← News
PT

Ireland's Data Protection Landscape: Key Developments in March 2026

The past week has brought significant developments in Ireland's data protection sphere, with a landmark CJEU ruling on access requests, concerning survey findings about breach reporting, and proposed government action on passenger data security.

CJEU Sets Strict Standards for Refusing "Abusive" Data Access Requests

In a pivotal judgment on March 19, 2026 (Brillen Rottler GmbH & Co. KG v TC, Case C-526/24), the Court of Justice of the European Union clarified when companies can refuse data subject access requests (DSARs) under Article 15 GDPR. The case involved an individual who allegedly submitted multiple DSARs to different companies seeking compensation rather than genuine data protection concerns.

The CJEU ruled that even a first-time request can be deemed "excessive" under Article 12(5) GDPR if controllers prove abusive intent—though this exception must be applied strictly. Factors indicating abuse include:

  • Whether data was voluntarily provided
  • The stated purpose of data sharing
  • The timing between data submission and the request
  • Evidence of systematic DSAR submissions for compensation

Crucially, the Court confirmed that wrongful refusal of an access request can lead to damages under Article 82(1) GDPR. However, no compensation is due if the data subject's own conduct—such as deliberately creating conditions for a claim—was the primary cause of harm.

Survey Reveals Persistent Underreporting of Data Breaches

A Compliance Institute survey published on March 24, 2026, found that 51% of Irish compliance professionals suspect data breaches go unreported in their organizations. Of 150 respondents (mainly from financial services):

  • 19% believe "many" breaches are unreported
  • 32% think "a few" slip through
  • 26% cite fear of personal accountability as the top reason
  • 22% blame concerns over brand reputation

While the figure has improved since 2023 (when 65% suspected underreporting), CEO Michael Kavanagh warned that even robust compliance cultures face reporting gaps, urging continued vigilance.

Ireland Moves to Strengthen Air Passenger Data Rules

On March 25, 2026, the Irish government announced plans to close a "security gap" in air passenger data (PNR) handling. Proposed legislative changes will expand the use of PNR data for intra-EU flights, aligning with risk-based counterterrorism measures. The move aims to enhance law enforcement capabilities while ensuring GDPR compliance.

Conclusion

From judicial guidance on DSARs to real-world compliance challenges and legislative updates, Ireland remains at the forefront of data protection debates. Organizations must balance GDPR obligations with legitimate concerns about abuse—while regulators push for greater transparency in breach reporting.