Irish Chapter Of Digital Business 2024

1.1 What are the key e-commerce legal requirements that apply to B2B e-commerce in your jurisdiction (and which do not apply to non-e-commerce business)? Please include any requirements to register, as well as a summary of legal obligations specific to B2B e-commerce.

B2B e-commerce in Ireland is treated very much the same as non-e-commerce B2B business and much of the same legislation will apply. The Sale of Goods Act 1893 and Sale of Goods and Supply of Services Act 1980 is the basic legislation covering either type of transaction. These cover buyer's rights in terms of merchantable quality, right to free possession and the like.

However, there are some laws that apply particularly to e-commerce transactions. These are a mix of directly applicable EU law and Irish implementations of EU legislation, including:

1. The Electronic Commerce Act 2000, which regulates the manner in which business is to be conducted online and introduced electronic signatures.
2. The European Communities (Directive 2000/31/EC) Regulations 2003 (E-Commerce Regulations) further governs the use of online contracts.
3. The Eidas Regulation ((EU) 910/2014) regulates electronic signatures and electronic transactions, to provide a safe way for conducting business online.
4. The General Data Protection Regulation ((EU) 679/2016) (GDPR) applies as does the Data Protection Act 2018, which transposes EU provisions into Irish law.
5. Ireland is also subject to the Geo Blocking Regulation ((EU) 2018/302), under which a trader may not restrict access to its website using geo-factors such as location or IP address.
6. The European Union (Copyright and Related Rights in the Digital Single Market) Regulations 2021 transposed the Copyright Directive (EU) 2019/790 into Irish law. The Regulations intend to make copyright fit for the digital age. They give content creators new rights to be rewarded for their efforts through licensing arrangements with information society service providers (ISSPs). They impose new responsibilities on ISSPs and other platform providers to negotiate those licences fairly. These Regulations also oblige them to prevent infringing content appearing in their services or on their platforms.
7. The Consumer Protection Act 2022 (CPA22) is discussed at question 1.2 below and applies to e-commerce businesses.
8. The online safety and digital services legislation referred to in question 1.3 below will also apply to relevant e-commerce businesses in Ireland.

There is no registration required in Ireland to conduct an e-commerce business, though it would be wise to register the business name under which it is trading with the Companies' Registration Office. See also question 11.2 for the regulations applicable to online payment providers.

1.2 What are the key e-commerce legal requirements that apply to B2C e-commerce in your jurisdiction (and which do not apply to non-e-commerce business)? Please include any requirements to register, as well as a summary of legal obligations specific to B2C e-commerce.

The legislation described in question 1.1 also applies to B2C e-commerce transactions; however, there are also additional legal provisions designed to protect consumers, including:

1. The Consumer Protection Act 2007 (CPA) provides general protection for consumers in transacting through e-commerce or offline. These include provisions prohibiting a trader from making false claims about a product or service. It also prohibits misleading advertising. In all, the Act lists 32 practices that are prohibited, backed up by a series of fines and other enforcement measures.
2. The European Union (Consumer Information, Cancellation and Other Rights) Regulations 2013 implemented Directive 2011/83/EU (the Consumer Rights Directive) in Ireland. It governs so-called "distance contracts". The Regulations provide consumers with a 14-day "cooling off period" during which they can change their mind and cancel a purchase (with limited exceptions, such as for perishables and digital products). Goods must be delivered within 30 days. A trader cannot force a consumer to use a premium rate phone number in connection with his/her purchase. In addition, the Regulations set out certain information that a trader must provide to a consumer, such as a full description of the goods, the total price, including any taxes and certain information required to identify the trader.
3. The European Communities (Unfair Terms in Consumer Contracts) Regulations 1995 (as amended) introduced a test of fairness for consumer contracts. They require that standard terms be written in plain and understandable language. The Regulations list certain terms that may be considered unfair, for example, terms that provide for an automatic renewal of a contract without the consumer's agreement.
4. The European Communities (Certain Aspects of the Sale of Consumer Goods and Associated Guarantees) Regulations 2003 further strengthened consumers' rights. They stipulate that goods must comply with their description and provide for repair and replace remedies where that is not the case.
5. The Consumer Protection (Gift Vouchers) Act 2019 introduced a minimum five-year validity period for most gift vouchers.
6. The e-Privacy Regulations 2011 introduced regulation around direct marketing communications and the application of privacy laws to such communications.
7. The Consumer Insurance Contracts Act 2019 introduced specific requirements for insurance contracts with consumers (note for the purposes of this Act, "consumer" also includes small businesses with an annual turnover of less than €3 million).
8. The Consumer Rights Act 2022 (CRA) was commenced in November 2022 and, among other things, transposes the provisions of the Enforcement and Modernisation Directive (EU) 2019/2161 into Irish law. Highlights include the introduction of GDPR-type fines and the amendment of some existing, but quite old, EU Directives aimed at protecting consumer rights, such as the Unfair Contract Terms Directive (93/13/EEC) and the Consumer Rights Directive (2011/83/EU). The aim of the CRA is to put purchasers and subscribers of digital products and streaming services on a par with purchasers of more traditional goods and services. New digital rights include greater rights and remedies for consumers, including the right to a full refund, exchange or repair when goods or services are not as described or not fit for purpose. Another benefit for consumers from the CRA is increased transparency obligations for traders and platforms. For example, in search results and rankings, paid-for advertising and rankings must now be disclosed. There is a ban on seeking or submitting fake reviews, and submitted reviews must be verified to a reasonable extent. Any personalised pricing (based on automated decision-making) has to be disclosed.
9. The Consumer Protection (Regulation of Retail Credit and Credit Servicing Firms) Act 2022 (S.I. No. 229 of 2022) implements most of the provisions of the Tutty Report on personal contract plans and brings providers of "buy now pay later services" within the regulation of the Central Bank of Ireland (CBI) as "retail credit firms".
10. In March 2024, the European Parliament approved a new Directive on Liability for Defective Products,¹ which is intended to replace the existing Directive that was adopted into Irish law in 1991. The new Directive aims to update product liability rules to reflect the rise of digital business, reflect the circular economy model currently being adopted and reduce the burden of proof on consumers seeking to make claims. This Directive is currently at consultation stage. Once formally approved by the European Council and signed into law, the Directive will apply to products placed on the market 24 months after it comes into force.
11. In July 2023, the Irish Government signed the Representative Actions for the Protection of the Collective Interests of Consumers Act 2023 into law (on foot of an EU Directive). This Act aims to introduce a new approach to litigation where a group of consumers can be represented by a "Qualified Entity" in a "representative action" against a trader. This will operate as a type of class action suit for consumers in the High Court if enacted in its current form and will have substantial impact on the potential claims that a B2C digital trader may face once enacted.

1.3 Please explain briefly how the EU's Digital Services Act and Digital Markets Act and/or equivalent local legislation, such as the UK's Online Safety Act and Digital Markets, Competition and Consumers Bill, may affect digital business in your jurisdiction.

Digital Services Act

The Irish Digital Services Act 2024 (DSA) was signed into law in Ireland earlier this year and became fully operative on 17 February 2024. The EU Regulation² on which it is based requires that a Digital Services Co-Ordinator (DSC) be appointed by each Member State. The Irish Government has appointed the newly formed Coimisiún na Meán (CnM) to this role. CnM is also tasked with overseeing the Online Safety and Media Regulation Act 2022, which has some overlap with the DSA. The Competition and Consumer Protection Commission (CCPC), along with CnM, are designated as competent authorities under the DSA and the DSA provides both entities with certain supervisory and enforcement roles.

CnM has already commenced work in this area, publishing substantial guidance on its role and providing details on how members of the public can make a complaint to them.³ The DSA mainly impacts large technology and intermediary services companies and will be unlikely to impact newly established digital businesses in Ireland. However, if a digital business involves a hosting service, online marketplace or intermediary services (such as internet access providers or domain name registrars), the DSA may apply and a thorough examination of this should be carried out.

Given Ireland is home to the European headquarters of a number of large technology companies and online marketplaces such as Facebook, Instagram and Pinterest, it is expected that Ireland will play an active role in the application of the EU's Digital Services Act and the decisions of CnM will be closely watched across the EU.

Digital Markets Act

The EU's Digital Markets Act (DMA) took effect in early March 2024. Similar to the EU's Digital Services Act, the DMA will have a significant impact on Ireland as it is home to the European headquarters of a number of large technology companies that will fall under the "gatekeeper" classification in the DMA. Smaller businesses operating in Ireland should also be aware of the possibility of being considered an "emerging gatekeeper" and regular assessments on this should be carried out to determine the extent to which a digital business falls within the remit of the DMA.

Whilst the enforcement element of the DMA will be carried out by the European Commission, Ireland may play a role in hearing cases of private parties taking claims against "gatekeepers" for damages as a result of a breach of the DMA, given it is the headquarters of many such "gatekeepers" within the EU. In addition, Ireland is the only English-speaking country within the EU and has what is regarded as a generous discovery regime for litigation. All of these factors may contribute to Ireland playing a central role in the hearing of disputes brought in connection with the DMA.

Member States of the EU can also require their national competition authority to initiate investigations into infringements of the DMA and report these back to the European Commission. This means the CCPC may play an important role in investigating potential breaches of the DMA.

2.1 How has the domestic law been developed in your jurisdiction in the last year?

At the time of writing, the Data Protection Commission (DPC) has yet to issue its Annual Report covering developments and statistics from 2023 and we are therefore dependent on the 2022 Annual Report issued in March 2023 for the latest insight into the DPC's work.⁴

In 2022, the DPC dealt with an increasing number of investigations and accounted for two-thirds of the fines issued across the EU, EEA and UK in 2022.

The DPC received 9,370 new cases in 2022 made up of 6,660 queries and 2,710 complaints (a decrease of 14% from 2021).

The DPC concluded 10,008 cases in 2022 including 3,133 complaints. Most of the queries and complaints received by the DPC were in connection with Data Access Requests but a proportion of these also related to Fair Processing, Direct Marketing and the Right to be Forgotten.

The total number of valid breach notifications received in 2022 was 5,695, a decrease from 2021. As in previous years, unauthorised disclosures of personal data accounted for a high proportion (62%) of complaints. Of these, the most common were unauthorised disclosure to an incorrect postal address or unauthorised disclosure to an incorrect email address. There has also been an increase in e-Privacy breaches following the introduction of the European Union (Electronic Communications Code) Regulations 2022 in Ireland (S.I. No. 444/2022) expanding the range of service providers that are required to notify breaches to the DPC.

In 2022, according to the Annual Report, the DPC concluded 17 large-scale inquiries, a significant increase from 2021. Based on the DPC website it appears a similar number of large-scale inquiries took place in 2023. In 2023, these included very high-profile inquiries into Meta (the parent company of Facebook and Instagram), TikTok, Microsoft and Airbnb, which resulted in significant fines being payable by these companies. Given Ireland's position as European headquarters for a number of large tech companies, the DPC is in a unique position in addressing alleged breaches of the GDPR.

The DPC is the Lead Supervisory Authority for a number of multinationals, and under the "One-Stop Shop" (OSS) system set out in the GDPR. Between 2018 and 30 September 2023, the DPC received 1,604 valid cross-border processing complaints.⁵ Of the complaints where Ireland acted as Lead Supervisory Authority, 79% have been concluded; this is a continual increase and the figure for April 2023 was 75%.

The DPC continued to be involved with assistance requests from other EU data protection supervisory bodies.

The introduction of the DSA and DMA (as set out in question 1.3 above) are of key importance to the DPC.

2.2 What privacy challenges are organisations facing when it comes to fintech, retail, AI and digital health?

Fintech

Given Ireland is home to some of the world's largest tech giants, it is no surprise there is a large amount of interest and investment in fintech in Ireland. This is evidenced by the Irish Government naming fintech and digital finance as one of its priorities in the "Ireland for Finance Action Plan 2021".^6,7 This plan proposes that a national fintech steering group be established and nominates Enterprise Ireland as the body responsible to roll out a new pre-seed funding offer for Irish fintech start-ups.

Now more than ever, the use of personal data is a key consideration for customers and as such, fintech companies should be investing in cybersecurity products and training given that the majority of data breaches remain the result of human error.

Privacy challenges faced by fintech companies are not dissimilar to those in other industries. However, one key area where they may be ahead is the drive to use biometric data to increase security. Biometric data is regarded as "special category data" under Article 9 of the GDPR (section 2/45 DPA). As such, it would require the explicit consent of the data subject before it can be processed.

The systems for deploying biometric data would need to be developed on the basis of "privacy by design" set out in Article 25 of the GDPR (section 76 DPA), which requires embedding data privacy features and data privacy-enhancing technologies directly into the design of projects at an early stage.

It is also likely that a Data Protection Impact Assessment would need to be carried out and documented under Article 35 of the GDPR (section 84 DPA) to analyse the risks involved for a data subject's rights and to determine whether a deployment could go ahead based on the benefits involved.

In addition to the GDPR, the EU's AI Act will have to be considered before utilising any AI biometric products.

Many fintech companies operating in Ireland are part of much bigger international organisations and they face the challenge of ensuring that any transfers of data outside of the jurisdiction meet the requirements for international transfers under Chapter 5 of the GDPR (Chapter 5 DPA). New blockchain technologies may also pose bigger challenges in the future as they are developed.

Retail

The DPC's continued focus on the use of cookies will challenge retailers to ensure that their cookie policies and cookie banners do not fall foul of the DPC guidelines. Many retailers have a long way to go in this regard.

As a result of the COVID-19 pandemic, there was an explosion in online shopping in Ireland, which continues to grow. For example, many retailers who previously did not have transactional websites have introduced them. There has been a consequent need to introduce appropriate privacy policies and deal with the security issues that come with accepting and storing credit card details and the like.

Brexit continues to bring its own problems for British retailers who target the Irish market. If they do not have a presence in Ireland or another Member State of the EU, then as a result of Brexit, they are obliged under Article 27 of the GDPR to appoint a representative for GDPR compliance purposes inside the EU.

AI

2023 saw AI become a key topic for discussion given the rise in popularity of generative AI models that are available to the public such as ChatGPT. 2023 also saw the AI Act progress to the final stages of approval, with it being approved by an overwhelming majority of MEPs on 13 March 2024.⁸ This means the AI Act will proceed to become law across the EU in mid-2024 despite concerns from various stakeholders on the impact the AI Act may have on the development of AI-based technologies in the EU.

This legislation will have a direct effect in Ireland and prohibits certain AI systems (including social scoring and emotion detection AI systems). The AI Act also seeks to regulate, in particular, the development of "high-risk" AI systems as well as introduce certain protections for users of general purpose AI models and the owners of copyrighted materials that may be trained to use AI.

Once fully enacted, significant fines will apply to entities found in breach of the AI Act with the maximum fine being €35 million or up to 7% of a company's total worldwide annual turnover for the preceding financial year, whichever is higher. The formal publication of the AI Act will be a significant legislative development in 2024.

The European Commission also intends to publish practical guidelines on the implementation of the AI Act this year.

Notwithstanding the enactment of the AI Act, there are at least two requirements of the GDPR that will continue to be regularly applicable when using AI.

The first is Article 25 of the GDPR (section 76 DPA), which obliges a controller to build privacy by design and default into any new systems.

The second is Article 35 (section 84 DPA), which states that where a type of processing uses new technologies likely to result in a high risk to the rights and freedoms of people, the controller must carry out a risk assessment. In particular, for instances of automated processing on which decisions are based that produce legal effects, a Data Protection Impact Assessment (DPIA) must be conducted.

In deploying an AI system, a company will also have obligations pursuant to Article 22 (sections 57/89 DPA) and the European Data Protection Advisory Board's guidance to explain the logic behind an automated processing system. In terms of transparency, a controller will need to explain its processing anyway. Where the machine itself is making the rules, that may be difficult.

The fact that a machine may make decisions without human involvement may make any need to obtain specific consent much more difficult, unless of course that too is built into the algorithm.

Digital health

In May 2021, the Health Service Executive (HSE), Ireland's equivalent of the UK's NHS, suffered a devastating ransomware attack. It affected the personal records of almost 5 million people and severely reduced the HSE's ability to provide critical care for a substantial period, having to rebuild systems from scratch. This is one example of the serious impact such attacks can have in Ireland.

This called into question the readiness of Irish state institutions to withstand a cyber-attack, and in response the Irish Government undertook to invest more in cybersecurity technology.

A recent report issued by Hiscox,⁹ which includes companies from across the globe, indicates that Ireland is one of the most vulnerable countries to a cyber-attack and over 70% of Irish companies were hit by at least one cyber-attack over the 12 month period included in the report. The median cost of a cyber-attack to an Irish business is €9,600 according to the same report.

As Ireland's health system continues to adopt more technological solutions and moves further away from an unconnected and manual approach, it will face the same challenges as other industries in terms of cybersecurity and protection of information that is now stored in the cloud.

New digital technologies that allow for remote patient monitoring, consultations by video link, and real-time data being obtained from medical devices and wearables, with the ensuing increase in the volume of data, will undoubtedly provide more privacy and security challenges, including the use of AI in healthcare, which will require a high level of oversight.

Stakeholders in the digital health industry, whether controllers or processors, will need to continually review their internal procedures, training and technology to ensure that they can meet the demands of an explosion of data and data sources.

However, the HSE attack was a wake-up call for Ireland, and the National Cyber Security Centre (NCSC) doubled its staff quickly to 45 with plans to reach 70 by 2026.¹⁰ Ireland now has a National Cyber Emergency Response plan for future attacks and indeed advises other countries on their preparedness for similar attacks.¹¹

2.3 What support are the government and privacy regulators providing to organisations to facilitate the testing and development of fintech, retail, AI and digital health?

Fintech

The Irish Government updated its International Financial Services Strategy for 2022–2025 (IFS2025)¹² in September 2023. IFS2025 aims to further develop the international financial services sector in Ireland. One of the four pillars of IFS2025 centres around technology and innovation, which aims to aid the development of fintech. For example, a new Fintech Foresight Group was set up and new MSc programmes in fintech innovation will be delivered in certain third level institutions, which will enhance the growing footprint of financial service organisations and bring talent into the pipeline.

Retail

Enterprise Ireland operates the Online Retail Scheme.¹³ The purpose of this Scheme is to enable Irish-owned retailers to enhance their digital capability and to develop a more competitive online offer. Grants of up to €25,000 or 50% of project costs are made available to help small retailers develop a sophisticated and transactional online presence. This is to include research, consultancy costs for strategy development, implementation and training.

AI

Ireland continues to be very active in encouraging the indigenous development of AI technologies and its use across industry and the public sector.

In July 2021, Ireland launched the first National AI Strategy – "AI – Here for Good"¹⁴ ("AI Strategy"), which aims to put all necessary enablers in place to leverage the benefits of AI. The establishment of AI testbeds and experimentation facilities is one of the many changes envisaged by IFS2025. For example, ICON PLC, the Nasdaq quoted company with a base in Ireland, secured €4 million from Enterprise Ireland to conduct research and development (R&D) for the purpose of enhancing digital health technology and data analytics solutions.

As part of the AI Strategy, Ireland, among other initiatives: appointed its first AI Ambassador (Dr Patricia Scanlon) in 2022; established the Enterprise Digital Advisory Forum to focus on industry adoption of AI; established an AI Innovation Hub (CeADAR) to provide services such as specialist training and project feasibility work in particular to small and medium-sized enterprises (SMEs); and joined the Global Partnership on AI, a multi-stakeholder initiative originating in the Organisation for Economic Co-operation and Development (OECD).

In July 2023, the National Standards Authority of Ireland launched Ireland's Artificial Intelligence Standards and Assurance Roadmap. Its purpose is to set out a clear path for the expansion of Ireland's international leadership role in AI Standards development, and will form a key part of the country's readiness initiatives to successfully implement the AI Act.

In January 2024 the Government launched the Artificial Intelligence Advisory Council to provide independent expert advice to Government on AI policy. Its members were recruited to represent a spectrum of experience and expertise from academia, business, law, security, social sciences, economics and civil society.

Digital health

Ireland is already home to 195 companies engaging in digital health, 450+ MedTech companies including nine of the top 10, 100+ pharma companies including 10 of the top 10 and 900+ tech companies including 16 of the top 20.¹⁵

The Irish Minister for Health stated in January 2024 that (as part of the Government's commitment to support eHealth), a new digital health strategy for Ireland (Digital Health Strategic Framework (2024–2030)) is currently being finalised by the Department of Health. It will set out a shared vision and guide a clear roadmap for investment in digital health, including delivery of digital patient records. The framework is to be supported by rolling delivery plans developed by the Health Service Executive (HSE, Ireland's equivalent of the UK's NHS) to achieve the desired level of accelerated digitalisation of health and social care services in future years.

General

In respect of regulators, the DPC, in its Regulatory Strategy for the years 2022–2027,¹⁶stated that guidance and engagement with organisations was crucial to drive accountability and promote the culture of data protection compliance more generally. To this end, it intends to promote a cultural shift toward compliance by extensive engagement with stakeholders, so that data protection rights are upheld as a matter of normal business practice.

In February 2022, the Irish Government launched its new national digital strategy, "Harnessing Digital – The Digital Ireland Framework",¹⁷ to drive and enable the digital transition across the Irish economy and society. This was last updated in March 2024.

Though high level, the strategy declares its aim as supporting Ireland's ambition to be a digital leader at the heart of European and global digital developments; it places a strong emphasis on inclusiveness, security and safety, underpinned by strong governance and a well-resourced regulatory framework.

3.1 Please provide details of any cybersecurity frameworks applicable to e-commerce businesses.

There are a number of international standards applicable to e-commerce that also operate in Ireland:

• PCI DSS (Payment Card Industry Data Security Standard): This sets out a widely accepted international set of security controls that was established to help businesses safely process credit card, debit card, and cash card transactions. The standards are applicable to any businesses that store, process or transmit cardholder data.
• Payment Services Regulations 2018 (S.I. No. 6/2018 – European Union (Payment Services) Regulations 2018): This implemented the revised Payment Services Directive – Directive on payment services in the internal market (EU) 2015/2366 (PSD2). For further details, see question 11.1.
• ISO 27001/27032 (International Organization for Standardization): This sets out the specification for an information security management system. This is seen as the "gold standard". Its best-practice approach helps organisations manage their information security by addressing people and processes as well as technology. It is mostly for large organisations, and was developed to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.
• The National Institute of Standards and Technology (NIST) is a common framework, which is more direct than the ISO specification set out above and involves a practical structure for organising cyber security comprising of five key elements: identify, protect, detect, respond and recover.¹⁸

3.2 Please provide details of other cybersecurity legislation in your jurisdiction. If there is any, how is that enforced?

The Criminal Justice (Offences Relating to Information Systems) Act 2017

This piece of legislation sets out essentially five types of hacking or cyber-crime offences. These are:

1. accessing an information system without lawful authority;
2. interference with an information system without lawful authority;
3. interference with data without lawful authority;
4. intercepting the transmission of data without lawful authority; and
5. use of a computer program, password, code or data for any of the above.

The GDPR/Data Protection Act 2018

The Data Protection Act 2018 implemented the GDPR in Ireland and governs how personal data is collected. It requires that businesses keep personal data secure and only permits third parties' access to personal data subject to sufficient guarantees regarding the security of the processing services. Businesses must implement measures that are both technical (e.g., firewalls, anti-virus programs, perimeter scanning tools) and organisational (e.g., policies and procedures that must be followed by personnel regarding cybersecurity) to safeguard personal data. Businesses are required to protect against unauthorised or unlawful use of personal data and against loss, destruction and damage of the same.

Article 32 GDPR (section 72 DPA) requires controllers and processors to implement technical and organisational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data.

The e-Privacy Regulations (S.I. No. 336/2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011)

The e-Privacy Regulations govern the use of electronic communications. In particular, they set out the rules applicable to marketing emails, texts and phone calls; they also govern the use of cookies. However, note that the consent required for the use of cookies has now changed to a GDPR standard (see question 2.1 above). In addition, they also cover the security of public electronic communications services and data privacy.

A new EU e-Privacy Regulation has been under discussion for a number of years now, but at the time of writing is still in draft form. It will be broader in scope than the current regime, applying to all communications service providers including instant messaging apps.

The NISD Regulations (the European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018)

The NISD Regulations implement the Security of Network and Information Systems Directive 2016/1148/EU in Ireland. This sets out to harmonise cybersecurity measures for operators of "essential services" (such as businesses in the energy, transport and/or health sector) and "digital service providers" (such as cloud service providers and providers of online marketplaces) that offer services to individuals. Businesses subject to the NISD Regulations are required to implement appropriate and proportionate measures to manage risks posed to network and information systems and to prevent, and minimise the impact of, incidents affecting the security of the network and information systems.

The NIS2 Regulations (Directive (EU) 2022/2555) (NIS2) came into force in January 2023, expanding the remit of the existing Regulations. Member States have 21 months to transpose NIS2 to their national legislative framework and this timeframe will expire on 17 October 2024. NIS2 applies to a larger group than the original NIS Directive and now includes, among others, manufacturers of certain products and digital services. It also contains more expansive and explicit cybersecurity and reporting requirements than the original Directive.

The Digital Operational Resilience Act (DORA) – Regulation (EU) 2022/2554

DORA was published by the European Commission in early 2023 and will come into effect in Member States from 17 January 2025. This Regulation aims to regulate "operational resilience" in financial institutions across the EU, which will mean that certain rules must be followed in connection with the protection and detection of ICT risks and incidents. This includes extending reporting requirements currently in place for financial institutions.

4.1 What are consumers' attitudes towards e-commerce in your jurisdiction? Do consumers embrace e-commerce and new technologies or does a more cash-friendly consumer attitude still prevail?

In general, Irish people have embraced new technologies and the numbers shopping online continue to grow despite the current pressures on the cost of living. Cost is a big factor driving consumers to shop online according to the recent KPMG Next Gen Retail Survey, which indicates that 54% of people feel it is cheaper to shop online rather than in a physical store.¹⁹ According to a study by the Central Statistics Office, online shopping by Irish consumers has decreased slightly, from 81% of internet users in 2022 to 78% in 2023.²⁰ In addition, a recent survey completed by the Economic and Social Research Institute (ESRI) found that 30% of sales by Irish enterprises are e-commerce sales, a significant increase above the EU average of 20%.²¹ This is driven by a high amount of household internet access and smartphone usage for purchases. With the surge in mobile commerce, retailers are launching mobile apps to expand their reach in the market. Digital Business Ireland (DBI), the not-for-profit representative body for the digital commerce sector recently conducted a survey on e-commerce trends in Ireland that produced some interesting findings, such as:

• E-commerce is more prevalent in rural areas. Research shows a growing preference for e-commerce, largely due to convenience, flexibility and security. Those in rural areas are opting for online shopping more so than those in urban areas. The pandemic paved the way for a rise in the use of e-commerce; even now with physical stores open again, online shopping in certain areas remains the dominant form of commerce.
• Sustainable considerations are not a driving force. Despite the current climate crisis, research suggests that consumer attitudes toward online shopping are not swayed by sustainable living considerations. One in every four (23% of) consumers have never considered sustainability when purchasing goods and services online. Meanwhile, fewer than one in five consumers in Ireland ever consider the sustainability credentials of the businesses they are purchasing from.

Brexit has had a major impact on online shopping in Ireland. Many Irish shoppers would have used sites like Amazon UK to buy goods, but instead now look to sites like Amazon Germany, which has introduced an English language version. There is a requirement on Irish shoppers to pay VAT on goods received from the UK at the same rate as payable in Ireland. Customs duties are also potentially payable if the value of the goods and the category of product requires this (orders must be valued at over €150 for customs duty to apply and many popular goods such as books and computers are not liable for import duty given the categorisation they fall into).

4.2 Do any particular payment methods offer any cultural challenges within your jurisdiction? For example, is there a debit card culture, a direct debit culture, a cash on delivery-type culture?

Ireland has a relatively young population that adapts quickly to change and new opportunities. While cash may have been key for the older generation, even most of those have become comfortable with the use of cards, with cash being the preferred payment method for only 34% of Irish adults in 2023.²² The Access to Cash Billwas published in 2023 requiring Irish businesses to accept cash with the aim of promoting a "financially inclusive" society.

Domestic debit and credit card spending totalled €6.8 billion per month in the first half of 2023 according to the Central Bank of Ireland.²³ The use of contactless card payments continues to grow with 84% of point-of-sale transactions being completed by contactless card payment methods.²⁴ Apple Pay and Google Pay are now also increasingly popular, with digital wallet transactions now being the preferred payment method for 15% of Irish adults.²⁵

According to the most recent data available in a 2020 AIB survey, Apple Pay and Google Pay then accounted for 37% of all in-store transactions by those who are under 25. Customers over the age of 45 were then spending 31% more using their digital wallets. We presume that these figures have increased substantially in the intervening period.

The rise in the use of Revolut has revolutionised the banking sector in Ireland. This will only continue to grow in 2024 as Revolut has introduced loans, car insurance and credit cards. According to an article in Silicon Republic,²⁶ with the exit of KBC and Ulster Bank from the Irish market, it is expected that the use of Revolut as a preferred payment method and banking function will continue to steadily increase here, particularly among young people.

4.3 Do home state retailer websites/e-commerce platforms perform better in other jurisdictions? If so, why?

According to the Irish Central Statistics Office (CSO), more than one-third (35%) of all enterprises in Ireland received orders from customers located in Ireland in 2022, 11% received orders online from countries in the EU (excluding Ireland) and 12% of enterprises received orders from customers located in the rest of the world, which includes the UK. This illustrates that the home state retailers perform better in the home jurisdiction of Ireland rather than further afield.

In a recent survey, Irish consumers surveyed said that they view international retailers as more competitive on price, range and online experience, but they view Irish SME retailers as more reliable and trustworthy.

The DBI Survey found, disturbingly, that in 2022, only 27% of consumers made a conscious effort to purchase from Irish websites online; this is a significant drop from 2020 during the COVID-19 pandemic.

4.4 Do e-commerce firms in your jurisdiction overcome language barriers to successfully sell products/services in other jurisdictions? If so, how and which markets do they typically target and what languages do e-commerce platforms support?

Ireland has a huge technology base with many of the world's largest technology and social media companies having their EMEA headquarters or manufacturing facilities here. Therefore, it is no surprise that companies such as Apple and Microsoft are among Ireland's biggest exporters. Ireland's place as the only English-speaking EU Member State is also helpful in promoting exports to large markets such as the UK and US.

Enterprise Ireland assists companies in their drive into global markets through a range of methods. Language is not seen as a barrier as most Europeans have English as a second language.

4.5 Are there any particular web-interface design concepts that impact on consumers' interactivity? For example, presentation style, imagery, logos, currencies supported, icons, graphical components, colours, language, flags, sounds, metaphors, etc.

There are no particular trends that are unique to Ireland. All website operators are encouraged to make navigation simple and their websites must be mobile-friendly. In April 2023, of the top 10 most popular websites in Ireland, only two, according to a survey by Similarweb, belong to Irish entities, both of which are news websites.

4.6 Has the COVID-19 pandemic had any lasting impact on these cultural norms?

COVID-19 has revolutionised online retail in two ways. Firstly, whilst online shopping was always going to grow in popularity over time, the pandemic accelerated that growth faster than anyone would have predicted. Second, COVID-19 has brought new people into the e-commerce economy who likely would not have participated otherwise. For example, wealthy over-65s were seen pre-COVID as the least likely to shop online. They are now a large proportion of the Tesco delivery spots.

Since 2019, it is estimated that the online spend in Ireland has increased by 30–40%. Amazon opened its first fulfilment centre in Dublin in late 2022²⁷ to supply customers in Ireland and the EU and has plans to expand this further. In doing so, Amazon is expected to remain a leading contributor in the e-commerce market in Ireland.

The pandemic proved to be a great opportunity for digital-enabled companies. Enterprise Ireland support the ongoing digitalisation of Irish business to help recovery and growth. They offer the Digital Ready Scorecard – an online self-assessment tool to evaluate gaps in digital capabilities, as well as a €6,300 grant, which funds companies developing a digital roadmap.

While there continues to be significant delays in bringing high-speed internet connections to some Irish households in line with the National Broadband Plan, this is unlikely to dim the growth in online trading.

5.1 What is the process for online brand enforcement in your jurisdiction?

There are a number of pieces of legislation that can be used to protect brands and enforce the rights that traders have in their brands.

Trademarks

These can be registered in Ireland by the Intellectual Property Office of Ireland (IPOI), the European Union Intellectual Property Office (EUIPO), or the World Intellectual Property Office (WIPO) depending on the jurisdictional scope of protection required.

Actions for infringement can be brought by the trademark owner under the Trade Marks Act 1996, or the EU Trademark Regulation (Regulation (EC) 207/2009) for EUIPO trademarks.

The Director of Public Prosecutions can also initiate criminal proceedings under the Trade Marks Act 1996 for trademark infringement.

Unregistered trademarks can be protected by taking an action for passing off, which is a common law tort where one party attempts to mislead the public into thinking that their brand is associated with another brand.

Copyright

Copyright is protected in Irish law by the Copyright and Related Rights Act 2000 (CRRA). Protection is automatic and there is no system of registration in Ireland.

Subject to some small fair dealing exceptions, a copyright owner can prevent another party from using its work without permission (usually granted by way of a licence for a royalty). A copyright owner can sue for infringement under the CRRA.

Domain names

These are now a crucial part of a company's branding. The most common issues are first cyber-squatting, where someone registers a name to thwart a genuine user's ability to register it in the hope of extracting a large price for it; the second is where different companies may have legitimate interests in the same domain name.

Under ICANN rules, an aggrieved trademark holder can use the Uniform Domain Name Dispute Resolution Policy to try and resolve these issues.

Designs

For infringement of design rights in the EU, an injured party can avail of the regime under the European Community Designs Regulation (6/2002/EC) (CDR). The CDR is augmented by EUIPO guidelines issued from time to time.

Patents

These can be registered in Ireland by the IPOI or the European Patent Office (EPO), depending on the jurisdictional scope of protection required.

Actions for infringement can be brought by the patent owner under the Patents Act 1992, as amended.

The European Union introduced a Unitary Patent System in June 2023 to provide uniform protection for all Member States. This is supported through a Unified Patent Court (UPC). Because the Irish Constitution gives primacy to Irish courts and the UPC would involve transferring some of their jurisdiction (patent litigation), a referendum is required. This was scheduled to take place on 7 June to coincide with the European Parliament Elections. However, it has now been postponed by the Government so a separate, informed debate can take place.

5.2 Are there any restrictions that have an impact on online brand enforcement in your jurisdiction?

Up until 2021, Ireland did not have a separate court for large intellectual property (IP) litigation, and instead such disputes had to go through the regular court system. However, this changed in October 2021 when an Intellectual Property List with dedicated judges was added to the Commercial Court, which is designed to be a fast-track court.²⁸

Litigation in Ireland nonetheless tends to be an expensive undertaking, especially in the higher courts; further, many digital businesses are early-stage companies, which may not have the resources to fund a long court case. Alternative dispute mechanisms such as mediation are available in Ireland and many such companies now seek to use these as an initial step before pursuing litigation.

6.1 What are the legal considerations and risks in your jurisdiction when contracting with third party-owned data centres or cloud providers?

If a company is using the infrastructure located in a data centre to run its business or contracting with a cloud services provider for that purpose, it will need to ensure its data will remain secure, available and accessible. This is typically done through a services agreement, which should contain a commitment to those matters as well as to service levels.

If a company is a controller of personal data, then it will be required to include a data processing agreement or addendum as part of its contractual arrangements with the service provider, to meet its obligations under Article 28 of the GDPR (section 80 DPA).

The DPC has published guidance on its website as to what conditions it considers to be mandatory for such contracts.²⁹

6.2 Are there any requirements in your jurisdiction for servers/data centres to be located in that jurisdiction?

There are none. However, a controller is subject to Chapter 5 of the GDPR, which governs transfers of personal data to third countries and international organisations. Article 44 of the GDPR (and a number of sections of the DPA) states that if a controller transfers personal data out of the EU, it must enjoy the same level of protection as it gets under the GDPR.

In the absence of an adequacy decision or consent, personal data may still be transferred to a non-EEA country subject to the putting in place of one of the appropriate safeguards set out in Article 46 of the GDPR (section 98 DPA). These include the "Standard Contractual Clauses" or "Binding Corporate Rules". The safeguards must be outlined in a legally binding contract between the transferring and recipient parties.

7.1 What, if any, are the technologies being adopted by private enterprises and government border agencies to digitalise international (cross-border) trade in your jurisdiction?

In 2017, Ireland adopted a new trade and investment strategy, "Ireland Connected: Trading and Investing in a Dynamic World".³⁰ Part of that strategy includes the idea of "connectedness" and the harnessing of digital technologies to increase and facilitate trade.

Irish Revenue and Customs already only use automated processes for interacting with traders importing goods into Ireland.

Enterprise Ireland has a "Digital Island" strategy and encourages Irish companies on their "digital journey".

As described in question 4.6 above, to help Irish exporters in formulating a digital strategy, it provides a "Digital Ready Scorecard", a short self-assessment online tool enabling businesses to assess their current digital readiness along with a Digitalisation Voucher of up to €6,300 with the aim of increasing the digital maturity of Irish enterprise. It facilitates Irish companies' engagement with third-party consultants to assess where they are and what they need to do. The output is a strategic, digital roadmap for their businesses.

Enterprise Ireland has also introduced Digital Process Innovation grants, which aim to help "[b]usinesses seeking greater integration of digital technology for improved productivity".³¹ This grant is for SMEs and will cover 50% of eligible costs up to a maximum of €150,000.

InterTrade Ireland is a cross-border agency between Ireland and Northern Ireland, which is funded by governmental agencies on both sides of the border and seeks to help SMEs to develop cross-border markets and exporting.

Ireland is also a part of, and currently chairing, the D9+, a group of "digitally ambitious" EU Member States who are working together with the aim of progressing the EU Digital Single Market. The themes of Ireland's six-month chairmanship were announced in February 2024 and include "effective and coherent digital regulation as a foundation for innovation and growth in the EU" and "the importance of stability and predictability in fostering investment and growth".³² These themes evidence the continued commitment to growing digital cross-border trade in Ireland.

7.2 What do you consider are the significant barriers to successful adoption of digital technologies for trade facilitation and how might these be addressed going forward?

General barriers include restrictions on the transfer of data, for example. In Ireland, like the rest of the EU, the GDPR governs how personal data is transferred across international boundaries, and this may slow trade as the required safety mechanisms are reviewed and put in place.

Also, while many goods can now be bought digitally (e.g., a hard copy book or clothing), they still have to be delivered by some form of parcel post and are susceptible to delays in customs.

Brexit and the Windsor Framework (which was formally adopted in March 2023)³³ continue to be a major issue for Ireland. Northern Ireland has remained within the EU for the purpose of the supply of goods, whilst Great Britain (the rest of the UK) is now a so-called "third country". The Windsor Framework is intended to simplify the process for checking goods from the UK when they enter Northern Ireland to ensure that only those goods that will continue on to Ireland as part of the EU are checked.

It was hoped that technological advances would make the border between the Republic of Ireland and Northern Ireland seamless, but so far this has not been the case. While many solutions have been promulgated in general terms, none of the stakeholders have so far come up with a technological solution that all parties can agree as workable; however, the implementation of the Windsor Framework may encourage further development in this area.

8.1 Please give a brief description of any tax incentives of particular relevance to digital businesses in your jurisdiction. These could include investment reliefs, research and development credits and/or beneficial tax rules relating to intellectual property.

Ireland has a number of tax incentives that are available to digital businesses.

There is a 30% tax credit available to companies for R&D expenditure incurred during accounting periods commencing on or after 1 January 2024 (previously 25%). This credit, which can include certain expenditure incurred prior to trading, is claimed via a three-year fixed payment schedule. Companies may elect to have any part of each yearly instalment set against their annual tax liabilities. The credit can be claimed in addition to a 12.5% deduction for the expenditure, resulting in an attractive effective tax deduction of 42.5%.

The tax legislation also provides for a tax deduction for trading companies that expend capital on qualifying IP assets. IP is defined quite broadly and includes patents, trademarks, copyright goodwill, domain names and customer lists.

The Knowledge Development Box provides for a lower corporation tax rate of 10% on profits arising from qualifying assets, which are themselves the product of qualifying R&D. This incentive is fully compliant with the OECD's modified nexus approach (linking the relief to R&D and IP). To avail of the relief, a company must be earning income from those qualifying assets (such as through licensing or other exploitation).

Under the Taxes Consolidation Act 1997 (as updated each year by the Finance Act), there is also currently a tax relief available for start-up companies, in certain sectors, with corporation tax due of €40,000 or less in a tax year (and partial relief if it is between €40,000 and €60,000). The amount of the relief depends on the number of employees in the company.

Acquisitions of IP are also exempt from stamp duty in Ireland.

Companies investing in qualifying digital gaming projects can avail of a 32% tax credit, capped at €25 million per project.

There are additional grants and services made available through the IDA Ireland (Ireland's agency for inward investment) to foreign companies who are considering investing in Ireland.

Finally, Ireland has a low corporate tax rate of 12.5%, which makes it attractive for companies to locate here. However, in 2021, it signed up to the OECD's global tax regime, meaning that from 1 January 2024, companies with a turnover in excess of €750 million will have to pay corporate tax at a 15% rate.

8.2 What areas or points of tax law do you think are most likely to lead to disputes between digital businesses and the tax authorities, either domestically or cross-border?

VAT would seem the most likely area where disputes will arise for a number of reasons.

VAT distinguishes between goods and services (services being everything that is not a good!). In the world of digital and downloads, the distinction can be difficult, making it challenging to determine place of supply and accountability.

A single EU-wide threshold of €10,000 has replaced the individual VAT thresholds that applied to traders in each Member State. Once the trader has achieved those sales across the whole of the EU, it must apply the VAT rate applicable in the customer's home country. This will require knowledge of all the different VAT rates applicable in the different Member States. This is by no means a simple task and leads to miscalculations and disputes.

A recent amendment to the 2011 Directive on Administrative Cooperation (2021/514) (DAC7) may also lead to disputes. The amending Directive has extended the automatic exchange of information to apply to digital businesses that provide a platform for the following:

• sale of goods;
• rental of immovable property;
• provision of personal services; and
• rental of any mode of transport.

Irish companies operating in this space are required to disclose information about the aforementioned transactions that occur on their platform to the Irish tax authorities. These new provisions came into effect on 1 January 2023, with the first reporting under these new rules due by 31 January 2024.

9.1 What legal and practical considerations should businesses take into account when deciding on the best way of resourcing work in your jurisdiction? In particular, please describe the advantages and disadvantages of the available employment status models.

In Ireland, individuals are either employees or self-employed, independent contractors; there is no intermediate or hybrid status. How the relationship is described in the written agreement between the parties is only one of a number of factors that will be taken into account when determining whether an individual is an employee or an independent contractor; what is important is how the relationship works in practice. There are a number of tests considered by the Workplace Relations Commission (WRC)/Court and Revenue in determining whether an individual is an employee or an independent contractor. In recent years, the question of whether there is a mutuality of obligation between the parties is a key test. Mutuality of obligation means that, under the contract, the employer must provide a reasonable amount of suitable work to the employee, who in turn must perform all such work provided. If there is mutuality of obligation, it is indicative of an employment arrangement. A company should consider how the arrangement works in practice and should ensure that the written agreement accurately reflects this.

The EU (Transparent and Predictable Working Conditions) Regulations 2022³⁴ were signed into law in 2022. The Regulations provide that certain independent contractors must be treated as employees for the purposes of the Terms of Employment (Information) Act 1994.³⁵ Contractors who are personally obliged to provide a service must be given a statement of terms like the statement that is given to a (conventional) employee.

The vast majority of employment rights are afforded to employees only; for example, the right to be paid for annual leave and minimum wage, protection from unfair dismissal and the right to a redundancy payment. Both employees and independent contractors will benefit from the protections afforded by whistleblowing and equality legislation. Independent contractor arrangements work best where the individual is in business on their own account and they provide services to more than one client. This type of agreement provides flexibility to both parties and can be advantageous from a tax perspective as no employer PRSI (social insurance) is payable. However, mis-classifying an individual as self-employed when in reality they are an employee could result in significant costs for a company that will be liable for any underpayment of tax and social security, plus interests and penalties. It also means that the individual will have accrued statutory employment law rights as against that company.³⁶

There are a number of different types of employment arrangements, depending on what type of resourcing a company requires. For example, a company may want to employ individuals on a part-time basis or for a specific project or fixed duration. Alternatively, companies may choose to engage an employment agency to supply staff, rather than hire them directly. Irish employment law generally does not distinguish between these different categories of employees and there is much legislation in place to ensure that these categories of employees are treated no less favourably than permanent, full-time employees.

"Zero-hour" contracts, which require individuals to be available for work but with no guaranteed hours, are prohibited by the Employment (Miscellaneous Provisions) Act 2018, except for in very limited circumstances.

9.2 Are there any specific regulations in place in your jurisdiction relating to carrying out work away from an organisation's physical premises?

The Work Life Balance and Miscellaneous Provisions Act 2023 introduced a right for employees to request remote working, which became effective 7 March 2024. This gives a right to request remote working on day one of employment but confirms you must have a period of six months continuous service before commencing remote working. The legislation is clear on not being a right to work from home but rather a right to request this and it is up to employers to approve or deny this. An employer has an obligation to consider the needs of the business and the needs of employees along with the Workplace Relations Commission Code of Practice³⁷ when making a decision on an employee's request. This legislation also provides employees a right to request flexible working arrangements for caring purposes and introduces domestic violence leave and unpaid leave for the medical care of young children.

A company has obligations under employment law in Ireland in respect of all its employees, whether they carry out work remotely or from its physical premises. While there is not yet any specific regulation in place in Ireland that regulates remote working, employers should pay particular regard to their obligations under health and safety, working time and data protection legislation.

Under the Safety, Health and Welfare at Work Act 2005, employers have specific duties to ensure the safety, health and welfare at work of all employees, whether or not that work is being done at the employer's premises. This includes providing and maintaining a safe workplace, preventing any improper conduct or behaviour likely to put the safety, health and welfare of employees at risk and providing instruction and training to employees on health and safety. Employers must carry out a risk assessment of the workplace, even where this is not the employer's premises (for example, an employee's home office). Organisations should have policies in place that clearly set out the employer's and employees' health and safety obligations, including an obligation on employees to report health and safety risks and work-related accidents.

The Organisation of Working Time Act 1997 governs minimum working hours and rest breaks. Under the Act, employers are obliged to record employees' working time on a daily basis including start and finish times and rest breaks. Remote working can make it particularly challenging for organisations to comply with their working time obligations. Employers should put in place policies and systems for recording employees' working hours and rest breaks when working away from their premises.

Compliance with the GDPR/DPA will also be an issue where employees are not based at a company's premises. Companies should put in place robust data protection policies including procedures for reporting data breaches and ensure ongoing training for all staff on their data protection obligations. Extra security measures may need to be taken for employees working remotely, such as the provision of encrypted laptops.

As part of the Strategy for Remote Work (a policy launched by the Government to acknowledge the changes to the working environment brought about by COVID-19), the Department of Enterprise Trade and Employment has introduced a new Code of Practice on the right to disconnect. Its purpose is to promote a culture of good work/life balance and breaking bad habits whereby people feel obliged to respond to messages out of hours. The Code primarily addresses rights that already exist under Irish employment law. However, it does go slightly further, to address the fact that working outside of normal working hours has become a "bad habit" that needs to be broken.

The Code emphasises that employers cannot generally allow employees to work for more than an average of 48 hours a week and should be keeping records of hours worked. It highlights the employer's duty to "manage and conduct work activities in such a way as to prevent, so far as is reasonably practicable, any improper conduct or behaviour likely to put the safety, health and welfare [of employees] at risk". Further it reaffirms that employment contracts should include the hours of work that the employer reasonably expects the employee to work in a normal working day and a normal working week. The Code helpfully makes clear that the right to disconnect is not an absolute right and recognises that there may be occasional legitimate situations where business and operational reasons require contact out of normal working hours.

9.3 What long-term effects or changes are likely to result from the COVID-19 pandemic?

In Ireland, the Government has recognised the permanent shift towards remote and home working following COVID-19 as evidenced by the introduction of new legislation referenced in question 9.2. A BNP Paribas Real Estate Analysis of Eurostat data from a 2022 survey reveals that the proportion of employees in Ireland who said they sometimes or usually work from home jumped from 7% in 2019 to 25% in 2022, the biggest percentage point increase of any EU country.³⁸ The Strategy for Remote Work referred to in question 9.2 above aims to build on the progress made in adopting remote work during the pandemic. Highlights include: mandating that home and remote work should be the norm for 20% of public sector employment; mapping and investing in a network of remote working hubs across Ireland; and legislating for the right to request remote working.

Managing mental health issues arising from home working is also likely to be a key requirement for employers as part of their health and safety obligations.

A longer-term consideration as a result of these changes is that employers will have to consider whether remote working should include allowing employees to work from a different country. It would be necessary first to have knowledge of an employee's local laws and whether they could automatically apply. Such local laws could, for example, specify longer holiday periods or minimum pay. Employers would also need to be aware of any implications for payroll taxes along with any permanent establishment risks from a corporate tax perspective, depending on the type of work the employee carries out.

10.1 What are the key legal barriers faced by a digital business operating in your jurisdiction?

There are no real legal barriers to entry for digital businesses, such as registration. However, there are significant amounts of legislation and regulation to deal with for digital businesses as set out elsewhere in this chapter.

A B2B offering will of course be easier to set up and mange than a B2C offering, as in the latter, the trader will not have to deal with consumer legislation.

10.2 Are there any notable advantages for a digital business operating in your jurisdiction?

There are considerable advantages for a digital business operating in Ireland.

In section 8, the various tax incentives are described, as well as the grants available from IDA Ireland for foreign companies setting up in Ireland.

In addition, we have a well-educated and trained workforce able to work easily in the technology industry generally. Ireland is also the European headquarters of many large, well-established technology companies.

Ireland is strategically situated between Europe, the UK and the US and since Brexit, Ireland is the only English-speaking country in the EU.

10.3 What are the key areas of focus by the regulator in your territory in respect of those operating digital business in your territory?

There is currently no designated regulator in Ireland tasked with overseeing digital business. The most relevant regulators are the DPC and the CCPC, but these focus solely on privacy issues and competition and consumer protection, respectively.

The Advertising Standards Authority for Ireland (ASAI) is a non-statutory body that reviews and reports on advertising, including digital advertising. While it can request changes to or the withdrawal of adverts, it has no enforcement powers.

A couple of recent changes also impact the operation of digital business in Ireland. Firstly, the OSMR introduces new online safety laws to bring legislation up to date with the EU Audio-visual Media Services Directive. This legislation introduces a new regulatory body, the Media Commission, which will include an Online Safety Commissioner to police online safety codes and how online video-sharing services deal with harmful content.

The DSA (as set out in the response to question 1.3) is another developing area of regulation in Ireland given the role of CnM as Ireland's DSC to oversee compliance.

11.1 What regulations, if any, apply to the online payment sector in your jurisdiction?

Payment Services Regulations 2018 (S.I. No. 6/2018) – European Union (Payment Services) Regulations 2018

These Regulations implemented PSD2 (referred to in question 3.1) and replaced the 2009 Regulations (PSD1). This is the most important piece of legislation in respect of online payments.

PSD2 is intended to reduce fraud while opening up payment markets to new entrants. Its operation in Ireland is governed by the CBI.

PSD2 is intended to be a positive development for all users of payment services, but particularly consumers. It introduced the concept of Strong Customer Authentication (SCA), which includes two-factor authentication for certain card payments. The SCA provisions came into effect in Ireland in March 2022. The applicable payments are mainly recurring card payments such as subscription payments or transactions where the cardholders' details are retained for future use.

E-Money Regulations (the European Communities (Electronic Money) Regulations 2011)

The E-Money Regulations transposed Directive 2009/110/EC into Irish law and apply to providers of e-money services. The E-Money Regulations have been further updated by PSD2.

The GDPR/Data Protection Act 2018

This will also be applicable to online payment service providers. For more detailed analysis, see elsewhere in this chapter.

The Markets in Crypto-Assets (MiCA) Regulation and Crypto Payments

The MiCA Regulation was proposed by the European Commission in September 2020 and will commence in two phases in June 2024 and December 2024. Once commenced, the MiCA Regulation will provide legal certainty around crypto-assets, place obligations on the issuers of such assets and create a harmonised legal structure for dealing with previously non-regulated crypto-assets. In creating this framework, the EU will support fair competition and innovation.

The CBI issued a consumer warning in March 2022 about the risks of investing in crypto-assets as part of an EU-wide campaign by the European Supervisory Authorities. However, there is currently no ban or restriction on cryptocurrencies in Ireland.

11.2 What are the key legal issues for online payment providers in your jurisdiction to consider?

Online payment providers must comply with the provisions of PSD2 as described in question 11.1. This will initially involve an authorisation and approval process carried out by the CBI, before any service can begin. An authorisation process is also required for e-money service providers under the E-Money Regulations.

PSD2 and the E-Money Regulations set out various capital and probity measures that a company must meet in order to be authorised.

The CBI places much emphasis on having "hearts and minds" located in Ireland. This essentially means that the CBI will need to be satisfied that the applicant will be properly run in Ireland and that the CBI will be able to supervise it effectively. As a minimum, it requires a senior management team overseen by a strong board and an appropriate organisation structure with reporting lines.

Online payment providers will also need to be mindful of the GDPR, anti-money laundering legislation and, where applicable, consumer legislation, described elsewhere in this chapter. In addition, the CBI has published a number of consumer codes that may be relevant to the operation of online payments.

12.1 With the current global emphasis on the environment and sustainability, is there any current or anticipated legislation in that area that is likely to impact digital business in your jurisdiction?

There is not currently any specific legislation in Ireland dealing with the environment or sustainability with direct application to digital business. The ongoing European Green Deal discussed at question 12.3 below will introduce certain directly effective legislation into Ireland, which may affect businesses from a sustainability standpoint. In March 2024, the Directive on Empowering Customers for the Green Transition ³⁹ entered into force, which aims to tackle unfair practices and misinformation provided to consumers by traders in connection with sustainability; for example, claiming certain products have lower environmental impact than alternative products, known colloquially as "green washing".

Presently, consumers who feel that they have been misled by claims that products are "green", "sustainable" or "eco-friendly" would have to rely on more general protection such as the CPA if they want to make a claim. Under the CPA, a seller must not make false claims about any goods or services they are selling.

The CPA has been updated and amended by the CPA22. This Act significantly overhauls the area of consumer protection in Ireland and incorporates the EU Directive on Enforcement and Modernisation to allow for higher-level penalties for breaches for certain consumer protection law, including misleading commercial practices.

Under the CPA22, the CCPC, which is charged with policing consumer protection law in Ireland, has gained increased enforcement powers as against traders who fail or refuse to provide a remedy or reimbursement to which a consumer is entitled.

The Sale of Goods and Supply of Services Act 1980 includes an implied term in any contract for sale that goods will correspond with their description, which would cover claims of sustainability or eco-friendly products.

ASAI also sets rules and issues decisions in respect of false or misleading advertising. However, unlike its UK counterpart, it has no power to enforce those decisions.

In December 2019, the European Commission published the European Green Deal to tackle environmental challenges with a bold aim to become the first climate neutral-continent by 2050.

12.2 Are there any incentives for digital businesses to become 'greener'?

Ireland has a target to reduce carbon emissions by 51% by 2030, and to achieve a climate-neutral economy by 2050.⁴⁰ Therefore, businesses are being actively encouraged by the Department of the Environment to prepare for this by adopting appropriate business models and investing in more sustainable products and services.

To help drive this change, Enterprise Ireland, a state agency, has introduced the Green Transition Fund to support the decarbonisation of Irish companies and move towards more sustainable options. There are two elements to this fund: the Climate Planning Fund for Businesses; and the Enterprise Emissions Reduction Investment Fund.

There are three supports available as part of the Climate Planning Fund for Business:

1. Climate Action Voucher: up to €1,800 to assist companies in receiving advisory support to develop an initial sustainability and decarbonisation plan.
2. GreenStart: up to €5,000 to fund consultancy work to begin the transition towards sustainability and decarbonisation best practice.
3. GreenPlus: grant funding for 50% of costs of training projects including developing climate change and sustainability plans in SMEs.

The Enterprise Emissions Reduction Investment Fund seeks to provide financial support to companies to track and reduce their carbon emissions and includes R&D grants, capital investment for decarbonisation processes and investment for energy monitoring and tracking systems.

The Sustainable Energy Authority of Ireland (SEAI), another state agency, has introduced the "Excellence in Efficiency Design Scheme" (EXEED), which is an incentive programme to promote energy efficiency in business. Grants of up to €1 million per project are available and this is available to all sectors, organisations and projects.

The SEAI also facilitates the Accelerated Capital Allowance tax incentive that allows a company to deduct the full cost of qualifying energy-efficient products and equipment from their profits in the year of purchase as well as support schemes for renewable heating sources.

The Environmental Protection Agency (EPA) operates another state fund known as "Green Enterprise: Innovation for a Circular Economy". It supports businesses to develop and demonstrate innovative practical applications and solutions that prevent waste and stimulate the circular economy. Grants of up to €100,000 are available.

12.3 What do you see as the environmental and sustainability challenges facing digital businesses?

All businesses, digital or otherwise, have to play their part if Ireland is to achieve its 2030 and 2050 environmental goals to reduce its carbon footprint to net zero. This will involve undertaking energy-efficient projects of the type for which grants are now being made available as discussed in question 12.2 and moving towards more sustainable business practices.

According to research by BitPower, as of June 2023, there were 82 operational data centres in Ireland,⁴¹ with 40 more having received planning permission and 14 under construction. Tech giants such as Amazon, Facebook and Google all have storage facilities here in Ireland. Some €1.9 billion was spent on the construction of data centres in 2023 alone,⁴² with this projected to continue to grow in the coming years.

The development of these data centres brings welcome jobs in construction, operation and maintenance; however, there is also a downside – these data centres use a huge amount of energy. Bitpower's research shows that data centres accounted for 18% of Ireland's electricity usage in 2022, with this figure expected to continue to rise. The challenge is finding sufficient renewable sources of energy to meet this demand and keep Ireland's carbon goals on track.

A challenge for companies that sell products digitally is and will continue to be the increasing emphasis on the circular economy and being able to verify claims that products are sustainable and escape claims of green washing.

Legislation at an EU level is being finalised that will have a major impact on both those issues.

The first part is the EU's European Green Deal, which was approved in 2019 and is an ongoing initiative to make the EU the first climate-neutral continent by 2050. As part of this project, the EU has promised legislation to compel companies to substantiate environmental claims about their products, improve packaging and move towards climate neutrality.

The EU also published its "Circular Economy Action Plan" in October 2020. It proposes new legislation requiring environmental claims to be substantiated by using the EU Product and Organisation Environmental Footprint (PEF and PEO) methods, developed by the Commission's Joint Research Centre. In addition, it wants to see a change in both supplier and consumer behaviour by extending the lifetime of goods, repairing defective goods, and by encouraging people to purchase more second-hand and refurbished goods.

Digital suppliers will need to watch the above developments and ensuing legislation carefully and aim to develop more sustainable business practices in line with this EU-led shift towards a more sustainable and carbon-neutral future.