides national standing for several provisions of Regulation (EU) 2024/1309 (Gigabit Infrastructure Act) including to designate a Dispute Settlement Body and to provide for exemptions to certain provisions.
Latest stage: Work is underway. Listed as "all other legislation" in the Spring 2025 Legislative Programme.
EU DIRECTIVES AWAITING IMPLEMENTATION (TRANSPOSITION)
NIS2: Directive on Measures for a High Common Level of Cybersecurity across the Union
Date published: 27 December 2022
This proposed revision to the Network and Information Security Directive (Directive (EU) 2016/1148) ("NIS2") will strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce stricter enforcement requirements, including harmonised sanctions across the EU to address the growing threats posed by digitalisation and the surge in cyber-attacks. Once adopted, it will replace Directive 2016/1148.
Transposition date: 17 October 2024. The European Commission adopted the first EU implementing rules on cybersecurity of critical entities and networks under the NIS2 Directive on 17 October 2024. The implementing regulation will be published in the Official Journal in due course and enter into force 20 days thereafter. The National Cyber Security Bill that will transpose NIS2 into national law is listed for priority publication on the Spring 2025 Legislative Programme.
EU REGULATIONS
EU Data Act
Procedure reference: 2022/0047/COD
Date published: 23 February 2022
The EU Data Act (Regulation (EU) 2023/2854) aims to increase legal certainty for consumers and businesses to access data generated by the products or related services they own, rent or lease. It will maximise the value of data in the economy and establish fairness by putting in place rules on the use of data created by Internet of Things (“IOT”) devices and related services.
Latest stage: Published in the EU Official Journal on 13 December 2023, and entered into force on 11 January 2024. It will apply from 12 September 2025. The Spring 2025 Legislative Programme notes that the heads of the EU Data Regulation Bill, which will further implement this act, in particular by providing for penalties for infringement, are currently under preparation.
Digital Operational Resilience Act ("DORA")
Date published: 27 December 2022
The Digital Operational Resilience Act (‘DORA’) (Regulation (EU) 2022/2554) is designed to consolidate and upgrade Information and Communications Technology ("ICT") risk requirements throughout the financial sector to ensure that all participants of the financial system are subject to a common set of standards to mitigate ICT risks for their operations. DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. It will also introduce an oversight framework for critical ICT third party providers, including cloud service providers.
Latest stage: Published in the EU Official Journal on 28 December 2022, and entered into force on 16 January 2023. It applied from 17 January 2025.
EU Digital Services Act ("DSA")
Date published: 27 October 2022
The DSA (Regulation (EU) 2022/2065) is one of two legislative initiatives announced by the Commission as part of the European Digital Strategy, “Shaping Europe’s Digital Future”, announced in December 2020, which aims to upgrade the rules governing digital services in Europe. It is intended to update the eCommerce Directive and regulate the provision of digital services by: (i) online intermediaries; (ii) hosting services; (iii) online platforms; and (iv) very large online platforms (“VLOPs”) and very large online search engines ("VLOEs") ie, online platforms and search engines that reach 45 million or more average monthly users in Europe.
Latest stage: Entered into force on 16 November 2022. It applied from 17 February 2024, except for certain provisions applicable to VLOPs and VLOEs. The DSA started applying to VLOPs and VLOEs four months after their designation as same by the European Commission (ie since the end of August 2023).
The Irish Government has also published a Digital Services Act 2024, which came into effect on 17 February 2024. The act provides for the implementation of supervision and enforcement provisions of the DSA in Ireland. In particular, it designates Coimisiún na Meán as Ireland's Digital Services Coordinator. Coimisiún na Meán shall therefore be responsible for all matters relating to the supervision and enforcement of the DSA in Ireland, and for ensuring coordination at national level in respect of those matters. The Act also designates the Competition and Consumer Protection Commission ("CCPC") as the competent authority for the purposes of Articles 30 to 32 of the DSA, which relate to the supervision and enforcement of online marketplace obligations.
Data Governance Act
Date published: 3 June 2022
The purpose of the Data Governance Act (Regulation (EU) 2022/868) is to establish a framework to facilitate general and sector-specific data-sharing (including data of public bodies, private companies and citizens). The regulation provides for:
- A reuse regime for certain categories of public sector data
- A framework for data intermediation services which aims to establish commercial relationships for the purposes of data sharing between data subjects, data holders and data users
- Contribution to data altruism and the creation of common safeguards to increase trust in recognised data altruism organisations
The Data Governance Act has been given effect in Ireland by SI No. 272/2024 EU (European Data Governance Act) Regulations 2024 and SI No. 734/2024 EU (European Data Governance Act) (No. 2) Regulations 2024. In particular, they seek to establish a framework for the sharing of "categories of protected data" held by public bodies as set out in Chapter 2 of the Data Governance Act.
Latest stage: Published in the EU Official Journal on 3 June 2022, and entered into force on 23 June 2022. It applied from 24 September 2023.
Digital Markets Act ("DMA")
Date published: 15 December 2020
The DMA (Regulation (EU) 2022/1925) is part of the European Digital Strategy, “Shaping Europe’s Digital Future”, announced in December 2020 which aims to upgrade the rules governing digital services in Europe. This regulation will create harmonised rules defining and prohibiting certain unfair practices by “gatekeeper” platforms (providers of core platform services) and introduces a new competition tool to deal with structural competition problems across markets which cannot be tackled or addressed using existing competition rules. The measures include new powers for the Commission to conduct market investigations.
Latest stage: Published in the EU Official Journal on 12 October 2022, and entered into force on 1 November 2022. Most of the DMA provisions applied as of 2 May 2023.
Artificial Intelligence Act
Procedure reference: 2021/0106 (COD)
Date published: 21 April 2021
The Artificial Intelligence (“AI”) Act establishes a common regulatory and legal framework for AI within the EU. In proposing a regulatory framework on AI, the Commission has identified the following specific objectives:
- to ensure that AI systems placed and used on the EU market are safe and respect existing law on fundamental rights and EU values;
- to ensure legal certainty to facilitate investment and innovation in AI;
- to enhance governance and effective enforcement of existing law on fundamental rights and safety requirements applicable to AI systems; and
- to facilitate the development of a single market for lawful, safe and trustworthy AI applications and prevent market fragmentation.
While acknowledging that AI is a fast-evolving and strategic technology with tremendous opportunities, the Commission believes that some uses of AI pose specific significant risks to the application of various EU rules designed to protect fundamental rights, ensure safety and attribute liability.
Latest stage: The final act, signed by co-legislators on 13 June 2024, was published on 12 July 2024 in the EU Official Journal. The regulation entered into force on 1 August 2024. It will be fully applicable from 2 August 2026, subject to certain exceptions, including the rules on prohibited AI systems (which applied from 2 February 2025); general-purpose AI rules (2 August 2025); and obligations for high-risk AI systems as part of safety components in regulated products (2 August 2027).
EU Cyber Resilience Act
Procedure reference: 2022/0272/COD
Date published: 15 September 2022
The EU Cyber Resilience Act introduces cybersecurity requirements for products with digital elements with a view to ensuring that products, such as connected home cameras, fridges, TVs, and toys, are safe before they are placed on the market. It aims to bolster cybersecurity rules to ensure more secure hardware and software products.
The Act aims to ensure better protection for consumers by increasing the responsibility of manufacturers, obliging them to provide security support and software updates, and by providing consumers with information about the cybersecurity of the products they buy and use. The Act provides a single set of rules for cybersecurity for companies in the EU. It aims to decrease the number of cybersecurity incidents, increase the transparency and trust of consumers, and better protect their data and privacy.
Latest stage: The final act, signed by co-legislators on 23 October 2024, was published on 20 November 2024 in the Official Journal of the European Union. The Act shall apply from 11 December 2027 with some provisions applying at an earlier stage on 11 June 2026 and 11 September 2026.
EU DRAFT LEGISLATION
ePrivacy Regulation
Procedure reference: 2017/0003 (COD)
Date published: 10 January 2017
This proposal forms part of the EU Digital Single Market Strategy. The proposed regulation has been amended on a number of occasions. An update to the 2002 Marketing ePrivacy Directive was seen as necessary to address new technological and market developments as well as the emergence of new techniques for tracking users’ online behaviour. The proposed ePrivacy Regulation will repeal the 2002 ePrivacy Directive and will complement the GDPR.
Latest stage: On 11 February 2025, the European Commission published its 2025 Work Programme, announcing plans to withdraw the proposed regulation as no agreement is expected from the co-legislators. The European Commission noted that the proposal is outdated in view of some recent legislation in both the technical and legislative landscape.
AI Liability Directive
Procedure reference: 2022/0303/COD
Date published: 28 September 2022
The purpose of this directive is to address shortcomings in liability rules where AI systems are used, setting out standardised rules for access to information and easing the burden of proof in relation to AI claims.
Current liability rules, particularly fault-based rules, are not suitable for handling AI liability claims. Because of the complex nature of AI, specifically the so-called "black box" effect, it is difficult for victims to successfully prove the requirements for their claims. To help claimants overcome the challenges in establishing a causal link between fault, based on non-compliance with duty of care requirements, and output by AI systems, a 'presumption of causality' is introduced in the proposal. The presumption is rebuttable however and claimants are required to meet a number of conditions such as demonstrating that the output produced by the AI system gave rise to the damage in question. In cases where high-risk AI is involved, claimants will also have a right of access to information from companies.
Latest stage: On 11 February 2025, the European Commission published its 2025 Work Programme, announcing plans to withdraw the proposed regulation as no agreement is expected from the co-legislators. The European Commission will assess whether another proposal should be tabled or another type of approach should be chosen.