Photo of Davinia Brennan

The Data Protection Commissioner (DPC) has initiated a consultation seeking submissions in regard to how some key concepts in the GDPR should be interpreted and applied, including:

  • Consent
  • Profiling
  • Personal data breach notifications
  • Certification

The Article 29 Working Party (WP29) (consisting of representatives of the EU data protection authorities) is currently preparing guidance on these concepts, and EU data protection authorities are undertaking consultation processes with the purpose of ensuring that the views of stakeholders are heard.  The questions asked in the consultation demonstrate the lack of detail in the GDPR in regard to these key concepts.

Continue Reading DPC launches consultation on consent, profiling, data breach notifications and certification under the GDPR

Photo of Davinia Brennan

In Case C-375/15 (the BAWAG case), the CJEU examined the scope of a payment service provider’s obligation to communicate changes to information and conditions, and to framework contracts, to e-banking customers.  In particular, the CJEU considered whether a bank may notify its customers of account information and contractual changes via an electronic banking mailbox.  The CJEU clarified the conditions that must be met for information to be “provided” to customers on a “durable medium”, as required by the Payment Services Directive (PSD) (2007/64/EC).

Continue Reading Communicating with online banking customers

Photo of Davinia Brennan

In Muwema v Facebook Ireland Ltd [2017] IEHC 69, the Irish High Court refused to grant a Norwich Pharmacal order against Facebook, requiring disclosure of the identity and location of an anonymous third party operating a Facebook page containing defamatory content. The Court found that if Facebook disclosed such information it would endanger the life of the third party.  The Court held that the right to a good name must give way to the right to life and bodily integrity in the event of a conflict.

Continue Reading Court refuses Norwich Pharmacal order where compliance would threaten a person’s safety

Photo of Davinia Brennan

The CJEU has ruled (Case C-398/15) that there is no general right to be forgotten in respect of personal data in the companies register. However, upon expiry of a sufficiently long period after dissolution of a company, Member States may provide for restricted access to such data by third parties in exceptional cases. The CJEU’s decision is in line with its ruling in Google Spain (Case C-131/12) that the right to be forgotten is not absolute, and will always need to be balanced against other fundamental rights.

Continue Reading No right to be forgotten in respect of personal data in the companies register

Photo of Davinia Brennan

The Information Commissioner (IC) has made a formal binding decision that records of lobbying communications with the Data Protection Commissioner (ODPC) are not accessible under the Freedom of Information (FOI) Act 2014. In Right to Know CLG v ODPC (Case No. 160447), the IC concluded that the ODPC was justified in refusing the applicant’s request on the ground that the records sought fell outside the scope of the FOI Act, as they did not concern the general administration of the ODPC’s office.

Continue Reading Data Protection Commissioner not required to disclose lobbying communications

Photo of Davinia Brennan

The UK Court of Appeal has clarified the scope of the disproportionate effort exemption, and the relevance of motive, when responding to Data Subject Access Requests (DSARs).  The decisions are interesting as the scope of the disproportionate effort exemption has caused considerable confusion in both the UK and Ireland.  Neither the English nor Irish Data Protection Acts (DPAs) define what constitutes “disproportionate effort” and there is a paucity of Irish case-law on the issue. Nor has the Irish Data Protection Commissioner (DPC) provided any comprehensive guidance on the exemption.

Continue Reading Data Subject Access Requests – Proportionality and Motive

Photo of Davinia Brennan

At a plenary meeting on 7 February 2017, the Article 29 Working Party (WP29) discussed the progress of its guidelines on the GDPR.  The WP29 is continuing its work on Data Protection Impact Assessments (DPIAs), Certification and other topics.  The DPIA guidelines are expected in April 2017, and the Certification guidelines in June 2017.

In regard to the Privacy Shield, the WP29 has decided that the EU centralised body, in charge of channelling complaints to the Ombudsperson, will be composed by 5 national Data Protection Authorities (DPAs).  The WP29 has adopted two sets of template documents serving as complaint forms for submitting commercial related complaints or requests under the Ombudsperson mechanism, and has adopted its rules of procedure.

The WP29 intend to send a letter to the US authorities:
(i) To raise concerns and seek clarification on the impact of Trump’s recent Executive Order on the Shield;
(ii) To request assurances on the way personal data will be dealt with by US authorities regarding complaints under the Shield, and
(iii) To provide answers to questions from the US authorities on the functioning of the centralised body.

The WP29 also intend to issue an Opinion on the draft e-Privacy Regulation, published by the Commission earlier this year, in April 2017.

Press Release: Article 29 Working Party – February 2017 Plenary Meeting

Photo of Davinia Brennan

The CJEU has once again been asked to consider the meaning of “communication to the public” within Article 3(1) of the Copyright Directive.

In Stichting Brein v Ziggo BV, XS4ALL Internet BV (Case C‑610/15), the CJEU has been asked to identify  the scope of liability for copyright infringement committed by ‘card providers,’ namely sites such as The Pirate Bay, where files containing music and films are shared free of charge, and usually in breach of copyright.

On 8 February, 2017, the Attorney General (AG) delivered an Opinion advising the CJEU to find copyright infringement where a website (such as The Pirate Bay) indexes content available on peer-to-peer (P2P) networks, even where there is no actual content on the website.  However the AG found copyright infringement will only occur where the website operator has actual knowledge of the illegality and takes no action. Accordingly, if copyright holders notify a site’s operators of the illegal nature of information appearing on the site, and they fail to take action to make access to that work impossible, then the site operator may be held liable.

Continue Reading AG advocates finding of copyright infringement by The Pirate Bay

Photo of Davinia Brennan

The European Commission has published its draft e-Privacy Regulation which, if adopted, will replace the existing e-Privacy Directive.  The Regulation broadens the scope of the Directive, enhances the confidentiality of communications, and simplifies the rules on cookies and unsolicited electronic marketing.

Scope

The Regulation expands the scope of the e-Privacy Directive, which only applies to traditional telecoms providers.  It is proposed that the Regulation will apply to any business that provides any form of online communication service, so all internet based voice and messaging services, will be subject to the new rules.  The Regulation calls these providers “over-the-top communications service providers”. So Skype, WhatsApp, Facebook Messenger, Gmail, Viber and so forth, will all come within the Regulation’s remit. This will ensure that these services guarantee the same level of confidentiality of communications as traditional telecoms operators.

 

Continue Reading The e-Privacy Regulation – What’s new?

Photo of Daniel Harrington

EU consumers of online content services such as Netflix, Spotify or Sky Sports will soon be able to access their subscriptions while on holiday in or when otherwise visiting another Member State, due to the lifting of existing restrictions by a proposed new EU Regulation.

Continue Reading No Frontiers! – EU Consumers to enjoy cross-border access to online content services