knowledge 20 August 2025 |

Digital Rights Ireland designated as Ireland’s third qualified entity under the Representative Actions Act

Digital Rights Ireland (“DRI”) has been designated as the third “qualified entity” (“QE”) under the Representative Actions for the Protection of the Collective Interests of Consumers Act 2023 (the “Representative Actions Act”) with effect from 3 July 2025. All three of the QEs designated so far are active in the privacy and digital rights sphere, with the two others being the European Center for Digital Rights or ‘noyb’ and the Irish Council for Civil Liberties (the “ICCL”). These entities can bring representative actions in Ireland and throughout the European Union on behalf of groups of consumers for infringements of certain consumer protection laws occurring on or after 25 June 2023.

Funding

According to DRI, it is funded primarily through donations from individuals and support from charitable foundations committed to advancing digital rights, such as the Digital Freedom Foundation. As with the other two QEs designated in Ireland, DRI faces the challenge of funding representative actions in the absence of third-party litigation funding in Ireland.

In July, the ICCL lodged a complaint with the European Commission alleging that Ireland is in breach of Article 20(1) of the Representative Actions Directive, which provides “Member States shall take measures aiming to ensure that the costs of proceedings related to representative actions do not prevent qualified entities from effectively exercising their right”, due to Ireland’s prohibition on third party funding, which it states prevents QEs from raising the necessary funds to bring these actions. ICCL note that Ireland is an important venue for representative actions for breaches of GDPR given that many technology firms have their “main establishment” here.

What to Expect from DRI

DRI is a non-profit organisation that aims to defend civil, human and legal digital rights, with a particular emphasis on privacy, data protection, and state surveillance. With a view to anticipating the types of representative actions that DRI may take, we consider below its recent activities in the digital rights space:

DRI has filed complaints with the Data Protection Commission (the “DPC”) in relation to Ireland’s Public Services Card (“PSC”) alleging it breached the GDPR.
In 2021, DRI filed a complaint with the DPC in relation to Facebook user personal data which it alleged had been made available on the internet in breach of the GDPR.
In 2024, DRI raised concerns with proposed laws to enable Garda use of Facial Recognition Technology, which it states poses risks to fundamental human rights such as privacy, protection of personal data and non-discrimination.
It has been involved in litigation before the Irish and EU courts, with one action resulting in the EU Data Retention Directive¹ being declared invalid by the Court of Justice of the European Union in 2014 on the basis that it constituted a disproportionate and serious interference with fundamental privacy rights and the protection of personal data².

Outlook

With the three QEs designated in Ireland operating in the privacy and digital rights sphere, consumer facing businesses should be alert to the potential for representative actions in these areas.

For further information on the Act, see our previous briefings here, here, here and here.

Also contributed to by Clara McKenna

Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks
Joined Cases C-293/12 (Digital Rights Ireland) and C-594/12 (Seitlinger and Others).

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.