API Terms of Use (Ireland)

An API Terms of Use in Ireland sets the service levels, data-handling duties, fees, and liability terms under which the technology or platform is supplied, and takes its legal force from the Electronic Commerce Act 2000. It defines the service scope, SLA, pricing, data-protection duties, and liability allocation between provider and customer.

API Terms of Use in Ireland are governed by the general law of contract and several key statutes. The Electronic Commerce Act 2000, implementing the EU Electronic Commerce Directive (2000/31/EC), is of particular relevance because API Terms of Use are typically concluded electronically — through a developer portal registration, an API key request, or an online acceptance mechanism. The Act gives legal recognition to electronically concluded contracts and specifies the information that online service providers must make available to users. Section 9 of the Act requires online commercial service providers to make certain information easily, directly, and permanently accessible to users — including the provider's legal name, geographic address, electronic mail address, and VAT registration number. An API provider operating from Ireland must confirm that this information is prominently displayed on its developer portal.

The Copyright and Related Rights Act 2000 (the "Copyright Act 2000") is relevant to API Terms of Use because the API, the underlying software, and any data accessible through the API may be protected as copyright works. The API provider retains copyright in the software implementing the API, in any original documentation, and in any proprietary data accessible through the API. The API Terms of Use govern the scope of the licence granted to developers to use these copyright-protected materials.

The General Data Protection Regulation (GDPR) and the Data Protection Acts 1988–2018, enforced by the Data Protection Commission (DPC), impose obligations on API providers and developers who use APIs to process personal data. Ireland is the European headquarters of many major technology companies, and the DPC is the lead supervisory authority for many of these companies' EU operations. The DPC has published guidance on the use of APIs in the context of open banking (under the Payment Services Directive 2), social media APIs, and third-party data access, and Irish API providers should be familiar with the DPC's positions on key data protection issues arising in the API context.

The Competition and Consumer Protection Commission (CCPC) may have an interest in API Terms of Use where they affect competition — for example, where API access restrictions are used to foreclose competitors from integrating with a dominant platform. Developers who believe that API access restrictions are anti-competitive should consider whether a complaint to the CCPC or the Competition Authority is appropriate.

The Payment Services Directive 2 (PSD2), transposed in Ireland by the European Union (Payment Services) Regulations 2018 (S.I. No. 6 of 2018), introduced mandatory open banking API requirements for account servicing payment service providers — requiring banks and credit institutions to provide secure access to customer payment account information and payment initiation services through standardised APIs. Irish banks must comply with the European Banking Authority (EBA) Regulatory Technical Standards on strong customer authentication and secure communication (RTS on SCA and CSC). The Central Bank of Ireland, as the competent authority for payment services regulation in Ireland, oversees compliance with PSD2 API requirements. Businesses building fintech products that integrate with open banking APIs in Ireland must comply with PSD2 licensing requirements and must enter into API access agreements with account servicing institutions that satisfy the RTS requirements.

The Network and Information Security (NIS) Regulations 2018 (S.I. No. 360 of 2018) impose cybersecurity obligations on operators of essential services and digital service providers in Ireland. API providers that qualify as digital service providers — including online marketplace operators, online search engine operators, and cloud computing service providers — must implement security measures and report significant incidents to the National Cyber Security Centre (NCSC). The forthcoming NIS2 Directive will extend these obligations to a broader range of sectors and organisations. API Terms of Use should address the provider's security practices and incident notification obligations under the NIS Regulations.

Irish API Terms of Use are needed by any organisation that provides third-party developers with programmatic access to its platform, data, or services through an API. The terms are needed regardless of whether the API is provided as a commercial product, as a free developer tool, or as part of a broader software integration programme.

You need API Terms of Use when you are: operating a platform or SaaS product and offering a public or private API that allows third-party developers to build integrations, apps, or extensions; providing a data API that gives developers access to your proprietary data, content, or analytics; operating an open banking or payments API under the Payment Services Directive 2 (PSD2), transposed in Ireland by the European Union (Payment Services) Regulations 2018 (S.I. No. 6 of 2018), or the European Banking Authority Regulatory Technical Standards on Strong Customer Authentication (Commission Delegated Regulation (EU) 2018/389); running a developer programme that allows third parties to build on top of your platform; or allowing enterprise customers or business partners to integrate their own systems with yours through an API connection.

Without API Terms of Use, an API provider has no contractual basis for controlling how developers use the API, protecting its intellectual property, limiting its liability, or terminating access in the event of misuse. Without clear terms, developers may argue that they are entitled to use the API for any purpose — including building competing products, harvesting data at scale, or reselling API access to third parties.

API Terms of Use are also needed for GDPR compliance. Ireland is the European headquarters of many major technology companies, and the Data Protection Commission (DPC) — whose enforcement decisions carry pan-EU significance as lead supervisory authority under Article 56 GDPR — has been active in scrutinising data flows through third-party API integrations. The DPC has issued substantial fines against major technology companies for failures in their data processing frameworks. Where the API provides access to personal data, appropriate data processing agreements meeting the requirements of Article 28 GDPR must be in place between the API provider and developers who process personal data through the API. Failure to have such written agreements in place is itself a GDPR violation that can result in enforcement action. API providers should confirm that their Terms of Use incorporate the Article 28 GDPR data processing agreement terms, or require developers to sign a separate DPA as a condition of API access.

For fintech and open banking APIs regulated under PSD2, the Central Bank of Ireland is the competent authority overseeing Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs). As at 2024, the Central Bank had authorised/registered multiple PISPs and AISPs operating in Ireland. Operators of open banking APIs must confirm their Terms of Use comply with both PSD2 requirements and GDPR, and must implement the strong customer authentication (SCA) requirements of the EBA RTS.

The Network and Information Security (NIS) Regulations 2018 (S.I. No. 360 of 2018) impose cybersecurity obligations on digital service providers in Ireland, including cloud API providers. The NIS2 Directive (EU 2022/2555), which Ireland is required to transpose, significantly expands the scope of these obligations. API providers should confirm their security practices and incident response procedures are reflected in their Terms of Use.

API Terms of Use are also needed to manage the commercial relationship with developers — including specifying the pricing for API access, the limits on free tier usage, the conditions for upgrading to paid tiers, and the developer's obligations to attribute the API provider in their products.

Under the Companies Act 2014, the Companies Registration Office (CRO) maintains the register of Irish companies. Section 343 of the Companies Act 2014 sets annual confirmation obligations. The Competition and Consumer Protection Commission (CCPC) enforces the Consumer Rights Act 2022. The Central Bank of Ireland regulates financial services under the Central Bank Act 1971. The High Court of Ireland has jurisdiction under Section 212 of the Companies Act 2014.

Thorough Irish API Terms of Use should contain the following essential provisions.

The parties and registration clause specifies that access to the API is available only to registered developers who have accepted the Terms of Use and obtained an API key. The clause should specify the registration process, the developer's obligations in providing accurate registration information, and the provider's right to refuse or revoke registration.

The API licence clause grants the developer a limited, non-exclusive, non-transferable, revocable licence to access and use the API solely for the developer's own application development and integration purposes. The clause should specify whether the licence permits the developer to create commercial applications, whether sub-licensing is permitted, and whether the developer may use the API to provide services to third parties.

The permitted use and acceptable use clause specifies in detail the uses that are permitted (building integrations, developing applications, testing and development) and the uses that are prohibited — including using the API to build a competing service, scraping data at scale, reselling API access, circumventing rate limits or security measures, accessing data the developer is not authorised to access, and using the API in violation of applicable law (including GDPR, privacy law, and export control regulations).

The rate limiting and usage quota clause specifies the maximum number of API calls permitted per unit time (per minute, per hour, per day, per month), the rate limit tiers applicable to different subscription levels, the mechanism by which rate limits are enforced, the consequences of exceeding limits (throttling, blocking, overage charges, or termination), and the process for requesting increased limits.

The intellectual property clause confirms that the provider retains all IP rights in the API, its documentation, and any data accessible through the API. The clause addresses the developer's rights in their own applications built using the API, and specifies any restrictions on the developer's use of the provider's trademarks, brand names, or logos.

The API key and credentials clause specifies the developer's obligations regarding the security and confidentiality of their API key — including the obligation to keep it secret, not to share it with third parties, to rotate it promptly if it is compromised, and to notify the provider immediately in the event of a suspected security breach.

The data protection clause incorporates the mandatory data processing agreement terms required by Article 28 GDPR (where the API involves processing personal data), specifies the security measures the provider and developer must implement, addresses international data transfers, and specifies the parties' respective roles as data controller and data processor (or joint controllers, as appropriate).

The changes to the API clause specifies the provider's rights to modify, update, deprecate, or discontinue the API, the notice period the provider will give developers before making breaking changes (typically 30–90 days), and the developer's responsibility for updating their applications to accommodate changes to the API.

The limitation of liability clause limits the provider's liability for losses arising from API downtime, data inaccuracies, or rate limit enforcement, and caps the provider's total liability to a defined amount (typically the fees paid by the developer in the preceding 12 months, or EUR nil for free API access).

The term and termination clause specifies the duration of the API access arrangement, the grounds for termination (including breach, persistent rate limit violations, and failure to pay), and the consequences of termination — including the revocation of the API key and the developer's obligation to cease using the API and delete any cached data.

The governing law clause confirms that the Terms of Use are governed by the laws of Ireland and that disputes are subject to the jurisdiction of the Irish courts. The forms-legal.com API Terms of Use (Ireland) template covers the mandatory elements under Companies Act 2014.