Technology & Innovation
"Matheson's advice is always commercial and pragmatic. The team understands our business model, priorities and risk tolerance and provides advice to us accordingly."
Information Technology: Chambers Europe 2025
Circuit Court Dismisses Non-material Loss Claim
The Circuit Court in Walsh v Irish Prison Service [2025] IECC 8, delivered a significant decision concerning compensation for non-material damage under the GDPR in Ireland. The decision shows consistency in the court’s approach, reaffirming the now well-established principle that mere infringements of the GDPR will not give rise to compensation in themselves, and that “mere upset” alone is not compensable.
In this article, we dive more deeply into the background, key issues considered and key takeaways from this decision.
AG Clarifies when a DSAR Constitutes an Abuse of GDPR Rights
Advocate General (“AG”) Spunzar, recently delivered a significant opinion on when a data subject access request (“DSAR”) may be deemed to be an abuse of one’s data protection rights and “excessive” under Article 12(5) GDPR. The Opinion provides some further clarity in regard to the limits to the exercise of the right of access under Article 15 GDPR, and the right to compensation under Article 82 GDPR, where these rights are invoked in an abusive manner. The AG opined that the mere fact that a person has made similar claims for damages for GDPR infringements in the past is not, in itself, sufficient to prove abusive intent.
It is important to note that the draft Digital Omnibus Regulation 2025/0360 proposes amending Article 12(5) GDPR to further clarify when a DSAR constitutes an abuse of data protection law.
You can read more about this Opinion, including further details on the implications for businesses dealing with DSARs here.
CJEU Clarifies Direct Marketing Rules under ePrivacy Directive
In Inteligo Media SA v ANSPDCP (c-654/23), the CJEU clarified the rules on direct marketing to customers. The CJEU considered the exception to the requirement to obtain consent where the organisation obtains the individual’s email address ”in the context of the sale of a product or service” under the ePrivacy Directive. It confirmed that that the term “sale” does not necessarily require direct remuneration for a good or a service, and that indirect remuneration may suffice. The CJEU found that a free newsletter qualifies as “direct marketing”, that creation of a free account may constitute a “sale” and that no separate legal GDPR legal basis is required where ePrivacy rules apply.
Further commentary on this decision is available here.
GDPR Liability of Online Marketplaces for User-Published Advertisements
In X v Russmedia and Inform Media Press (Case C-492/23) , the CJEU confirmed that the operator of an online marketplace cannot invoke the liability exemptions under the eCommerce Directive (now set out in the Digital Services Act) to evade their GDPR obligations. The CJEU held that the operator of an online marketplace may act as a ‘controller’ under the GDPR in respect of the processing of personal data contained in user-posted advertisements published on their platform, and must comply with their data protection obligations in respect of such publication.
We consider the CJEU decision in more detail here.
New National Cyber Risk Assessment and SME Cyber Resilience Report Published
In advance of the transposition of the NIS2 Directive in Ireland, the National Cyber Security Centre published its 2025 National Cyber Risk Assessment (“2025 NCRA”). Additionally, Munster Technological University published a report on the Cyber Resilience of Small and Medium Enterprises, in conjunction with the NCSC (the “Report“). The 2025 NCRA provides a strategic overview of the systemic cyber risks facing Ireland’s critical national infrastructure and the broader ecosystem of supply chains which underpin same.
We examine the key highlights of the 2025 NCRA and the Report, as well as their implications for Irish businesses in this article.
World Data Protection Day 2026
In this briefing note, our Technology and Innovation Group discuss some of the most important data protection-related developments from 2025.
