This is an Insight article, written by a selected partner as part of GIR's co-published content.
General context, key principles and hot topics
1 Identify the highest-profile corporate investigation under way in your country, describing and commenting on its most noteworthy aspects.
The Corporate Enforcement Agency (CEA) has been investigating the Football Association of Ireland (FAI) in respect of well-documented financial issues, which were referred to the CEA by the FAI’s statutory auditors. Although An Garda Síochána (the Irish police force) has not launched a criminal investigation into the FAI, the CEA investigation continues. More recently, the CEA seized more than 280,000 documents from the FAI and was engaged in long-running High Court proceedings with the FAI regarding legal professional privilege claims asserted by the FAI’s former chief executive over certain of the seized documents. In May 2022, the High Court concluded its hearing regarding the disputed documents. The Court of Appeal has upheld the decision of the High Court, which was appealed by the former chief executive officer (CEO) of the FAI, and has granted the CEA access to documents that the former CEO had claimed were subject to legal professional privilege.
The CEA has traditionally faced challenges, particularly regarding the pace of progress in its investigations. White-collar crime investigations are typically complex and can take several years to complete; for example, the former charity Console was referred to the Director of Public Prosecutions (DPP) in May 2019. A pretrial hearing was scheduled for 2022 and the trial for January 2024. In this context, the Criminal Procedure Act 2021, which came into force on 28 February 2022, was a welcome development. The primary purpose of the Act is to provide for pretrial hearings, with the aim of reducing delays in complex economic crime prosecutions. The CEA has been active in investigating and prosecuting corporate offences in Ireland since its establishment and it is expected that it will continue to increase its activity in investigating corporate offences.
On 7 September 2022, the Taoiseach published the Commission of Investigation’s final report into the Irish Bank Resolution Corporation (IBRC) relating to a transaction involving the sale of building services group Siteserv to a company controlled by businessman Denis O’Brien at the height of the financial crisis. In summary, the report found that the sale of Siteserv was based on misleading and incomplete information provided by Siteserv to the IBRC and that the transaction was not commercially sound. This investigation into the IBRC by the Commission, connected to the collapse and subsequent winding down of Anglo Irish Bank plc, remains the highest-profile current corporate investigation in Ireland. When it was established, 38 transactions were within focus of the investigation, the Siteserv transaction being the first. The related trial of certain high-ranking banking executives concerning their conduct before the collapse was the longest criminal trial in the history of the state and resulted in penal sentences, which are rarely imposed in Irish business crime cases. This investigation is one of the most complex ever to have been carried out by the Garda National Economic Crime Bureau (GNECB) and concerns allegations of a €7.2 billion conspiracy to defraud.
Following the publication of the report, the Commission of Investigation recommended that it would serve no useful purpose to investigate the remaining 37 transactions covered by its terms of reference. In its final report, published in May 2023, the Commission recommended a number of reforms to the conduct of future investigations, given the substantial cost and time required, to ensure that future commissions effectively fulfil their statutory duty.
In March 2021, the Central Bank of Ireland (CBI) fined J&E Davy, Ireland’s largest stockbroker, €4.13 million for breaches arising from personal account dealing and for failing to comply with its regulatory obligations. The transaction in question was in respect of a 2014 bond deal in which a consortium of 16 senior J&E Davy staff members purchased, and subsequently sold, bonds from a client without disclosing that they were the purchasers. In March 2022, the GNECB confirmed it was undertaking a formal criminal investigation into the matter and this investigation remains ongoing.
2 Outline the legal framework for corporate liability in your country.
Corporations are separate legal entities and a company can be found liable for the criminal acts of its officers. Companies can be vicariously liable for the conduct of employees. When the doctrine of vicarious liability does not apply, the state of mind of an employee can be attributed to the company in circumstances in which the human agent is the ‘directing mind and will’ of the company, or when an individual’s conduct can be attributed to the company under the particular rule under construction. A company can also be guilty of a strict liability offence, which is an offence that does not require any natural person to have acted with a guilty mind, such as health and safety legislation infringements. The Criminal Justice (Corruption Offences) Act 2018 has also created a strict liability offence for companies in respect of corruption and bribery offences. Under section 18 of this Act, a corporate body can be guilty of a criminal offence if one of its officers, employees, agents, subsidiaries or persons purporting to act as such commits a corruption offence with the intention of obtaining or retaining business or an advantage for the company. The corporate has a defence if it can show that it took all reasonable steps and exercised due diligence.
3 Which law enforcement authorities regulate corporations? How is jurisdiction between the authorities allocated? Do the authorities have policies or protocols relating to the prosecution of corporations?
An Garda Síochána is the body with primary responsibility for the investigation and prosecution of crime in Ireland, with a specialist wing for dealing with complex economic crimes (the GNECB). Other law enforcement agencies, or regulators, with a focus on corporate offences and business crimes include (without limitation):
- the CEA, which monitors and prosecutes violations of Irish company law;
- the Office of the Revenue Commissioners, which is responsible for the collection, monitoring and enforcement of tax laws;
- the Competition and Consumer Protection Commission (CCPC), which is responsible for competition law and consumer protection and has been given new, increased enforcement powers under the Competition (Amendment) Act 2022;
- the Central Bank of Ireland (CBI), which regulates financial institutions and, with the Department of Enterprise, Trade and Employment and the Department of Foreign Affairs, is responsible for the supervision and enforcement of EU sanctions (restrictive measures);
- the Health and Safety Authority, which enforces occupational health and safety law; and
- the Data Protection Commission (DPC), which is responsible for data protection law.
Generally, regulatory bodies are empowered to prosecute only (some) summary (minor) offences. The Office of the DPP is responsible for prosecuting criminal offences on indictment (serious) and summary offences. The DPP has no investigative functions. Cases can be referred by the relevant investigatory body.
4 What grounds must the authorities have to initiate an investigation? Is a certain threshold of suspicion necessary to trigger an investigation?
This will depend on the statutory basis for the investigation. For the most part, investigations are initiated on the basis of a complaint alleging that an offence has been committed. Some bodies can only initiate investigations following receipt of a complaint alleging that an offence has been committed, whereas others, such as the GNECB, the CBI and the DPC, can initiate investigations on their own initiative. Different factors and thresholds are relied on by different bodies. The GNECB relies on a variety of factors, such as monetary loss, the international or cross-border significance and the complexity of the issues of law or procedure that arise. Between 1 January 2022 and 6 July 2022, the CEA received 77 complaints and directed 23 criminal charges against two separate individuals for offences, including fraud, theft and providing false information. At the time of writing, the CEA statistics for 2022–2023 have not been published.
5 How can the lawfulness or scope of a notice or subpoena from an authority be challenged in your country?
A challenge could be initiated in the Irish courts through judicial review proceedings. Sometimes a compromise can be reached with the law enforcement agency on the scope of the notice. In certain circumstances it may be possible to get an interim injunction preventing the exercise of the notice, subpoena or warrant, or preventing the authority from using information already obtained, unless and until the court determines that the instrument is valid and enforceable.
6 Does your country make use of cooperative agreements giving immunity or leniency to individuals who assist or cooperate with authorities?
Irish law does not recognise plea bargaining or cooperative agreements. The decision to prosecute is at the discretion of the DPP and the courts have discretion in imposing sentences within the statutory minimum and maximum periods. Different regulatory authorities have different regimes, however.
7 What are the top priorities for your country’s law enforcement authorities?
The Irish government has a renewed focus on tackling white-collar crime, particularly following the establishment of the CEA. The Criminal Procedure Act 2021, effective as of February 2022, should provide efficiencies in the trial process but, given its relatively recent implementation, this remains to be seen.
In its Strategy Statement for 2022–2025, the CEA outlined its main priorities for its first three years. The top priority is ensuring that it has a solid foundation on which to discharge its statutory mandate in an effective manner. In achieving this aim, it will prioritise building operational capability, effective advocacy and influencing, and operating effective systems of proportionate and dissuasive enforcement.
The CEA will focus on the establishment of governance structures and the recruitment of suitably qualified and experienced staff. One of the authority’s key powers, in contrast to its predecessor, is the ability to hire its own staff, such as forensic accountants and other specialist investigators.
The CBI’s enforcement priorities for 2024 include, among other things, taking enforcement action where it sees serious instances of consumer or investor harm from the behaviour or failings of firms and individuals, reforming the fitness and probity regime and individual accountability, the behaviour and culture of regulated entities, and money laundering and counter-terrorism financing compliance. In particular, the Central Bank (Individual Accountability Framework) Act 2023, which was enacted in March 2023, gives the CBI enhanced powers to supervise the conduct of senior individuals in regulated entities, including through wider enforcement powers.
8 To what extent do law enforcement authorities in your jurisdiction place importance on a corporation having an effective compliance programme? What guidance exists (in the form of official guidance, speeches or case law) on what makes an effective compliance programme?
It is vital for corporations to be seen to have an effective regulatory compliance and corporate governance programme. Under section 225 of the Companies Act 2014, company directors are required to include in their annual report a statement to confirm (1) the company’s policies in respect of compliance by the company with its relevant obligations under company law and tax law, (2) the putting in place of appropriate structures designed to secure material compliance with these obligations, and (3) that a review of the structures has taken place during the previous financial year. In addition, specific legislation imposes further obligations, such as Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (GDPR). Under the GDPR, companies are required to establish a data protection compliance programme informed by GDPR principles, including the appointment of a data protection officer, providing training to employees and conducting internal data audits and compliance reviews.
In terms of what constitutes an effective compliance programme, section 225 of the Companies Act 2014 provides that the structures put in place ‘shall be regarded as being designed to secure material compliance’ if these structures ‘provide a reasonable assurance of compliance in all material respects with those obligations’.
The Department of Finance published information on its own corporate governance framework in October 2019. This publication contains some commentary on what constitutes an effective governance framework. It notes that good corporate governance ‘ensures that a framework of structures, policies and processes are in place to deliver on these obligations, and it allows for an objective assessment of management and corporate performance’.
The Corruption Offences Act 2018 provides corporates with a defence to the corporate liability offence under the Act if they can show that they took all reasonable steps and exercised due diligence to avoid the commission of the offence.
9 Does your country regulate cybersecurity? Describe the approach of local law enforcement authorities to cybersecurity-related failings.
The European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 impose requirements on operators of essential services (OESs) and digital service providers (DSPs) to manage the risks to the security of network and information systems. OESs include operators within specified sectors, including energy, transport, banking, financial market infrastructure, health and digital infrastructure. DSPs are those who provide digital services, including online marketplaces, online search engines and cloud computing services. There is a centralised computer security incident response team in the Department of Communications, Climate Action and the Environment, which both OESs and DSPs must notify if there are incidents that have a significant or substantial effect on these services.
The Central Bank of Ireland (CBI) may take enforcement action against any financial service provider whose failings in cybersecurity cause it to breach its regulatory requirements. The CBI has previously imposed substantial fines on regulated entities who failed to demonstrate sufficient controls to mitigate against significant information technology disruptions, fraud and money laundering. It has indicated that ensuring adequate cybersecurity measures are in place for regulated entities remains a key priority for the regulator.
10 Does your country regulate cybercrime? What is the approach of law enforcement authorities in your country to cybercrime?
The Criminal Justice (Offences Relating to Information Systems) Act 2017 was the first Irish legislation to specifically address the issue of cybercrime. The Criminal Justice (Theft and Fraud Offences) Act 2001 also provides that it is an offence to use a computer with the dishonest intention of causing a loss to another person. Cybercrime is investigated by the Garda National Cyber Crime Bureau, a specialist division of An Garda Síochána.
In 2021, the Irish Health Service Executive was the victim of a serious ransomware attack. The investigation into the attack continues to be led by the Gardaí in collaboration with international law enforcement agencies, including Interpol and Europol.
Cross-border issues and foreign authorities
11 Does local criminal law have general extraterritorial effect? To the extent that extraterritorial effect is limited to specific offences, give details.
Ireland is bound by the European Union’s European Arrest Warrant Framework Decision, as implemented in Ireland by the European Arrest Warrant Act 2003, under which arrest and extradition is coordinated among EU Member States. Legal assistance can be requested and provided by Irish authorities to law enforcement in other jurisdictions under the Criminal Justice (Mutual Assistance) Acts 2008 and 2015; however, Ireland will only allow extradition in circumstances where (1) a person has been charged with an offence (i.e., not for the purpose of merely investigating a criminal offence), (2) the offence is not a political offence, and (3) the offence does not carry the death penalty.
Other examples of extraterritorial jurisdiction are set out below.
The Criminal Justice (Corruption Offences) Act 2018 prohibits bribery offences occurring outside Ireland in two circumstances: (1) if an Irish person or company does something outside Ireland that, if done within Ireland, would constitute an offence under the corruption legislation, that person is liable as if the offence had been committed in Ireland; and (2) if an offence under the corruption legislation takes place partly in Ireland and partly in a foreign jurisdiction, a person may be tried in Ireland for that offence. There is no requirement that the offending act should also be an offence in the foreign jurisdiction where the offending act took place.
The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) sets out specific circumstances in which an action can be taken for money laundering occurring outside Ireland. If an individual or a company engages in conduct in a foreign jurisdiction that would constitute a money laundering offence both under the Act and in that foreign jurisdiction, they can be prosecuted in Ireland. This extraterritorial jurisdiction may be exercised only if the individual is an Irish citizen, ordinarily resident in the state, or the body corporate is established by the state or registered under the Companies Act 2014.
Proceeds of crime
Under the Proceeds of Crime Act 1996 (as amended), the Irish High Court can make orders depriving a defendant of assets that are merely suspected of being the proceeds of crime, regardless of whether the defendant has been convicted of a criminal offence. ‘Proceeds of crime’ for the purposes of this Act means any property obtained or received at any time by, or as a result of, or in connection with criminal conduct. The definition of ‘criminal conduct’ is such that foreign criminality is covered by the scope of the Act where the proceeds are within the state and where the conduct is an offence under both Irish law and the law of the foreign jurisdiction.
12 Describe the principal challenges that arise in your country in cross-border investigations, and explain whether and how such challenges depend on the other countries involved.
For investigations by Irish regulators and law enforcement agencies, the foremost consideration will be whether there is an existing framework for cooperation between Ireland and the other jurisdiction (or jurisdictions). The Criminal Justice (Mutual Assistance) Act 2008, as amended, gives effect to international agreements that establish the existing legislative framework for the provision of mutual legal assistance.
Investigations by regulators or law enforcement and by corporations can also encounter difficulties owing to different legal standards; for example, data protection laws in some countries can restrict the flow of information out of the country, and different levels of protection for private data may restrict the possibility of transfer between the jurisdictions. Further, different rules can apply to matters such as the application of privilege and the constitutional protections owed to persons under investigation.
13 Does double jeopardy, or a similar concept, apply to prevent a corporation from facing criminal exposure in your country after it resolves charges on the same core set of facts in another? Is there anything analogous in your jurisdiction to the ‘anti-piling on’ policy as exists in the United States (the Policy on Coordination of Corporate Resolution Penalties) to prevent multiple authorities seeking to penalise companies for the same conduct?
A corporation cannot be prosecuted twice for the same or similar offences on the same facts following a legitimate acquittal or conviction by an Irish court or by a court of competent authority in a foreign jurisdiction. There must be identity between the foreign and domestic offences.
Typically, the principle does not apply until proceedings are concluded; however, under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended), no proceedings may be initiated in circumstances where an individual has been charged under that Act in the absence of consent from the Director of Public Prosecutions.
There is no anti-piling on policy in Ireland that prevents multiple enforcement authorities from taking action against an entity in relation to the same conduct; however, under section 33AT (1) of the Central Bank Act 1942 (as amended), when a financial services provider has been sanctioned for breaches of financial services legislation, if the breach would also constitute a criminal offence, the provider cannot be subject to further criminal prosecution.
14 Are ‘global’ settlements common in your country? What are the practical considerations?
It is possible for a domestic authority to reach a resolution as part of a coordinated approach with an overseas authority; however, if a party wishes to reach a settlement with authorities in another country or countries, it should be aware that such an agreement may not prevent Irish authorities from continuing to pursue a prosecution.
15 What bearing do the decisions of foreign authorities have on an investigation of the same matter in your country?
Investigations into similar matters in other jurisdictions are often the catalyst for investigations in Ireland. Irish authorities will usually try, and in certain instances may be obliged, to cooperate with foreign investigation authorities, and the exchange of information through appropriate channels can aid an investigation greatly. Ultimately, it will be a matter for the Irish authorities to determine whether and how to conduct their own investigations.
Economic sanctions enforcement
16 Describe your country’s sanctions programme and any recent sanctions imposed by your jurisdiction.
Sanctions imposed at an international level are implemented at a national level. Therefore, individuals and companies operating in Ireland should be aware of the restrictions imposed under Irish law that implement international sanctions. As a Member State of both the United Nations and the European Union, Ireland is required to observe and enforce UN Security Council sanctions and EU restrictive measures. The Department of Foreign Affairs (DFA), the Department of Enterprise, Trade and Employment (DETE) and the Central Bank of Ireland (CBI) are the competent authorities in Ireland and they will enforce sanctions imposed by either the European Union or the United Nations. If a breach of a specific sanction constitutes an offence under Irish law, this will be prosecuted by the Director of Public Prosecutions.
17 What is your country’s approach to sanctions enforcement? Has there been an increase in sanctions enforcement activity in recent years, for example?
Any regulated entity in Ireland could find itself subject to enforcement action in respect of policies and procedures around financial sanctions screening.
Sanctions enforcement activity has increased on account of the European Union being more proactive in imposing sanctions, particularly in light of the Russian invasion of Ukraine in February 2022. On 23 June 2023, the CBI published details of the 11th package of restrictive measures and sanctions adopted since the invasion. No enforcement settlements have been issued by the CBI to date specifically in respect of failures concerning a firm’s financial sanctions screening process.
18 Do the authorities responsible for sanctions compliance and enforcement in your country cooperate with their counterparts in other countries for the purposes of enforcement?
Yes. Sanctions imposed at an international level are implemented at a national level. The DFA, the DETE and the CBI will work with their counterparts in other jurisdictions to enforce sanctions imposed by either the European Union or the United Nations.
19 Has your country enacted any blocking legislation in relation to the sanctions measures of third countries? Describe how such legislation operates.
As a member of the European Union, Ireland is subject to the EU Blocking Regulation. The Regulation effectively nullifies the extraterritorial application of the US sanctions against Iran by (1) prohibiting compliance with any sanctions imposed by the United States, (2) preventing the enforcement of any judgment from a foreign court outside the European Union that gives effect to the sanctions, (3) requiring any EU person, natural or legal, to notify the European Commission of any effects that the sanctions may have on them, and (4) allowing any EU person to seek compensation for damage caused by the application of the sanctions.
20 To the extent that your country has enacted any sanctions blocking legislation, how is compliance enforced by local authorities in practice?
The Irish courts implement certain aspects of the EU Blocking Regulation by not enforcing or recognising any judgments that may be made outside the European Union. Further, the courts will allow EU persons to seek compensation in the Irish court system for any adverse effects caused by the application of US sanctions.
Under SI 217/1997 (European Communities (Extraterritorial Application of Legislation Adopted By a Third Country) Regulations), failure to comply with the EU Blocking Regulation is an offence and may be punished by a fine or up to 12 months’ imprisonment.
Before an internal investigation
21 How do allegations of misconduct most often come to light in companies in your country?
Allegations of misconduct will often be raised by whistleblowers, who are protected by the Protected Disclosures Act 2014, as amended by the Protected Disclosures (Amendment) Act 2022. Accordingly, great care must be taken not to violate these protections when allegations come to light in this way. Under the Central Bank (Supervision and Enforcement) Act 2013, there are specific whistleblower protections in relation to making disclosures to the Central Bank of Ireland (CBI) when breaches of financial services legislation may be in issue.
Thematic reviews are typically carried out by regulators; for example, the CBI often bases its investigations under the Administrative Sanction Procedure in the Central Bank Act 1942 (as amended) on matters identified during thematic reviews. Following enactment of the Central Bank (Individual Accountability Framework) Act 2023, the CBI has reviewed its administrative sanction procedure to reflect legislative changes. It is currently consulting on the proposed changes to the administrative sanction procedure.
Allegations of misconduct also come to light following complaints from members of the public; for example, between 1 January 2022 and 6 July 2022, the Office of the Director of Corporate Enforcement (now the Corporate Enforcement Agency) received 77 complaints. In 2021, the CBI received 16 formal complaints from members of the public.
When allegations arise through media reports, publicised litigation or other publicised external sources, there are more immediate public relations risks than when a matter arises internally.
There are specific legislative provisions that oblige persons to report information in relation to certain offences in certain circumstances. The Supreme Court upheld the enforceability of section 19 of the Criminal Justice Act 2011 (which sets out the offence of ‘withholding information’ and involves a mandatory reporting obligation in specific circumstances) in Sweeney v. Ireland  IESC 39. If a company is a regulated entity, it may be required to make certain disclosures to its regulator, or to self-report unintentional breaches or offences. Auditors have disclosure obligations, and misconduct coming to light during their engagement may trigger a reporting obligation. In early 2021, the European Court of Justice in DB v. Commissione Nazionale per la Società e la Borsa (Case C-481/19) confirmed that natural persons have the right to silence under EU law, particularly in administrative proceedings of a criminal nature. The implications of this judgment are potentially relevant in a number of Irish regulatory contexts, including under the CBI’s Administrative Sanctions Procedure and the Competition and Consumer Protection Commission’s enforcement regime.
22 Does your country have a data protection regime?
Ireland’s data protection regime mainly comprises Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (GDPR) and the Data Protection Acts 1988–2018 (the DP Acts). Within this regime, data controllers have a number of duties, including an obligation to process personal data (under the meaning of the GDPR and the DP Acts) fairly, and for data to be kept up to date and secure.
Additionally, the Criminal Justice (Offences Relating to Information Systems) Act 2017 gives effect to provisions of Directive 2013/40/EU on attacks against information systems, which introduced a number of criminal offences.
23 To the extent not dealt with above at question 9, how is the data protection regime enforced?
The Data Protection Commission (DPC) is responsible for monitoring the application of the DP Acts and the GDPR to protect the rights and freedoms of individuals in relation to processing.
The DPC has a number of investigative powers, including the power to conduct an audit, the power to compel individuals and companies to provide it with information and documentation, and the power to prohibit the transfer of personal data overseas.
Summary proceedings may be brought and prosecuted by the DPC. In relation to indictable offences, the DPC prepares a file and submits it to the Director of Public Prosecutions for consideration.
24 Are there any data protection issues that cause particular concern in internal investigations in your country?
The GDPR and the DP Acts restrict the use and disclosure of an individual’s data in Ireland. There are exceptions to the protection given under the DP Acts, but there is no specific exemption when an internal investigation is being carried out. Traditionally, companies have relied on consent to support internal investigations; however, the DP Acts now require that consent be freely given to be valid. The GDPR requires that a data subject can withdraw consent at any time. These factors make it difficult for employers, in the majority of circumstances, to rely on consent as a legal basis for processing data, albeit not impossible.
Companies should therefore seek an alternative lawful basis for processing in the context of internal investigations. The DP Acts allow for data to be processed if it is necessary for the purposes of legitimate interests pursued by the data controller, which can be the case for an internal investigation, but that needs to be balanced against the fundamental rights and freedoms and the legitimate interests of the data subject in question. Controllers should also pay special consideration to children’s data, to the extent that this is processed in the course of an investigation. The DPC has released guidance on fundamental principles to be considered when processing children’s data, and controllers should ensure that their reliance on legitimate interests to process data does not interfere with, conflict with, or negatively affect the best interests of the child.
Irish law recognises a broad ‘right to privacy’, which includes a right to privacy at work, and a person does not lose privacy and data protection rights simply by being an employee. Any limitation of an employee’s right to privacy should be proportionate to the likely damage to the employer’s legitimate interests. Where an employer intends to process personal data that arises outside the course of an employee’s ordinary role (e.g., personal data taken from social media), the existence, legal basis and reason for the processing should be disclosed to employees in advance of that processing taking place. This may be disclosed by way of an internal investigations policy or similar.
If an employer seeks to use ‘legitimate interests’ as the basis for processing data, an employee as data subject will have a right to object to that processing of their data. This right is not absolute and may be overridden by the employer having compelling reasons to process the data. The DPC has advised that controllers who intend to rely on their ‘legitimate interest’ as a legal basis for processing must first carry out a balancing test in each case to ensure that there is a ‘clear and proportionate justification’ for the processing. A record must be kept of this exercise. Companies must inform their employees of the right to object and should draft an internal investigation policy reflecting this balance. Employees should be notified of the possibility that an investigation might take place and, in particular, the ways in which their personal data might be processed in the context of an investigation. For new employees, this information should be provided when they join the company, but for existing employees, the provision of an updated internal investigation policy will be sufficient. Controllers should take care to ensure that access logs and other metadata associated with employees’ personal data are preserved, particularly in the context of contentious internal investigations, as data subjects may seek to exercise their right of access and such records are in scope for disclosure.
25 Does your country regulate or otherwise restrict the interception of employees’ communications? What are its features and how is the regime enforced?
Irish employers have the right to monitor employees’ communications; however, this is subject to the right to privacy that employees are afforded under both the Irish Constitution and the European Convention on Human Rights, as well as under data protection law. Any intrusion on an employee’s right to privacy must be proportionate to any likely damage caused to the employer’s legitimate interests.
When an employee wishes to enforce the right to privacy or believes that it has been infringed, the employee may do so by referring a dispute to the Workplace Relations Commission or by commencing proceedings in the courts. If the dispute involves an employee’s personal data, it may be possible to lodge a complaint with the DPC.
Dawn raids and search warrants
26 Are search warrants or dawn raids on companies a feature of law enforcement in your country? Describe any legal limitations on authorities executing search warrants or dawn raids, and what redress a company has if those limits are exceeded.
Search warrants and dawn raids are often used as part of investigations against companies, particularly by the Competition and Consumer Protection Commission and the Corporate Enforcement Agency. Both company premises and private homes of relevant persons can be searched on the basis of an appropriate warrant.
There are constitutional protections for persons subject to searches, particularly of private homes. Depending on the specific statute, a regulator or investigatory body would obtain a search warrant to enter a dwelling to conduct a search and to seize documents. There is a general requirement that there is some nexus between the investigation by the regulatory body of the offence in question and the dwelling in question. The body is only permitted to search the premises specified in the warrant and to seize items included within the terms of the warrant.
27 How can privileged material be lawfully protected from seizure during a dawn raid or in response to a search warrant in your country?
Privileged material is prima facie protected from examination by law enforcement or regulatory bodies. Specific statutes, such as the Companies Act 2014 and the Central Bank (Supervision and Enforcement) Act 2013, also provide for the protection of privileged information during investigations.
In practical terms, it can be difficult to determine during a seizure operation whether material is privileged, and sometimes the material will be isolated so that a claim of privilege can be assessed later.
The mechanism to assess whether privilege has been properly asserted must be set out in the legislation under which the search warrant is conducted.
28 Under what circumstances may an individual’s testimony be compelled in your country? What consequences flow from such compelled testimony? Are there any privileges that would prevent an individual or company from providing testimony?
There are various provisions of criminal, civil and administrative law that compel testimony. The Irish Constitution recognises a right to silence and the privilege against self-incrimination. Arrested suspects are brought into police custody for questioning under caution. The suspects should be cautioned that they have the right to maintain silence and that anything they say may be used in evidence; however, the Criminal Justice Act 1984 (as amended) provides that, in the case of arrestable offences (i.e., those for which a person can be imprisoned for five years or more), inferences can be drawn at trial from an accused’s silence.
The right to silence can be abridged by statute, most often in the context of regulatory investigations, meaning that answers can be compelled; however, Irish courts have frequently held that statements given under statutory compulsion (such as in connection with a regulatory investigation attracting a civil penalty) cannot be used against that person in subsequent criminal proceedings, whereas voluntary statements can.
Whistleblowing and employee rights
29 Describe the whistleblowing framework in your country. What financial incentive schemes exist for whistleblowers? What legal protections are in place for whistleblowers?
The Protected Disclosures (Amendment) Act 2022 (the 2022 Act) amended and extended the existing whistleblowing legislation in Ireland, the Protected Disclosures Act 2014. The purpose of the 2022 Act, which came into force on 1 January 2023, is to provide for the transposition of the EU Whistleblowing Directive into Irish law.
The 2022 Act places a new obligation on all private sector organisations with 50 or more employees to establish, maintain and operate internal reporting channels and procedures to make protected disclosures; however, organisations with between 50 and 249 employees (subject to certain exceptions) were able to avail of a grace period until 17 December 2023. The reporting channels and procedures may be operated internally by a designated person or department or can be provided externally by a third party on behalf of the employer.
When a worker makes a protected disclosure, the employer in question is prevented from dismissing or penalising the worker, taking an action for damages or an action arising under criminal law, or disclosing any information that might identify the person who made the disclosure. Notably, the 2022 Act reverses the burden of proof in penalisation claims, shifting it to the employer to prove that the act or omission was not as a result of the protected disclosure. Further, the Act extends the remedy of an injunction to acts of penalisation. If the employer were to dismiss or penalise a worker wholly or mainly as a result of having made a protected disclosure, the worker could be awarded up to five years’ remuneration, re-engagement or reinstatement by the Workplace Relations Commission (the employment tribunal in Ireland). Further, the 2022 Act creates a cause of action in tort for a person who suffers damage caused by reported false information.
30 What rights does local employment law confer on employees whose conduct is within the scope of an investigation? Is there any distinction between officers and directors of the company for these purposes?
As a general matter, employees have a constitutional right to fair procedures in any investigative or disciplinary process. This means that, among other things, employees must be kept apprised of the investigation and must be permitted to participate in the investigation, test the evidence and make points in their defence. The extent and scope of fair procedures and natural justice that must be afforded during a workplace investigation depends on the actual nature of the investigation and the potential consequences thereof.
The rights do not differ for officers and directors who are employees.
31 Do employees’ rights under local employment law differ if a person is deemed to have engaged in misconduct? Are there disciplinary or other steps that a company must take when an employee is implicated or suspected of misconduct, such as suspension or in relation to compensation?
Constitutional rights apply in an investigation and disciplinary process when a person is implicated or suspected of having engaged in misconduct.
Prior to a finding of misconduct being made, an investigation and disciplinary process should be carried out.
The disciplinary process should, at a minimum, follow the Workplace Relations Commission’s Code of Practice on Disciplinary and Grievance Procedures and the employer’s own procedures, and involve the following basic principles:
- Advance written notice of any allegations, and any supporting documentation and witness statements, should be provided to the employee.
- The employee should be invited, in writing, to an investigation meeting to discuss the allegations and to put forward a response.
- The investigation should go no further than to determine whether there is a sufficient factual basis to warrant a matter being put to a disciplinary hearing.
- Suspension should be imposed only after full consideration of the necessity for it pending a full investigation of matters. It may be justified if it is to prevent repetition of the conduct complained of or interference with evidence; to protect individuals at risk from such conduct; to comply with any regulatory rule applicable to the individual or the individual’s role; or to protect the employer’s business and reputation. Suspension must be on full pay and benefits, and for no longer than is reasonably necessary.
- Depending on the outcome of an investigation, the employee should be invited, in writing, to a disciplinary meeting to discuss the allegations and to put forward a response. Documents obtained during the investigation should be provided to the employee.
- The employee should be allowed to be accompanied by a colleague or trade union representative at any meetings.
- Any sanction must be proportionate and reasonable in the circumstances and should be confirmed in writing to the employee.
- A right of appeal to someone not previously involved should be provided.
- Unless the allegations are sufficient to constitute gross misconduct, the sanctions should progress from verbal warning to written warning to final written warning and then to dismissal. Summary dismissal will be permitted only when the circumstances genuinely constitute gross misconduct.
For dismissal for out-of-work misconduct to be deemed fair, there must be a genuine connection between the employee’s offence and the employment. The connection must be such that it leads to a breach of trust or causes reputational or other damage to the employer. In these circumstances, the employer should carry out its own internal investigation and disciplinary process (in accordance with the requirements set out above).
32 Can an employee be dismissed for refusing to participate in an internal investigation?
The extent to which an employer may take disciplinary action against an employee for failure to participate in an investigation will depend on the circumstances.
Commencing an internal investigation
33 Is it common practice in your country to prepare a document setting out terms of reference or investigatory scope before commencing an internal investigation? What issues would it cover?
There is no statutory requirement for such a document, but it would be considered general good practice. Depending on the circumstances, it may be useful to detail the purpose and scope of the investigation and to clarify the remit of the investigators’ role. Matters to cover might include:
- the structure and methodology of the investigation;
- a definition of the issues to be covered; and
- details of any engagement with legal counsel and related matters concerning privileged material.
If the investigation concerns employees of the company, it should go no further than gathering the relevant information or evidence to determine whether there is a sufficient factual basis to put particular allegations to a formal disciplinary hearing. The investigation should be carried out in accordance with any relevant internal procedures and not reach any factual conclusions on the evidence or decide whether the allegations are proved.
34 If an issue comes to light prior to the authorities in your country becoming aware or engaged, what internal steps should a company take? Are there internal steps that a company is legally or ethically required to take?
Depending on the severity of the issue, it would usually be prudent for a business to carry out a certain level of enquiry and investigation; however, a company should take care in carrying out any investigations, and in creating any reports, as it is possible that any such documents could be subject to disclosure in subsequent legal proceedings. A number of legislative provisions impose a positive obligation on persons (including businesses) to report wrongdoing in certain circumstances (e.g., Criminal Justice Act 2011, section 19), as do various provisions of financial services legislation (e.g., Central Bank (Supervision and Enforcement) Act 2013, section 38).
It is also essential that any wrongdoing ceases as soon as the company becomes aware of it, and that remedial measures are taken where appropriate. Care should be taken to preserve evidence of the wrongdoing, as a failure to do so could result in accusations of destruction of evidence, which can itself be an offence under certain legislation.
35 What internal steps should a company in your country take if it receives a notice or subpoena from a law enforcement authority seeking the production or preservation of documents or data?
It is advisable to immediately implement a ‘document hold’ by suspending deletion policies and circulating document retention notices.
The company should review the request and consider the power under which it is exercised, and in particular if the request is voluntary or mandatory. There are risks associated with releasing documentation, particularly when it might contain confidential or personal information, without being lawfully compelled to do so. External legal advice may be required in this regard.
An inventory listing the materials falling within the notice should also be prepared. The material should then be assessed for privilege. Copies of anything provided to the investigation authority should be retained.
36 At what point must a company in your country publicly disclose the existence of an internal investigation or contact from a law enforcement authority?
Privately owned companies are not required to publicly disclose the existence of internal investigations or contact from law enforcement. There may, of course, be commercial reasons for doing so (or not doing so) in any particular case.
Under the Irish Listing Rules, publicly listed companies on the Irish Stock Exchange (Euronext Dublin) must, without delay, provide to Euronext Dublin any information that it considers appropriate to protect investors. Euronext Dublin may, at any time, require an issuer to publish such information within the time limits as it considers appropriate to protect investors or to ensure the smooth operation of the market.
37 How are internal investigations viewed by local enforcement bodies in your country?
Internal investigations are considered part of good corporate governance. Companies operating in Ireland, however, can be subject to certain reporting obligations in respect of certain offences and, therefore, will be required to notify matters to law enforcement or regulators in certain circumstances; for example, persons with a ‘pre-approved control function’ are required to report breaches of financial services legislation and designated persons (including auditors, financial institutions and solicitors) have an obligation to report money laundering offences.
If criminal prosecution precedes an internal investigation, in general, internal disciplinary procedures are suspended to respect the individual’s right to silence.
38 Can the attorney–client privilege be claimed over any aspects of internal investigations in your country? What steps should a company take in your country to protect the privilege or confidentiality of an internal investigation?
Any requirement to disclose documents obtained through an internal investigation to the Irish authorities is qualified by legal professional privilege, of which there are two forms in Ireland:
- legal advice privilege, which applies to confidential communications between a lawyer and a client that are created for the sole or dominant purpose of giving or seeking legal advice; and
- litigation privilege, which applies to communications between a lawyer and a client made in the context of contemplated or existing litigation or regulatory action. It also covers communications with third parties, such as experts.
Litigation privilege is a broader form of privilege to assert in the context of an internal investigation, provided there is actual or contemplated litigation or regulatory action.
The main way to protect and preserve privilege is to involve lawyers in internal investigations at an early stage, although it should be noted that privilege cannot be asserted in respect of pre-existing documents after they have been created merely by involving lawyers. To ensure that existing privilege is not lost, it is important to limit the disclosure or sharing of privileged materials to only those persons who are authorised to seek or receive the privileged material. Legal advice should not be summarised or copied and shared by non-legal persons. If privileged materials need to be shared with third parties, it is important to ensure that appropriate confidentiality agreements are put in place to govern the disclosure to ensure that, as far as possible, privilege is not inadvertently waived or lost.
39 Set out the key principles or elements of the attorney–client privilege in your country as it relates to corporations. Who is the holder of the privilege? Are there any differences when the client is an individual?
Legal professional privilege applies equally to individuals and companies and can be waived only by the client. Under Irish law, the question of who is the client in a corporate context was considered in UCC v. ESB  IEHC 135, where it was held that if the client is a corporate body, it is necessary to consider whether the individual making the communication to the lawyer is a person engaged or employed to obtain or receive legal advice on behalf of the client.
40 Does the attorney–client privilege apply equally to in-house and external counsel in your country?
Yes, subject to the criteria for legal professional privilege being met. In-house counsel must be acting in the capacity of a legal adviser and not as an officer of the company; however, the position with regard to in-house counsel in the context of certain external matters is not straightforward and advice should be sought as a result of the decision of the European Court of Justice in Akzo Nobel Chemicals Ltd and Akcros Chemicals Ltd v. Commission (Case C-550/07 P).
41 Does the attorney–client privilege apply equally to advice sought from foreign lawyers in relation to investigations in your country?
The definition of ‘lawyer’ in Ireland extends to foreign lawyers. There does not appear to be any question about this and it is generally accepted that foreign legal advice is privileged to the extent that it fits Irish legal rules on privilege.
42 To what extent is waiver of the attorney–client privilege regarded as a cooperative step in your country? Are there any contexts where privilege waiver is mandatory or required?
Asserting legal professional privilege is a fundamental legal right and the fact of its assertion should not be held against a party; however, if the materials over which legal professional privilege is being asserted are central to any enforcement investigation (such as a party defending certain conduct on the basis that it was taken following legal advice), it may appear uncooperative to refuse to disclose those materials. In such a case, disclosure could, in fact, be in a party’s strategic interest. Any decision to waive privilege should be carefully considered as, once waived, legal professional privilege is lost. It is generally recommended that a waiver should be limited to those materials that are strictly necessary and should be made on a limited and specified basis; in other words, a general waiver of all legal professional privilege in respect of a particular matter is not advisable.
43 Does the concept of limited waiver of privilege exist in your jurisdiction? What is its scope?
It is possible to waive privilege on a limited basis; however, care should be taken as privilege can inadvertently be lost in such circumstances. The scope of the waiver should be clear, limited and in writing; furthermore, it is of utmost importance that confidentiality in the material should be maintained. Care should be taken when waiving privilege over documents that make reference to connected documents over which privilege is maintained. The Irish courts do not permit parties to ‘cherry-pick’ which privileged information they wish to disclose. In Quinn v. IBRC  IEHC 481, the court held that, in certain circumstances, a partial disclosure of privileged documents may create an unfair litigious advantage if a litigant retains privilege over other connected documents. Therefore, a partial disclosure can result in a wider waiver of privilege.
The Central Bank (Individual Accountability Framework) Act 2023 introduced a privilege ‘safe harbour’ for persons to voluntarily submit privileged material to the Central Bank of Ireland, for example in the course of an investigation, without such limited disclosure constituting a waiver of privilege as against other third parties.
44 If privilege has been waived on a limited basis in another country, can privilege be maintained in your own country?
If the waiver of privilege was appropriate, limited and restricted, it should not defeat the overall assertion of legal professional privilege; however, this will depend on the extent and nature of the waiver in each case.
45 Do common interest privileges exist as concepts in your country? What are the requirements and scope?
Common interest privilege does exist in Ireland. It is important that common interest privilege is expressly asserted and that the receiving third party is aware of the necessity of preserving privilege in the materials received.
46 Can privilege be claimed over the assistance given by third parties to lawyers?
Litigation privilege can be asserted regarding third-party communications where the dominant purpose of the communication is in anticipation of existing or contemplated litigation (which currently includes regulatory proceedings).
47 Does your country permit the interviewing of witnesses as part of an internal investigation?
Yes, and this is often an integral part of the fact-finding exercise of an investigation; however, the internal investigation would not be able to compel witnesses to attend, except to the extent that employees can be requested to cooperate in the context of their employment.
48 Can a company claim the attorney–client privilege over internal witness interviews or attorney reports?
Yes, where reports contain legal analysis, advice or conclusions, or are prepared with the dominant purpose of preparing for, or in contemplation of or in connection with, litigation or regulatory proceedings.
49 When conducting a witness interview of an employee in your country, what legal or ethical requirements or guidance must be adhered to? Are there different requirements when interviewing third parties?
It can be important that witnesses are informed of the nature of the interview, whether they are implicated in any wrongdoing and, crucially, of any possible consequences for them of the investigation process to preserve the ability to take appropriate action, if necessary, following or as a result of the investigation. It is important to point out that any lawyers present are acting for the company and not for the employee, who may, in some cases, have his or her own legal representation.
Existing employees have a greater right to fair procedures as they are more likely to face the possibility of an adverse outcome, such as dismissal; however, it is best practice to accord equal and fair procedures to all interviewees.
50 How is an internal interview typically conducted in your country? Are documents put to the witness? May or must employees in your country have their own legal representation at the interview?
It is good practice to ensure that any documents of relevance to the witness are put to them. ‘Interview by ambush’ is contrary to fair procedures and open to challenge, particularly by employees.
Employees have no statutory right to legal representation at witness interviews; however, if the employee or witness is, or may become, the subject of the investigation, the employer should consider advising the employee or witness to have legal representation to minimise the risk of a later legal challenge to the investigation process. If the person requests permission to have legal representation, the company should assess each case separately. It is generally considered prudent to permit such representation, or not to proceed in the absence of such representation.
Reporting to the authorities
51 Are there circumstances under which reporting misconduct to law enforcement authorities is mandatory in your country?
A number of legislative provisions impose a positive obligation on persons (including businesses) to report wrongdoing in certain circumstances. Most significantly, section 19 of the Criminal Justice Act 2011 provides that a person is guilty of an offence if he or she fails to report information that the person knows or believes might be of ‘material assistance’ in preventing the commission of, or securing the prosecution of another person in respect of, certain listed offences, including many corporate crimes. The disclosure must be made ‘as soon as practicable’, and a person who fails to disclose such information may be liable to a fine or imprisonment for up to five years, or both; however, the person considering making the report may need to make enquiries to be satisfied that a report is justified.
Other mandatory reporting obligations include the duties of:
- persons with a pre-approved control function to report breaches of financial services legislation;
- designated persons (such as auditors, financial institutions and solicitors) to report money laundering offences;
- auditors to report a belief that an indictable offence has been committed;
- auditors or persons preparing accounts to report theft and fraud offences; and
- all persons to report any offence committed against a child.
52 In what circumstances might you advise a company to self-report to law enforcement even if it has no legal obligation to do so? In what circumstances would that advice to self-report extend to countries beyond your country?
A company might be advised to self-report, in Ireland or overseas, to mitigate the risk of prosecution or any potential sentence that may be imposed by a court. There are no express provisions for immunity or leniency in prosecution under Irish law, but self-reporting can be considered a mitigating factor in sentencing. The Director of Public Prosecutions does have discretion to grant immunity in certain circumstances. Some regulatory regimes, such as the Central Bank of Ireland’s (CBI) administrative sanction procedure, also consider self-reporting as a mitigating factor affecting the level of sanctions. The list of sanctioning factors set out in the CBI’s Administrative Sanctions Guidance (published in 2019) includes ‘how quickly, effectively and completely the regulated entity brought the contravention to the attention of the CBI or any other relevant regulatory body’.
The exception is the Cartel Immunity Programme operated by the Competition and Consumer Protection Commission, which allows a member of a cartel to apply for immunity in return for cooperating with the Commission. Only the first member of a cartel to come forward can avail of the programme and must meet strict eligibility criteria.
In terms of extraterritorial self-reporting, an Irish company may self-report to authorities in other jurisdictions that have immunity or leniency programmes if the conduct in question could also be investigated or prosecuted by those authorities.
53 What are the practical steps needed to self-report to law enforcement in your country?
It is important that a company has considered its risks and, as far as possible, investigated the matter before making a report. A report can be made in writing, such as by letter to the appropriate authority, or by providing a written statement when attending a Garda station. The form and content of the report will depend on the specific circumstances of the matter, including, for example, whether the company might be implicated, or whether there are other legal, commercial or reputational issues to be considered. Data deletion policies should be suspended and relevant materials retained in case they are subsequently required in the context of an investigation or legal or regulatory proceedings.
Responding to the authorities
54 In practice, how does a company in your country respond to a notice or subpoena from a law enforcement authority? Is it possible to enter into dialogue with the authorities to address their concerns before or even after charges are brought? How?
Dialogue may start with the authority once a notice has been received and analysed; for example, the company may wish to address concerns such as the scope of the request, the legal basis or the deadline for compliance. It is important that care is taken with these types of communications, as they can set the tone for engagement with the authority and may be relevant for any subsequent court challenge or dispute that may arise.
55 Are ongoing authority investigations subject to challenge before the courts?
Yes, for example, through an application for judicial review. It is also possible to seek injunctions, typically on an interim basis, to protect legal rights while the underlying challenge is resolved.
56 In the event that authorities in your country and one or more other countries issue separate notices or subpoenas regarding the same facts or allegations, how should the company approach this?
Each request should be treated separately as the legal basis for the request is likely to be different. A request that may appear to compel disclosure of documents may not, in fact, have legal effect if it is from outside the jurisdiction and the procedures for compelling cross-border information (such as the procedures under the Criminal Justice (Mutual Assistance) Act 2008, as amended) are not engaged. It is generally not advisable to release information in the absence of lawful compulsion. Package disclosures are usually inadvisable, therefore, as documents that one agency has a legal right to obtain may not be within the compulsory power of another agency. That said, when requests are made by different authorities, it is important to have a consistent approach with regard to how requests are treated and what arguments are made to authorities.
57 If a notice or subpoena from the authorities in your country seeks production of material relating to a particular matter that crosses borders, must the company search for and produce material in other countries to satisfy the request? What are the difficulties in that regard?
The appropriate response will depend on the nature of the request and the relationship between the company that is subject to the request and the entities holding the documents across borders. If the company in receipt of the request has the power to compel production, such as from a branch or subsidiary, it may be required to do so; however, generally, the entity to which the request is addressed will be the only body with an obligation to respond.
58 Does law enforcement in your country routinely share information or investigative materials with law enforcement in other countries? What framework is in place in your country for cooperation with foreign authorities?
In terms of formal cooperation mechanisms, the Criminal Justice (Mutual Assistance) Act 2008 gives effect to 12 international agreements that establish the existing legislative framework for the provision of mutual legal assistance. The Criminal Justice (Mutual Assistance) (Amendment) Act 2015 gives effect to a further six international instruments not provided for by the 2008 Act. This has enhanced the already significant level of cooperation between Ireland and other EU Member States. Cooperation with third countries (those outside the European Economic Area) is dependent on their ratification of relevant international agreements or the existence of a mutual assistance treaty agreed between them.
The transposition of the EU Fourth Money Laundering Directive into Irish law has also led to further enhanced international cooperation, as the Directive requires information to be shared between competent national authorities, including the creation of a central register of beneficial owners of entities.
59 Do law enforcement authorities in your country have any confidentiality obligations in relation to information received during an investigation or onward disclosure and use of that information by third parties?
There is no generally applicable statutory obligation on the police to keep information received during an investigation confidential.
Irish law does recognise a broad ‘right to privacy’, which is protected by the Irish Constitution, the EU Charter of Fundamental Rights and the European Convention on Human Rights. Further, data protection is regulated in Ireland primarily by the Data Protection Acts 1988–2018 (the DP Acts), which reflect EU data protection laws. The police are subject to the same obligation under the DP Acts as all data controllers, within the meaning of the DP Acts, when processing personal data. There are exceptions to the rules set out in the DP Acts, including where the processing is required to investigate or prevent an offence.
Whistleblowers are protected from identification by the Protected Disclosures Act 2014, as amended by the Protected Disclosures (Amendment) Act 2022. Accordingly, great care must be taken not to violate these protections when an investigation involving whistleblower information is under way; however, the identity of whistleblowers can be disclosed to prevent a crime or to aid in the prosecution of a criminal offence.
60 How would you advise a company that has received a request from a law enforcement authority in your country seeking documents from another country, where production would violate the laws of that other country?
In such circumstances, it would usually be prudent to advise the company not to provide the documents; however, the company should ensure that it is not violating any laws in its own jurisdiction by doing so. The company should inform the requesting authority of the basis for the decision to refuse the request for documents.
61 Does your country have secrecy or blocking statutes? What related issues arise from compliance with a notice or subpoena?
The DP Acts regulate data protection in Ireland and protect the personal data of individuals from disclosure in certain circumstances. The transfer of data outside Ireland is restricted but there is no outright ‘block’ preventing all transfers. The main implication of Irish data protection law is that companies may be reluctant to release materials in the absence of a legal obligation.
Further, care should be taken when releasing documents that relate to any type of contractual relationship, as there may be confidentiality terms in the contract or engagement terms that could be violated by the disclosure. A party should always be mindful that if it releases information without being compelled to do so, it is not protected from claims that it has breached Irish data protection legislation or from breach of confidence claims.
62 What are the risks in voluntary production versus compelled production of material to authorities in your country? Is this material discoverable by third parties? Is there any confidentiality attached to productions to law enforcement in your country?
A company may be in breach of the DP Acts if it releases materials that contain personal data in the absence of lawful compulsion, and may also be in breach of confidence if it releases confidential material without being compelled to do so. There may also be other contractual consequences for a company releasing certain materials voluntarily. There is no automatic confidentiality attached to materials disclosed to law enforcement, unless restrictions have been agreed to that effect. Accordingly, material provided to authorities voluntarily may be shared with other authorities or used for purposes other than the initial basis of the request. Materials obtained on the basis of a compulsory power are subject to greater protections; however, once material is in the possession of an authority, there is nothing to prevent a third party from seeking the material, such as through a non-party discovery order.
Prosecution and penalties
63 What types of penalties may companies or their directors, officers or employees face for misconduct in your country?
Irish criminal legislation typically provides for monetary fines or terms of imprisonment for offences. Given the nature of corporate entities, the most common form of sanction is a fine; however, although less common, Irish legislation also provides for specific remedies, such as compensation orders and adverse publicity orders under health and safety legislation.
Common sanctions in the context of business crime are restriction and disqualification orders. Under section 839 of the Companies Act 2014, if a person has been convicted of an indictable offence in relation to a company, or convicted of an offence involving fraud or dishonesty, that person may not be appointed or act as an auditor, director or other officer, receiver, liquidator or examiner, or be concerned in any way, whether directly or indirectly, or take part in the promotion, formation or management of any company for a period of five years by default, but potentially longer should the court see fit.
64 Where there is a risk of a corporate’s suspension, debarment or other restrictions on continuing business in your country, what options or restrictions apply to a corporate wanting to settle in another country?
Under the EU Public Sector Procurement Directive (2014/24/EU) (transposed into Irish law by the European Union (Award of Public Authority Contracts) Regulations 2016 (the Regulations)), companies must be excluded from public procurement for a specific period when they have been convicted of certain offences. The Regulations also provide for offences that carry discretionary debarment. These include offences under EU law, meaning that a company should take care when settling charges in another country, as doing so could, depending on the offence, trigger these exclusion rules.
The Regulations enable companies to recover eligibility to bid for public contracts by demonstrating evidence of ‘self-cleaning’, such as the payment of compensation to the victim, clarification of the facts and circumstances of the offence, cooperation with the investigating authority and the implementation of appropriate measures to prevent further criminal offences or misconduct.
65 What do the authorities in your country take into account when fixing penalties?
Sentencing of corporate crimes is largely a function for the courts. If a business is found guilty of an offence, a wide range of factors may be taken into account at the discretion of the court. Mitigating factors include whether the company ceased committing the criminal offence on detection or whether there were further infringements or complaints; whether remedial efforts to repair the damage caused were made by the company; the existence of a compliance programme; and whether the company itself reported the infringement before it was detected by the prosecuting authority. Additionally, in imposing any sentence, the court must comply with the principle of proportionality as set out in People (DPP) v. McCormack  4 IR 356.
Certain sanctions, such as those available to the Central Bank of Ireland under the Administrative Sanction Procedure, or the Competition and Consumer Protection Commission in connection with cartels, can be expressed as a percentage of turnover.
Resolution and settlements short of trial
66 Are non-prosecution agreements or deferred prosecution agreements available in your jurisdiction for corporations?
No. There has been some consideration of these types of arrangements at policy level; for example, the Law Reform Commission recommended in its Report on Regulatory Powers and Corporate Offences (published on 23 October 2018) that deferred prosecution agreements (DPAs) be introduced, based on the UK model, which are subject to court approval; however, in December 2020, a report prepared by a review group chaired by former Director of Public Prosecutions James Hamilton, tasked with assessing the strategies and structures for investigating and penalising economic crime, refused to recommend DPAs in Irish law.
67 Does your jurisdiction provide for reporting restrictions or anonymity for corporates that have entered into non-prosecution agreements or deferred prosecution agreements until the conclusion of criminal proceedings in relation to connected individuals to ensure fairness in those proceedings?
Neither non-prosecution agreements nor DPAs are available in Ireland.
68 Prior to any settlement with a law enforcement authority in your country, what considerations should companies be aware of?
It is possible to enter into a settlement with some regulatory authorities in prescribed circumstances.
Generally, any company considering entering into a settlement with a regulatory or enforcement authority should balance the seriousness of the charge, the scope of a conviction and the strength of the case against it against the terms of the settlement, such as the quantum of any fine and whether there is publicity associated with the settlement.
69 To what extent do law enforcement authorities in your country use external corporate compliance monitors as an enforcement tool?
The use of external corporate compliance monitors is not an enforcement tool used by Irish law enforcement authorities.
70 Are parallel private actions allowed? May private plaintiffs gain access to the authorities’ files?
A defendant may be subject to simultaneous civil and criminal proceedings arising out of the same set of circumstances. Although there is no obligation on the courts to do so, civil proceedings are commonly adjourned pending the outcome of related criminal proceedings. As there are different burdens of proof in civil and criminal matters, the outcome of civil and criminal proceedings will not necessarily be the same. It is also possible, although rare, for individuals to initiate private criminal prosecutions by issuing a summons pursuant to the Petty Sessions (Ireland) Act 1851 in certain limited circumstances.
Authorities are not obliged to disclose their files to such persons unless a particular file is generally open to the public or a court order has been obtained.
Publicity and reputational issues
71 Outline the law in your country surrounding publicity of criminal cases at the investigatory stage and once a case is before a court.
The Irish judiciary is extremely protective of an accused’s right to a fair trial and will prohibit or stay a trial if necessary. This sometimes occurs in respect of high-profile cases when the extent of publicity affects the ability of the defendant to have a fair jury trial. An example of this is the trial of a high-profile former chairman of Anglo Irish Bank, which was initially adjourned in 2015, owing to concerns about adverse publicity surrounding the trial.
Reports that undermine legal proceedings can amount to contempt of court. Further, any reporting that goes beyond a faithful account of the court proceedings could give rise to defamation claims.
Under court rules introduced by the Data Protection Act 2018, an accredited member of the press may access documents that are ‘opened’ in court (i.e., read out in court by a lawyer or by the judge) and those that are ‘deemed to have been opened’ at a hearing before the court (i.e., documents that the judge has read in chambers and does not require the parties to formally open in court).
72 What steps do you take to manage corporate communications in your country? Is it common for companies to use a public relations firm to manage a corporate crisis in your country?
In larger companies, corporate communications are generally managed by a team of marketing professionals, and it is common for companies to employ public relations companies when there is a risk of negative publicity.
73 How is publicity managed when there are ongoing related proceedings?
It is important that any public statements issued by a company do not potentially prejudice ongoing criminal proceedings or investigations. Statements issued by a company in such circumstances should be brief, factual and approved by the company’s legal advisers. Care should also be taken that no comments are made that potentially identify any persons, as there could be a risk of defamation proceedings if the statement incorrectly implies that a person has committed any wrongdoing.
Duty to the market
74 Is disclosure to the market in circumstances where a settlement has been agreed but not yet made public mandatory?
Publicly listed companies on the Irish Stock Exchange must, without delay, provide to Euronext Dublin any information that it considers appropriate to protect investors. Euronext Dublin may, at any time, require an issuer to publish such information within the time limits it considers appropriate to protect investors or to ensure the smooth operation of the market.
Environmental, social and corporate governance (ESG)
75 Does your country regulate ESG matters?
ESG has become an area of increased importance in Ireland. In particular, within the financial services industry, the Central Bank of Ireland has indicated that it is an area of focus and has outlined its supervisory expectations of regulated firms, in particular firms’ compliance with climate and wider ESG-related requirements.
Directive (EU) 2022/2464 of 14 December 2022 (the Corporate Sustainability Reporting Directive (CSRD)) came into force on 5 January 2023, replacing the former Non-Financial Reporting Directive regime and considerably expanding both the scope of entities to which the reporting obligations apply and the extent of the required disclosures. Under the CSRD, in-scope companies will be required to report extensive sustainability information in a dedicated section of their annual report in accordance with EU sustainability reporting standards. The disclosures under CSRD will need to be audited by an external auditor (initially to a limited assurance standard but it is expected that the standard will increase to a full audit in the future).
The CSRD must be transposed into the national laws of EU Member States by July 2024; it is expected that the Irish implementing regulations will be published by the end of 2023. The sanctions for breaches of the reporting obligations will be set out in the national implementing law. It is expected that the Irish Auditing and Accounting Supervisory Authority will have responsibility for regulating the CSRD sustainability reporting of entities that are subject to Directive 2004/109/EC of 15 December 2004 on the harmonisation of transparency requirements in relation to information about issuers whose securities are admitted to trading on a regulated market (the Transparency Directive) (i.e., entities with debt or equity listed on an EU-regulated market) and other public interest entities (broadly, EU-regulated insurance undertakings and credit institutions).
The Disclosure of Non-Financial Information Regulations 2017 (SI 360/2017) transposed Directive 2014/95/EU (the Non-Financial Reporting Directive) into Irish law and require directors of any company with more than 500 employees to:
- submit for each financial year a non-financial statement explaining the company’s development, performance and position and the effects of its activity relating to environmental, social, human rights, and bribery and corruption matters; and
- include in its corporate governance statement a diversity report on the company’s diversity policy and its implementation and results.
Regulation (EU) 2019/2088 (the Sustainable Finance Disclosure Regulation):
- requires financial market participants and financial advisers to disclose 15 different ESG considerations on their websites, and in their remuneration policies and pre-contractual disclosures, including:
  - the principal adverse effects of investment decisions on sustainability issues;
  - the company’s considerations of ESG and sustainability risks; and
  - additional product-specific obligations where financial products promote environmental sustainability or have sustainable investment as their core objective; and
- introduces additional disclosure requirements for existing financial services legislation, including Directive 2011/61/EU on Alternative Investment Fund Managers, Directive 2009/65/EC on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS), Directive 2009/138/EC on the taking up and pursuit of the business of insurance and reinsurance (Solvency II), Directive (EU) 2016/97 on insurance distribution and Directive 2014/65/EU on markets in financial instruments (MiFID II).
Regulation (EU) 2020/852 (the Taxonomy Regulation) requires financial market participants to disclose in pre-contractual disclosures and public reports:
- how certain financial products and their underlying investments in economic activities qualify as ‘environmentally sustainable’ under this Regulation; and
- in non-financial undertakings, the proportion of their turnover derived from environmentally sustainable products and services, and the proportion of their capital and operating expenditure relating to assets or processes associated with environmentally sustainable activities.
Regulation (EU) 2018/2089 (the Low Carbon Benchmark):
- requires benchmark administrators to include details of how they incorporate ESG factors in their benchmark methodologies and statements; and
- extends the period for national authorities to compel benchmark administrators to publish a critical benchmark from two years to five years.
76 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address ESG matters?
Key legislative changes expected in coming years include a regulation introducing a European green bond (EU GBS). On 28 February 2023, the European Parliament and European Council reached a provisional agreement on the EU GBS proposals. The agreement still needs to be confirmed by the Council and Parliament, and adopted by both institutions before it is final. The agreement will apply 12 months after its entry into force.
Another key legislative change will be the proposed Corporate Sustainability Due Diligence Directive (CSDDD), once finalised. The CSDDD proposal is currently being negotiated at the EU level, with a final Directive not expected before the end of 2023. Once adopted, Member States will have two years to transpose it into national law. The CSDDD is one prong in the European Union’s programme to increase its regulatory focus on environmental and human rights due diligence through the implementation of measures that companies can take to prevent or reduce the adverse effects of a company’s organisational structure or its supply or value chain on human rights and environmental concerns. In-scope companies will be required to identify and, where necessary, prevent, end or mitigate any adverse effects of their activities on human rights and on the environment. Adverse effects include, but are not limited to, human rights issues such as forced labour, child labour, inadequate workplace health and safety conditions, and environmental effects such as pollution and ecosystem degradation.
77 Has there been an increase in ESG-related litigation, investigations or enforcement activity in recent years in your country?
So far there has been limited ESG-related litigation in Ireland but this may change following two developments. Ireland is set to implement Directive (EU) 2020/1828 (the Representative Actions Directive) by way of the Representative Actions for the Protection of the Collective Interests of Consumers Act 2023. Once enacted, the Act will introduce collective injunctive and redress measures for consumers for the first time. The Irish courts may also be receptive to ESG-related litigation following the Supreme Court decision in Friends of the Irish Environment CLG v. The Government of Ireland & Ors  IESC 49, in which the Supreme Court quashed the Irish government’s statutory plan for tackling climate change and held that climate change is already having a profound environmental and societal effect in Ireland.
78 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address corporate misconduct?
The Corporate Enforcement Authority (CEA) is tasked with combating business crime and suspected breaches of company law. The CEA’s strategy for 2022–2025 is based on three strategic pillars:
- embedding governance structures, building operational capability and establishing presence;
- effective advocacy and influencing; and
- operating effective systems of proportionate, robust and dissuasive enforcement.
The Central Bank (Individual Accountability Framework) Act 2023 (the IAF Act) partly came into force on 19 April 2023; the remaining sections are due to commence on 29 December 2023. The long-anticipated Act introduces the Senior Executive Accountability Regime (SEAR) into the financial services sector. The IAF Act, among other things, signals a change in law in respect of the Central Bank of Ireland’s fitness and probity investigations, suspensions and prohibitions. Sections 3 to 6 and 10 of the Act, which deal with the SEAR, the conduct standards and the certification process, will be commenced from 29 December 2023. The SEAR is designed to improve accountability for individuals in Ireland by imposing conduct standards directly on individuals performing controlled functions, and an increased duty of responsibility on individuals performing senior executive functions. Further, non-compliance with these standards may give rise to potential enforcement directly against senior executives in the sector.
Karen Reynolds is a partner and Connor Cassidy is a senior associate at Matheson.