Nowak v. The Data Protection Commissioner: Data subjects' right of appeal and testing the boundaries of "personal data"

Under Section 26 of the Data Protection Acts 1988 and 2003, an appeal before the courts is provided for against a decision of the Data Protection Commissioner in relation to a complaint under Section 10(1)(a) of the Acts. The scope and applicable review standard for such an appeal was one of two key issues which came before the Supreme Court in the recent case of Nowak v. The Data Protection Commissioner (Judgment of O'Donnell J delivered on 28th April 2016).

Continue Reading...

UK High Court endorses Predictive Coding (Part II)

The High Court in the UK has again endorsed the use of predictive coding, ruling it as being the most appropriate and proportionate approach to disclosure despite disagreement between the parties surrounding its use. In a previous blog, we outlined how the UK High Court in the Pyrrho case ruled that predictive coding was appropriate to discharge a parties obligations regarding electronic disclosure.

In the most recent judgment, (yet to be published), the concept of using predictive coding in a disclosure exercise was strongly contested. Berwin Leighton Paisner acting for the respondent note that the petitioner’s solicitors wished to adopt a “traditional” approach to document review, where the inboxes of an agreed a list of custodians would be filtered using an agreed list of search terms, and the responsive documents would be subject to a manual review.  It was put to the court that the costs of the traditional approach would be excessive, and that superior results could be achieved at a more proportionate cost using predictive coding.

Continue Reading...

Can you keep a (trade) secret?

The European Council was yesterday due to adopt the directive on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure ("Trade Secrets Directive"), following a vote by the European Parliament on 15 April 2016.  This was following a long legislative process which began with a draft directive in 2013. 

Continue Reading...

New Guidance On Whether Hyperlinking May Constitute Copyright Infringement

Under the Copyright Directive (2001/29/EC) the owner of copyright material has the exclusive right to control any "communications to the public" of their protected works.

In an advisory opinion to the Court of Justice of the European Union ("CJEU"), Attorney General Wathelet (the "AG"), recently considered whether the act of posting a hyperlink directing users to infringing content on a third party website would give rise to copyright infringement.

The AG held that where the infringing content is freely accessible to the public, the act of posting a hyperlink to that content, would not in itself constitute a ‘communication to the public’ as necessary to establish copyright infringement, notwithstanding the fact that the hyperlinks may facilitate or simplify a users’ access to the works in question. This is on the basis that the actual act of making the content available to the public would be deemed to be the action of the person who initially posted the infringing materials.

The hyperlinkers' knowledge of the infringement was considered by the AG to be irrelevant for the purposes of determining whether copyright infringement had occurred.

Rather the AG held that in order to establish an act of communication for these purposes, the posting of the hyperlink must be vital or indispensable for users to benefit or enjoy the works. Accordingly, the posting of hyperlinks which make it possible for users to ‘circumvent restrictions’ put in place on third party websites would constitute an act of communication to the public and may give rise to copyright infringement.

The AG noted however, that while right holders would accordingly be prevented from taking action against website operators that post hyperlinks to freely accessible content they would still have alternative remedies available to them. In particular, the right holder could take an infringement action against the entity who had originally published the unlicensed materials or an injunction against the website operator who initially uploaded the material.

The opinion of the AG stems from a dispute between a Dutch website operator, GS Media and Sanoma, the publisher of Playboy magazine. GS Media posted a link to another website where photographs commissioned by Sanoma were hosted and could be downloaded by internet users.

While the opinion of the AG it is not binding, the CJEU often relies on the opinions of its attorney generals as a basis for its rulings. The CJEU is expected to issue its formal ruling in the case later this year.

Review of e-Privacy Directive

The European Commission has launched a public consultation on the current text of the ePrivacy Directive 2002/58/EC as well as the possible changes to the existing legal framework to make sure it is up to date with the new challenges of the digital age. The e-Privacy Directive sets out specific data protection rules for the electronic communications sector.

Interested parties, who wish to participate in the consultation process, have until 5 July 2016 to submit responses to the Commission's online questionnaire.  The Commission will use the feedback from the consultation to prepare a new legislative proposal on ePrivacy, which is expected by the end of 2016. The type of legal instrument to be used in case of a revision may well follow the GDPR approach, taking the form of Regulation rather than a Directive, to avoid inconsistent application of the new rules at national level.

Continue Reading...

EU GDPR is finally agreed

After four years of negotiation, the EU General Data Protection Regulation (GDPR) has finally been agreed.  It was given final approval by the European Parliament this morning, Thursday 14 April 2016.  The GDPR will replace existing EU and national data protection legislation.  Companies have a two year transitionary period to comply with the GDPR, which come into force in Spring 2018.

The Law Enforcement Data Protection Directive (LEPD Directive), which allows for smoother exchange of information between Member States' police and judicial authorities, has also been approved.  It is aimed at improving co-operation in the fight against terrorism and other serious crime across the EU. 

Continue Reading...

Article 29 Working Party demands improvements to Privacy Shield

The Article 29 Working Party (WP29) held a Press Conference today, Wednesday 13 April 2016, welcoming the improvements brought by the Privacy Shield compared to the Safe Harbour decision, but calling for further improvements to ensure the protection offered by the Shield is essentially equivalent to that offered in the EU. 

The WP29 has strong concerns, in particular, with regard to the possibility of bulk collection of personal data originating from the EU, and insufficient guarantees concerning the independence of the Ombudsperson.

Continue Reading...

ODPC contacts Dublin City Council regarding anti-litter posters

The Office of the Data Protection Commissioner (ODPC) has contacted Dublin City Council in relation to its data protection concerns surrounding the City Council's new anti-litter poster initiative. As part of the initiative the City Council had erected a billboard in the north inner city featuring CCTV images of 12 people who appear to be engaging in illegal dumping around the Amiens Street-Five Lamps area. Although the faces were slightly blurred due to the quality of the CCTV footage, the City Council stated that the people would be able to identify themselves from the images, as most likely would their neighbours.

Due to the personal data element of the CCTV images, it is reported that the ODPC has been in contact with the City Council to advise them that the processing of personal data must be done fairly and proportionally and must not be overly prejudicial to a person's right to privacy.


Finalisation of EU GDPR imminent

The new EU General Data Protection Regulation (GDPR) and the Law Enforcement Data Protection Directive (LEDP Directive) are expected to be finalised by the European Parliament tomorrow, Thursday 14 April 2016.

The new data protection laws were approved by the European Council on 8 April 2016.  Earlier this week, the LIBE committee also voted to approve the laws. The European Parliament is expected to formally adopt the GDPR and LEPD Directive on Thursday 14 April 2016.  Once adopted, the texts will be published in the Official Journal.  Businesses will then have a two year transitionary period to comply with the new laws.

The European Council published a new version of the GDPR, which will likely be the final text of the GDPR. Some technical/linguistic work has clarified some of the unclear wording in the text that was adopted by a political agreement of the EU institutions last December 2015.

For further information on the EU GDPR see our dedicated website: 

WiFi providers not liable for copyright infringement by users

On 16 March 2016, the Advocate General (AG) delivered an Opinion, in McFadden v Sony Music Entertainment Germany GmbH Case-484/14, that a business offering free WiFi access to the public cannot be held liable for copyright infringement committed by a user of that WiFI. The decision confirms the applicability of the E-Commerce Directive, and the “mere conduit” defence, to free WiFi providers.

Continue Reading...

Territorial scope of Data Protection Directive under the microscope again

The Administrative Court of Hamburg recently overturned an order of the Hamburg Data Protection Authority (DPA) against Facebook.  The Court held that Irish, not German, data protection law was applicable, despite the existence of an office of Facebook in Germany.

he background

A woman complained to the Hamburg DPA after Facebook blocked her account for using a pseudonym, requested a copy of some identification and unilaterally changed her username to her real name. The Hamburg DPA found that Facebook could not unilaterally change users' chosen usernames to their real names, nor ask them for official identification, as German data protection law provides a right to a pseudonymous online profile.  

Overturning the DPA's decision, the Hamburg Court found that the business operations of Facebook Ireland and Facebook Germany constitute an "establishment" within the meaning of Article 4 (1)(a) of the Data Protection Directive 95/46/EC (the Directive).  However, it held that if several national data protection laws might apply due to the fact that the data controller is established in several Member States, then it is the law of the EU member state which the disputed data processing is most closely associated with which is to be applied.  According to the Hamburg Court, that was Facebook Ireland in this case, where Facebook has its European Headquarters. The Hamburg Court refused to apply a broad interpretation of the "establishment" test in Article 4(1)(a) of the Directive.  It distinguished the CJEU's judgment in Google Spain on the basis that the controller (Facebook) was established in an EU Member State, so that there was no risk that natural persons affected by the contested data processing operation would be deprived of the protection offered by the Directive.

Continue Reading...

The European Commission releases EU-US Privacy Shield

The European Commission has released the legal texts that will constitute the EU-US Privacy Shield which will replace the Safe Harbour framework, which was declared invalid by the Court of Justice (CJEU) last October.  Unlike its predecessor, the Privacy Shield includes not only commitments in the commercial sector, but also access to personal data by public authorities for national security purposes.

The documents released include the draft “adequacy decision”, the Privacy Shield Principles which will apply to all US companies providing services on the EU market, as well as written commitments by the US Government on the enforcement of the Privacy Shield, including safeguards and limitations concerning access to data by US national intelligence agencies. 

The Privacy Shield aims to provide European citizens with more transparency about transfers of their personal data to the US and stronger obligations on US companies to protect their data. It requires stronger monitoring and enforcement by the US Department of Commerce (DoC) and the Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities (DPAs).  It also provides several redress possibilities for individuals in case of complaints either directly with companies, or with the help of their local DPA.

Continue Reading...

WiFi operators urged to install WiFi signage

The Information Commissioner's Office (ICO) in the UK has published guidance for organisations providing WiFi services to their staff and customers.  The guidance considers how WiFi operators can use location and other analytics information in a manner that complies with data protection laws. As the core data protection principles in the UK and Irish Data Protections Acts are the same, the guidance is also of interest to Irish businesses.

The guidance highlights that it is possible for WiFi operators to collect data from devices covertly, and therefore it is vital that individuals are warned that their data may be collected.  This can be done by installing clear signage at the entrance to and throughout WiFi zones, on websites and in WiFi sign-up or registration pages, notifying device users of the potential processing of their data.

Continue Reading...

Commissioner Věra Jourová announces signing of Judicial Redress Act by President Obama

On 24 February 2016, the European Commissioner, Věra Jourová, announced the signing of the Judicial Redress Act by President Obama. The Act aims to: (i) address the concerns expressed by the Court of Justice of the European Union (CJEU) when it overturned the Safe Harbor Agreement last October 2015 regarding the lack of judicial redress by EU citizens in the US and (ii) facilitate data exchange between the US and EU.

The Act purports to give EU citizens the same rights to judicial redress under the US Privacy Act of 1974 that US citizens have, by allowing them to bring civil actions in U.S. courts against US law enforcement agencies which misuse their personal data.

Whilst the Act gives the US Department of Justice authority to determine which US agencies are within its scope, potentially limiting the reach of the Act, it nonetheless represents a welcome step forward by the US government.

Continue Reading...

DPC publishes guidance on data sharing in the public sector

The Data Protection Commissioner (DPC) has published new guidance on 'Data sharing in the public sector' following the decision of the CJEU in Bara (C-201/14) (see our previous blog on the Bara judgment).

The Bara judgment serves as a reminder that any decision by public bodies to share personal data bodies should not be taken lightly, and only the minimum amount of personal data should be shared. It shows the importance of public bodies informing individuals as to how their personal data is used, for what purpose, and who has access to it.

Continue Reading...