A short profile of Article Eight Advocacy is available below, followed by more detailed notes about our activities and our people. Relevant media files will be added when available.

Article Eight Advocacy is an independent not for profit organisation which advocates for data subject rights in Ireland. We support data subjects by using all the tools available to us to ensure their fundamental right to protection of their personal data is respected.

We do this by providing easy to understand information on what data protection means for individuals on our website, submitting complaints to the Data Protection Commission on behalf of individuals and managing the progress of these, initiating litigation where necessary, and carrying out research to uncover misuses of personal data.



It’s fifty years since the first data protection law in Europe was introduced in the German state of Hesse. It’s ten years since the European Union Charter of Fundamental Rights came into effect and established the right to protection of one’s personal data as a distinct fundamental right.

The General Data Protection Regulation introduced a specific mechanism which gives an individual “the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data” (Article 80 GDPR) to lodge complaints with a supervisory authority (Article 77 GDPR), to exercise the individual’s right to an effective judicial remedy against a supervisory authority (Article 78 GDPR) and to exercise the individual’s right to an effective judicial remedy against a controller or processor (Article 79 GDPR).

Some examples of this mechanism being used across Europe include:

  • Norway’s Forbrukerradet (The Norwegian Consumer Council) lodged complaints against a number of data controllers (Grindr, Twitter’s MoPub, AT&T’s AppNexus, OpenX, AdColony and Smaato) with the Norwegian Data Protection Authority in January 2020 [Announcement; Select Coverage: The New York Times, The Guardian, CBS, BBC, The Times, RTE, The Irish Times, Consumer Reports]
  • Vienna-based None of Your Business (NOYB) lodged complaints in May 2018 against four data controllers with supervisory authorities in Austria, Belgium, France, and Germany, resulting in a €50 million fine being imposed on Google which is being appealed [Press Release (PDF); Select coverage: Financial Times, The Register, The Irish Times]
  • In January 2019 NOYB lodged complaints against eight data controllers (Amazon, Apple, DAZN, Flimmit, Netflix, SoundCloud, Spotify and YouTube) with supervisory authorities in Austria, Berlin, Ireland, Luxembourg, the Netherlands, Sweden and the United Kingdom [Announcement; Select coverage: Reuters, Telegraph, TechCrunch]
  • In November 2018, Privacy International filed complaints against seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) with data protection authorities in France (CNIL), Ireland (DPC) and the UK (ICO). As a result of this complaint the DPC announced a statutory inquiry into Quantcast. [Privacy International Press Release; Select coverage: The Register, Fortune]

Given Ireland’s prominence as a location for large transnational technology companies, there has been a surprising lack of civil society activity in this area. Digital Rights Ireland and, more recently, the Irish Council for Civil Liberties are the only advocacy organisations which have involved themselves heavily with these issues. Article Eight Advocacy will complement their efforts.

The ability for individuals to seek judicial remedy against data controllers and processors independent of the involvement of the supervisory authority has gone mostly unnoticed in broader media coverage of the reforms and updates which the GDPR brought to data protection in Europe.

“Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.” (Article 79 GDPR)

The significantly increased workload of the Data Protection Commission of Ireland, combined with ongoing resourcing and funding issues, has led to well-publicised delays in the conclusion of investigations and hence in access to remedies for data subjects. Where appropriate, Article Eight Advocacy will use the mechanism provided by Article 79 and engage in litigation to ensure the fundamental rights of individuals are vindicated.

Real harm to individuals is caused by controllers failing to comply with their data protection obligations. The GDPR allows individuals to seek compensation for material and non-material damage.

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” (Article 82 GDPR)


Loughlin O’Nolan

Loughlin O’Nolan has worked in a variety of roles in different areas of the technology industry over the past two decades, from website development through core mobile network software to online games and mobile content delivery. He edits the (somewhat) popular Cat Herder email newsletter, subtitled ‘Cautionary Data Protection Tales From Around The World’. A graduate of Trinity College Dublin, he holds postgraduate qualifications in international marketing from the Dublin Institute of Technology (now Technological University Dublin) and in data protection from University College Dublin.

Cassie Roddy-Mullineaux

Cassie Roddy-Mullineaux is an Irish qualified solicitor (non-practising) with an interest in data protection and technology law. She previously trained and worked with William Fry, as well as with Irish Life on its GDPR Readiness Project. Cassie is completing an LLM at the Irish Centre for Human Rights, Galway where, as part of the Centre’s Human Rights Clinic, she is involved in the ‘’ project, an initiative to create an online resource to help survivors of historical and institutional abuses in Ireland use the GDPR to access their personal data. Cassie is also the Women’s Section Editor of STAND News.

Gavin Sheridan

Gavin Sheridan has been a blogger since 2002 and a right to information advocate and activist since filing his first FOI request in 2009. He is part of the team behind,, Storyful (acquired by News Corp), and founded Vizlegal – a legal information startup. At, Gavin pioneered the use of Freedom of Information law in new ways, resulting in multiple significant decisions by the Information Commissioner, the High Court, and the Supreme Court. These cases included the ultimate release of the “Trichet Letters” in 2014 and the designation of the National Asset Management Agency (NAMA) as a public authority for the purposes of the Access to Information on the Environment (AIE) Regulations in the Supreme Court.


FP Logue Solicitors

Our legal advisors are FP Logue Solicitors. FP Logue Solicitors is a law firm specialising in data protection and information law. They have extensive experience advising and representing a broad range of clients in relation to data protection matters, including individual data subjects, commercial businesses, charities and advocacy groups.