knowledge 8 June 2026 |

Irish Exemptions from GDPR Rights Upheld – Key Takeaways for Organisations

The Irish High Court has held that exemptions from data subjects’ right of access set out in the Irish Data Protection Act 2018 (the “2018 Act”) are compatible with the GDPR, and specifically Article 23.  While this decision, which arose in O'Brien v The Data Protection Commission and Ors (which has been appealed), will be welcomed by organisations who rely on these provisions when dealing with data subject rights requests, it also serves as a reminder that these exemptions are not absolute.  

Background

This case arose from a refusal by Red Flag Consulting Limited to release certain personal data requested by Denis O’Brien. Red Flag relied on exemptions provided for in Sections 60 and 162 of the 2018 Act and Article 15(4) of the GDPR. Mr O’Brien complained about this refusal to the Data Protection Commission and the DPC held that Red Flag was entitled to rely on these exemptions in the circumstances. Mr O’Brien appealed the DPC’s decision to the High Court. 

The relevant Irish exemptions provide that data subjects’ rights:

  • “are restricted to the extent that the restrictions are necessary and proportionate … in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure” (Section 60(3)(a)(iv)).
  • “do not apply (i) to personal data processed for the purpose of seeking, receiving or giving legal advice, (ii) to personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings, including personal data consisting of communications between a client and his or her legal advisers or between those advisers, or (iii) where the exercise of such rights or performance of such obligations would constitute a contempt of court” (Section 162).

A key issue was whether these exemptions are compatible with Article 23 of the GDPR. This has been open to debate since the 2018 Act was enacted. Article 23 permits Member States to adopt a law that restricts data subjects’ rights, provided that any such legislative restriction (a) respects the essence of the rights, (b) is a necessary and proportionate measure in a democratic society to safeguard interests listed in Article 23(1) and (c) “contains specific provisions at least, where relevant” as to the factors specified in Article 23(2).

High Court Decision – Key Points

In considering whether Sections 60(3)(a)(iv) and 162 were compatible with Article 23, Ms. Justice Lankford applied Irish principles of interpretation and considered how Article 23 should be interpreted. Despite the absence of detailed consideration of the interpretation of Article 23(2), in particular, by the Court of Justice of the European Union, Ms. Justice Lankford considered there was no need to refer questions regarding the interpretation of Article 23 to the CJEU.  

It was held that:

  • The Irish provisions benefit from the presumption of constitutionality and should be interpreted, insofar as possible, in a manner that is consistent with the requirements of the GDPR.
  • The inclusion of the words “where necessary and proportionate” in Section 60(3) is significant, since this qualifies the exemptions set out in this provision in a way that aligns with one of the requirements of Article 23(1).  The absence of equivalent wording from Section 162 was not addressed in the decision.
  • Article 23(2) does not require that any national law that restricts data subjects’ rights must address all of the factors listed in Articles 23(2)(a) to (h).  The use of the words “at least, where relevant” in Article 23(2) is significant.  This means that these factors need only be addressed in the applicable national legislation where they are relevant to the specific exemption in question.
  • Based on the arguments put to the Court, there was no need to annul or alter the DPC’s decision.

Conclusion

Most organisations will welcome the DPC’s decision being upheld, since questions regarding the validity of the exemptions set out in Sections 60 and 162 would give rise to substantial legal uncertainty. However, it is necessary to bear in mind that their validity was upheld partly on the basis that they have to be interpreted in a manner that is consistent with the GDPR.  This requires that they are construed to apply only where the restriction of data subjects’ rights is “necessary and proportionate” for the reasons specified in the applicable exemption and provided those reasons align with the requirements of Article 23. This means that these exemptions (and others set out in the 2018 Act) are more qualified than many organisations might assume when applying them. A reliance on them as if they were absolute will be vulnerable to challenge.

It remains to be seen whether this decision will be upheld on appeal.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

Key Contacts
Adam Finlay

Adam Finlay

Partner

Amy Brick

Amy Brick

Partner

Related Content
Knowledge 21 April 2026

Blocking Bad-Faith DSARs: The Brillen Rottler Ruling

Read more
Knowledge 28 January 2026

Signposts from Luxembourg: GDPR Judgments from EU Courts in 2025

Read more
Knowledge 19 January 2026

Digital Omnibus Regulation – Missed Opportunity

Read more