This article is written by Jatin K. Chheda, pursuing a Diploma in Cyber Law, Fintech Regulations and Technology Contracts from LawSikho.
Table of Contents
Throughout evolution, mankind has endeavoured to advance its civilisation. From prehistoric ages, the dark ages to Stone Age, Iron Age, Bronze Age, Industrial Age mankind has used technology in its stride to better its socio-economic purposes.
We are now on the onset of yet another advancement in human evolution, as we step into the most advanced age- the “Digital & Tech Age’. With the advances in technology space at supersonic speeds human civilisation has now entered a new paradigm as global structures, nations, economies, businesses and people are virtually connected together. A new parallel space has opened up transgressing geographical barriers, boundaries and limitations.
At this point in time, it is the countries that are seen making giant strides, to become global technological hubs that drive and empower cyberspace. One such key global player and now a technology hub leading the technological advances is Ireland.
The parallels that are drawn between the physical reality and virtual reality, i.e. cyberspace are fraught with human activity of all kinds. Suffice to say the facets of human nature are seen running amongst these parallels. While on one hand there is the positive side, on the other there are serious security issues threatening cyberspace. Infact, with the borderless incognito nature of cyberspace security is of greater concern and cybersecurity brings with it greater perils if breached.
This article is aimed at reviewing a multi-layered, robust and well enveloped cybersecurity structure that Ireland’s Cybersecurity Laws create. Concerned persons should take keen interest in understanding the design of this fortified framework through law, regulations and policies both domestic and international. This article aims to review the Irish cybersecurity laws, regulations and landscape.
Ireland- An Integrated Cyber and Technology Hub
In the 1970’s Ireland devised a new industrial policy, aimed at attracting FDI from the USA in particular. What was going to work for Ireland was that it had just joined the then EEC (European Economic Community), present-day EU (European Union) and coupled with being an English speaking nation culturally very close and to add to that Ireland reduced its corporate tax rate to 12.5% (Source) the perfect mix to set the stage for a slow but steady march towards making it a Global Tech Hub.
Over the years Ireland has become the business haven for Global technology giants like Apple, Dell, etc. A brief snapshot of Ireland’s IT landscape will help understand Ireland’s strategic and eminent position in the Global Tech landscape.
According to ‘The Changing Landscape of Disruptive technologies- Global Innovation hubs published by KPMG, Ireland. Is one of the youngest dynamic and tech-savvy countries in Europe also claiming it to be the choicest name for tech bigwigs, startups and entrepreneurs?
“Ireland is the location of choice and a gateway to Europe for successful businesses. A winning combination of talented people, attractive business taxes, commitment to the EU and an exceptional track record sets Ireland apart. We are home to entrepreneurs, innovators, and business leaders in every sector from fintech to pharma. They choose Ireland for many different reasons but they each have one thing in common—A DESIRE TO SUCCEED IN A BUSINESS-FRIENDLY EUROPEAN ENVIRONMENT THAT IS GREAT FOR BUSINESS AND GREAT FOR LIVING.” — Anna Scally Partner, Head of Technology, Media and Telecoms, KPMG in Ireland (Source)
The Trident- IDA, Enterprise Ireland and SFI
The Irish have taken a three-pronged approach to boost technology innovation.
The IDA Industrial Development Authority focuses on MNC’s to create jobs in Ireland. The IDA is mostly the global face of Ireland which markets Ireland to the rest of the world and with presence in other countries to fish for companies to put their European headquarters in Ireland.
Enterprise Ireland focuses on helping Irish businesses thrive domestically as well internationally. Enterprise Ireland is focused on helping Irish businesses by deploying infrastructure like incubators, accelerators, seed-stage matching investment funds, office parks.
Science Foundation Ireland service research grants to Irish universities. They catalyse tax money to propel innovation and economic development through research by giving grants to Irish Universities. An interesting and noteworthy feature is that they have a program where SFI will pay the salary for one of their researchers to be placed in a company for a year across the globe. After a year the researcher can be hired by the companies if they are willing to join the company or else return to the university.
The ease of business, pro-innovation, and technology-savvy atmosphere and high-quality skilled talent readily available, and a thriving Information Communications Technology sector attracts talent, investors, and multinational corporations to make Ireland their European hub. Backed by a world-class education, a National ICT Skills Strategy and Plan, 2014 developed by the Irish government in partnership with industry leaders ensures constant budding talent. The friendly and light tax regime attracts global businesses to narrow down on Ireland. All of these factors make Ireland a prosperous ecosystem of tech giants, startups, and software players.
With global tech giants like Google, Microsoft, Apple, Facebook, Twitter Dell, etc. operating European Headquarters from Ireland, and with tech startups, entrepreneurs, and players in the software space all contributing to make Ireland a Global Cyber & Tech Hub, it is imperative that a lot of crucial data is being exchanged, processed and stored in and across the borders of Ireland. A crucial question then arises- How secure is Cyberspace in Ireland? What are the laws governing and regulating Cyberspace in Ireland? What are the laws governing and ensuring Cybersecurity in Ireland?
Analysis of Ireland’s various kinds of Cybersecurity Laws
Ireland is shielded under multi-layers of laws and regulations relating to Cybersecurity. These laws provide for various cybercrimes like hacking, phishing, electronic theft, etc. Apart from these Ireland has a multitude of laws governing data protection and privacy laws, payment services-related regulations. A comprehensive law review of Ireland’s Cybersecurity laws gives in-depth learning and understanding of Ireland’s approach to cybersecurity laws. Let us go through various kinds of Ireland’s cybersecurity laws.
a. Criminal Justice (Offences Relating to Information Systems) Act 2017
In 2017, Ireland enacted the Criminal Justice (Offences Relating to Information Systems) Act 2017, here with the ‘2017 Act’ taking effect from 12 June 2017 (Source) revamping the Irish law on cybercrimes while enforcing the Cybercrime Directive. The 2017 Act defines specific criminal offences concerning cybercrime-related activities like hacking, phishing, electronic theft, etc. The 2017 Act lays provisions for punishments up to 5 years (Source) imprisonment or a more stringent punishment of up to 10 Years imprisonment for offences of interfering with an information system without lawful authority.
The offences priorly contained in the Criminal Damage Act 1991 (Source) relating to hacking and criminal damage of data are now repealed and replaced under the 2017 Act. The 2017 Act provides for an array of new offences to deal with crimes relating to ransomware and other serious cyber security threats.
The provisions under the 2017 Act are:
|Section 1||Interpretation Clause- definitions.|
|Section 2||Hacking- intentionally accessing information without lawful authority by infringing security measures is an offence.|
|Section 3||Interruption or intentional hindrance to the functioning of an information system by inputting data on the system; transmission, damage, deletion, alteration or suppression, causing deterioration of data on the system, or rendering data on the system to be inaccessible are all offences relating to Denial-of-Service attacks and are offences under the section.|
|Section 4||Interference with data without lawful authority- intentionally deletion, damage, alteration, suppression, or rendering inaccessible, causing deterioration of data on information systems is an offence under section 4 of the Act.|
|Section 5||Intentional Interception of transmission of data without lawful authority is an offence.|
|Section 6||Production, sale, procurement of computer programs for imports, distribution, or making available for the purpose of committing offences mentioned under Sections 2,3,4 or 5 is whether as a computer’s program or device or codes by way of which information system is capable of being accessed is an offence.|
|Section 7||Procedures relating to search and seizure.|
|Section 8||Penalties relating to offences committed under Section 2, 3, 4, 5, 6, 7(7), or 9(1). Separately under the section identity theft or fraud can be an aggravating factor in cases of ‘denial-of-service attack’ or ‘infection of IT systems’ offences.|
|Section 9||Provides for offences committed for the benefit of a body corporate by a person and where the commission of such offence is attributable to the relevant officer of the body corporate having the requisite degree of control or authority over such person, the body corporate shall be guilty of the offence.|
|Section 10||Jurisdiction- for offences committed within the territory of the State; classification of persons; residency status shall be deemed ordinarily resident if a person has been resident in the State for a period of 12 months immediately preceding the alleged commission of offence.|
|Section 11||Procedures for offences relating to evidence in proceedings for offences outside Ireland.|
|Section 12||Double jeopardy- where a person has been acquitted or convicted for in a foreign land, he shall not be proceeded against for offence relating to the same act within Ireland; the same for.|
|Section 13||Amendments to Criminal Damage Act, 1991.|
|Section 14||Amendment to Bail Act 1997 by adding Paragraph 39 providing for offences under Section 2, 3, 4, 5 or 6 of the 2017 Act.|
|Section 15||Amendment to Criminal Justice Act 2011- substituting Paragraph 30 with 30 and 30A to Schedule 1 of the Criminal Justice Act 2011 providing for provisions for offences related to ‘data’.|
|Section 16||Expenses incurred by the Minister in the administration of the 2017 Act shall be borne by the Oireachtas.|
|Section 17||Short Title & Commencement.|
A certain kind of cybercrimes are more frequent and prevalent, let us look at laws relating to such.
b. Review- The status of frequent and prevalent cyber crimes under Irish Laws
- Hacking- is an offence under Section 2.
- Denial-of-service attacks- are an offence under Section 3.
- Phishing is not an offence under the Act per se and does not constitute a specific offence in Ireland.
- Infecting IT systems with malware- is covered under Section 4 of the 2017 Act.
- Distribution and sale of hardware or software or other tools to commit a cybercrime- is an offence under Section 6.
- Identity theft or fraud with regards to access devices- can be derived from Sections 6, 25, 26 and 27 for deception and forgery of the Criminal Justice (Theft and Fraud Offences) Act 2001 (the “2001 Act”), since there is no explicit mention or provision for this offence.
- Intercepting transmission of data without lawful authority- is covered under Section 5.
- Unsolicited penetration testing- could be an offence under Section 2 of the 2017 Act.
Cybercrimes under both the Acts attract certain punishments as well as penalties.
c. Penalties under the 2017 Act and 2001 Act
|Nature of Offence||Penalty||Act|
|Charged Summarily or less serious offence||Maximum fine €5000||2017 Act|
|Serious Offence||Maximum 5 years’ imprisonment and 10 years in case of Denial-of-service Attacks and an unlimited fine for serious offences.||2017 Act|
|Making a gain or causing a loss by deception||Maximum penalty of 5 years’ imprisonment and an unlimited fine||2001 Act|
|Forgery and unlawful use of a computer offences||Maximum 10 years’ imprisonment and an unlimited fine||2001 Act|
Data Protection Laws
The matters relating to how data is collected, processed and stored in Ireland are governed by The General Data Protection Regulation (Regulation (EU) 2017/679 (“GDPR”) and the Data Protection Acts 1988 to 2018 (“DPA”). The onus lies on the data controllers to take utmost appropriate security measures against unauthorised access, alteration, deletion, disclosure, damage or destruction of data and are obligated to report incidents, particularly where incidences occur involving transmission of data over a network. The DPA provides for offences related to unauthorised sale, distribution or disclosure of personal data obtained without prior authorization.
The e-Privacy Regulations 2011 (S.I. 336 of 2011) (Source) regulate how providers of telecommunications networks and services handle personal data while requiring service providers to take appropriate technical, security and organisational measures to safeguard the privacy and report incidences. The e-Privacy Regulation 2011 also prevents interception or surveillance of communications and related data without users’ consent.
Under the e-Privacy Regulations providers of publicly available telecommunication networks are mandated to ensure adequate technical and organisational measures of security and security policy. Measures ensuring that personal data is accessible only by authorised persons for legally authorised purposes and must ensure the protection of data against tampering, misuse or damage, etc.
The European Payments Services Regulations introduced regulatory technical standards to ensure strong customer authentication systems. It also requires payment service providers to inform the national competency authority in case of major security incidents to the authority as well as the customers.
Dissemination of inaccurate information
In case of a security breach resulting in the dissemination of inaccurate information, the aggrieved person may seek remedies under the Defamation Act 2009 or at common law for breach of confidence and negligence.
The NISD Regulations and Commission Implementing Regulation (EU) specify elements to identify measures to ensure the security of network and information systems shall be applicable always. The National Cyber Security Strategy 2019-2024 mandates for the National Cyber Security Centre to engage in activities to protect critical information infrastructure. The NSSC authorised officers can conduct security assessments and audits and enforce instructions to remedy deficiencies under the enforcement powers under the NISD Regulations.
Reporting to authorities
In case of an incident where a personal data breach has occurred, the data controller must without any delays if possible within 72 hours of becoming aware of the data breach must notify the DPC of the incident with a description of the breach and number of data subjects or personal data records concerned. A list of likely consequences of breach and measures taken or planned to tackle the breach must also be provided.
Where the data breach risks the personal security, freedom, and rights of a data subject, the data controller must notify the data subject, to whom the data pertains. In case of a data breach related to services offered by unlikely available telecommunications networks, the service provider must inform the DPC of the incidents or potential incidents. In specific cases of breach of security of the network, providers must inform their subscribers without delay. Where specific data subjects’ personal data is breached, such subscribers must be informed personally.
Where there is a substantial impact that hampers services, the NISD Regulations require OES and digital providers to notify NCSC with information for the NCSC to assess the impact on services and its cross-border impact as well.
Section 19 of the 2011 Act mandates reporting of certain cybercrimes to the Irish Police failure of which is an offence.
The Central Bank of Ireland’s ‘Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks’ mandates firms to report to themselves, incidences of data breaches or cybersecurity incidents that could have a grave and adverse impact on its ability to provide adequate services to their client and also adversely impacts its financial condition and reputation.
The laws are stringent on reporting incidents to the authorities. Non-compliance for not reporting incidents to authorities will make service providers or data controllers with substantial penalties. It is important to understand the liability that arises upon non-compliance.
Penalties for noncompliance
Failure to comply with adequate security measures or reporting incidents of the data security breach as per GDPR may attract administrative sanctions, ban on processing, and penalties up to €10 Million or 2% of global turnover as per Article 83 of the GDPR (Source).
Failure or non-compliance at the hands of telecommunications networks or services to comply with aforesaid e-Privacy Regulations is an offence that may attract a penalty of up to €250 thousand. In case of conviction, the court may order for any information relating to the offence to be destroyed or confiscated and relevant data to be erased.
Under NISD Regulations in absence of notifying an incident by an operator of essential services or a digital service provider may attract a penalty of up to €10 Million or 2% of global turnover (Source).
In a few decades, Ireland has made giant strides in rightfully attaining a leadership position in the global tech space. Making optimum strategic decisions from attracting foreign FDI in tech space to lowering corporate taxes to leveraging its socio-cultural aspects to deploying a three-pronged approach to fortify itself as a haven in the global tech arena. All of this however cannot and will not thrive without adequate measures to ensure robust law and policy regulating cyberspace.
Here again, Ireland has a strategic advantage with the multilevel regulation domestically with its own laws like the 2017 Act, 2011 Act, e-Privacy Regulation, etc. further enveloped with the European Union norms like the GDPR, European Union Payments Services Regulation, NISD Regulations, etc. giving it a robust defence system in its cybersecurity arsenal. Nonetheless, technological advances pace forward at dizzying speeds and so do cybersecurity breaches. Ireland must continue to think forward and strategically like it always has and endeavour to keep itself two steps ahead of the detractors to deter, prevent, prohibit and avert cybersecurity threats and attacks especially given the fact that it is one of the key regions handling global data.
With the National Cyber Security Strategy 2019-2024 (Link) the Irish government’s main objectives are to ensure the state can respond and manage incidents of threats, attacks, and even national security and protect its national cybersecurity infrastructure from cybersecurity attacks. Under this new plan, Ireland continues to make efforts to increase skills and improvise its legal and regulatory framework to ensure awareness and measures at the national, individual and enterprise levels.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: