ICO states that GDPR is still relevant for the UK

Following the Brexit Referendum and the uncertainty now surrounding the future of data flows between the UK and the remaining EEA States, the UK Information Commissioner's Office has published an update on its blog: "GDPR still relevant for the UK". The update emphasises the importance of the GDPR to many organisations in the UK and notes:

"With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to explain our view that reform of UK data protection law remains necessary."

For further guidance and analysis on the impact of Brexit for businesses and investors in both Ireland and Northern Ireland, please see our website here.

High Court finds brand survey evidence unreliable

In 2013, Mr Justice Gilligan refused an injunction sought by Galway Free Range Eggs Limited restraining Hillsbrook Eggs Limited from packaging or promoting their products under the name “O’Brien’s of Galway Free Range Eggs". The Court held that it was not satisfied that the packaging used by the defendant was likely to deceive the public but did accept that there were issues to put forward to trial.

The substantive High Court hearing was held recently before Mr Justice Tony O'Connor and one of the bigger issues before the Court was the use of survey evidence and the weight to be attached to such opinion evidence.   The Court was highly sceptical of the value of market opinions and related questionnaires and stated that in this specific case "the evidence offered on behalf of the plaintiff concerning brand confusion was tenuous and unreliable".

Continue Reading...

Microsoft wins landmark US appeal against search warrant for emails stored in Ireland

The US Second Circuit Court of Appeals, overturning an earlier court ruling from a lower court, has held that the US Government cannot compel Microsoft to hand over emails stored on a server in Dublin in a narcotics case. The decision is a milestone victory for privacy rights and will be greatly welcomed by US technology companies storing data abroad. It should also provide reassurance to European citizens that their data will be protected by European data protection laws and the US legal system will respect their privacy rights.

Continue Reading...

European Commission Adopts Privacy Shield

The European Commission has today adopted the Privacy Shield.  The Privacy Shield is intended to provide a framework for EU-US data transfers.

What is the Privacy Shield?

European data protection law restricts the transfer of personal data outside the European Economic Area (EEA) unless the country to which the data is transferred ensures an adequate level of data protection. The Privacy Shield is a mechanism for overcoming this restriction and legitimising the transfer of personal data to some US companies.

Why do we need the Privacy Shield?

Until 6 October 2015, over 4,000 US companies relied on the Safe Harbour regime to legitimise the transfer of personal data to the US.  The Safe Harbour regime was declared invalid by the Court of Justice of the EU (CJEU) on 6 October 2015.  The Privacy Shield will replace the Safe Harbour regime.

After the CJEU's ruling many US companies turned to the Model Contractual Clauses to legitimise their transatlantic data transfers.  The approval of the Privacy Shield will be welcomed by multinational companies, particularly as the Irish Data Protection Commissioner recently sought a referral to the CJEU to determine the legal status of data transfers under Model Contractual Clauses. However, Model Contractual Clauses remain a valid method of transatlantic transfer unless declared invalid by the CJEU, which may not be determined for up to another two years.

Continue Reading...

Member States approve Privacy Shield

On 8 July 2016, Member State representatives (the Article 31 Committee) approved the final version of the EU-U.S. Privacy Shield, to permit transatlantic transfers of personal data from the EU to the U.S.  The Privacy Shield will replace the invalid Safe Harbour Agreement, to ensure high standards of data protection for transatlantic transfers of data for commercial purposes.

Continue Reading...

Trade Secrets Directive- 5 July 2016

Following its publication in the Official Journal of the European Union, the EU Trade Secrets Directive (2016/943)on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure will enter in to force on the 5 July 2016. Member States will have two years from this date to implement the provisions of the Directive into national law.

Council of Europe adopts the NIS Directive

On 17 May 2016, the Council of Europe formally adopted the Network and Information Security (NIS) Directive, a Commission proposal in response to increasing concerns about cyber-attacks and privacy breaches.

Continue Reading...

Nowak v. The Data Protection Commissioner: Data subjects' right of appeal and testing the boundaries of "personal data"

Under Section 26 of the Data Protection Acts 1988 and 2003, an appeal before the courts is provided for against a decision of the Data Protection Commissioner in relation to a complaint under Section 10(1)(a) of the Acts. The scope and applicable review standard for such an appeal was one of two key issues which came before the Supreme Court in the recent case of Nowak v. The Data Protection Commissioner (Judgment of O'Donnell J delivered on 28th April 2016).

Continue Reading...

UK High Court endorses Predictive Coding (Part II)

The High Court in the UK has again endorsed the use of predictive coding, ruling it as being the most appropriate and proportionate approach to disclosure despite disagreement between the parties surrounding its use. In a previous blog, we outlined how the UK High Court in the Pyrrho case ruled that predictive coding was appropriate to discharge a parties obligations regarding electronic disclosure.

In the most recent judgment, (yet to be published), the concept of using predictive coding in a disclosure exercise was strongly contested. Berwin Leighton Paisner acting for the respondent note that the petitioner’s solicitors wished to adopt a “traditional” approach to document review, where the inboxes of an agreed a list of custodians would be filtered using an agreed list of search terms, and the responsive documents would be subject to a manual review.  It was put to the court that the costs of the traditional approach would be excessive, and that superior results could be achieved at a more proportionate cost using predictive coding.

Continue Reading...

Can you keep a (trade) secret?

The European Council was yesterday due to adopt the directive on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure ("Trade Secrets Directive"), following a vote by the European Parliament on 15 April 2016.  This was following a long legislative process which began with a draft directive in 2013. 

Continue Reading...

New Guidance On Whether Hyperlinking May Constitute Copyright Infringement

Under the Copyright Directive (2001/29/EC) the owner of copyright material has the exclusive right to control any "communications to the public" of their protected works.

In an advisory opinion to the Court of Justice of the European Union ("CJEU"), Attorney General Wathelet (the "AG"), recently considered whether the act of posting a hyperlink directing users to infringing content on a third party website would give rise to copyright infringement.

Continue Reading...

Review of e-Privacy Directive

The European Commission has launched a public consultation on the current text of the ePrivacy Directive 2002/58/EC as well as the possible changes to the existing legal framework to make sure it is up to date with the new challenges of the digital age. The e-Privacy Directive sets out specific data protection rules for the electronic communications sector.

Interested parties, who wish to participate in the consultation process, have until 5 July 2016 to submit responses to the Commission's online questionnaire.  The Commission will use the feedback from the consultation to prepare a new legislative proposal on ePrivacy, which is expected by the end of 2016. The type of legal instrument to be used in case of a revision may well follow the GDPR approach, taking the form of Regulation rather than a Directive, to avoid inconsistent application of the new rules at national level.

Continue Reading...

EU GDPR is finally agreed

After four years of negotiation, the EU General Data Protection Regulation (GDPR) has finally been agreed.  It was given final approval by the European Parliament this morning, Thursday 14 April 2016.  The GDPR will replace existing EU and national data protection legislation.  Companies have a two year transitionary period to comply with the GDPR, which come into force in Spring 2018.

The Law Enforcement Data Protection Directive (LEPD Directive), which allows for smoother exchange of information between Member States' police and judicial authorities, has also been approved.  It is aimed at improving co-operation in the fight against terrorism and other serious crime across the EU. 

Continue Reading...

Article 29 Working Party demands improvements to Privacy Shield

The Article 29 Working Party (WP29) held a Press Conference today, Wednesday 13 April 2016, welcoming the improvements brought by the Privacy Shield compared to the Safe Harbour decision, but calling for further improvements to ensure the protection offered by the Shield is essentially equivalent to that offered in the EU. 

The WP29 has strong concerns, in particular, with regard to the possibility of bulk collection of personal data originating from the EU, and insufficient guarantees concerning the independence of the Ombudsperson.

Continue Reading...

ODPC contacts Dublin City Council regarding anti-litter posters

The Office of the Data Protection Commissioner (ODPC) has contacted Dublin City Council in relation to its data protection concerns surrounding the City Council's new anti-litter poster initiative. As part of the initiative the City Council had erected a billboard in the north inner city featuring CCTV images of 12 people who appear to be engaging in illegal dumping around the Amiens Street-Five Lamps area. Although the faces were slightly blurred due to the quality of the CCTV footage, the City Council stated that the people would be able to identify themselves from the images, as most likely would their neighbours.

Due to the personal data element of the CCTV images, it is reported that the ODPC has been in contact with the City Council to advise them that the processing of personal data must be done fairly and proportionally and must not be overly prejudicial to a person's right to privacy.