The Article 29 Working Party (WP29) (consisting of data protection regulators from the 28 Member States) has adopted Opinion 01/2017 on the proposed e-Privacy Regulation, which will repeal and replace the e-Privacy Directive. Whilst the WP29 welcomes the proposal, it identifies several points of concern, and sets out how the proposal can be improved.
The Article 29 Working Party (WP29) has proposed guidelines to help organisations identify when it is necessary to carry out a Data Protection Impact Assessment (DPIA) and how to do so. The guidelines are open to public comment until 23 May 2017. DPIAs involve evaluating the potential impact that a new project will have on the privacy of individuals, and identifying ways to mitigate or avoid any adverse effects in advance of processing. The GDPR requires DPIAs to be carried out when processing is likely to result in a “high risk” to the rights and freedoms of natural persons.
The Data Protection Commissioner (DPC) has published her Annual Report for 2016. It highlights key developments and activities of her Office last year, as well as priorities for 2017, which will be “all about GDPR readiness”. 2016 was a busy year for the DPC’s Office. It dealt with an increased number of queries, complaints and data breach notifications. The DPC continued her engaged approach to regulation, engaging extensively with multinational companies, such as Facebook, LinkedIn, Apple and WhatsApp on proposed new policies, products and services, conducting over 100 face-to-face meetings. The DPC also engaged with a number of entities in the public, health and private/financial sectors.
The Article 29 Working Party (WP29) has issued its final guidance on Data Protection Officers (DPOs), Data Portability and Lead Supervisory Authority, in response to stakeholders’ comments. Some of the new points raised in the revised guidance are set out below.
In Rolf Anders Daniel Pihl v Sweden, the European Court of Human Rights (ECHR) agreed with Swedish authorities that a non-profit association was not liable for anonymous defamatory comments posted on its blog. The ECHR held that the Swedish authorities’ refusal to hold the owner of the blog liable for the anonymous defamatory online comment did not violate the European Convention on Human Rights (the Convention).
The Irish Commercial Court has ordered nine ISPs to block three websites offering illegal downloading or streaming of copyrighted movies and TV shows. The action was brought by the Motion Pictures Association, representing six film and TV studios. The Court held that it was clear there had been infringement of copyright, that the order would not interfere with lawful use of the internet, and that the order was proportionate to the damage being caused. None of the ISPs opposed the application for the injunction. However, one ISP raised concerns about the cost implications of dealing with a large number of sites in the future, and asked the court to cap the number of illegal website notifications per month that movie companies could direct ISPs to block. The Judge refused to grant a cap on notifications.
The Data Protection Commissioner (DPC) has initiated a consultation seeking submissions in regard to how some key concepts in the GDPR should be interpreted and applied, including:
- Personal data breach notifications
The Article 29 Working Party (WP29) (consisting of representatives of the EU data protection authorities) is currently preparing guidance on these concepts, and EU data protection authorities are undertaking consultation processes with the purpose of ensuring that the views of stakeholders are heard. The questions asked in the consultation demonstrate the lack of detail in the GDPR in regard to these key concepts.
In Case C-375/15 (the BAWAG case), the CJEU examined the scope of a payment service provider’s obligation to communicate changes to information and conditions, and to framework contracts, to e-banking customers. In particular, the CJEU considered whether a bank may notify its customers of account information and contractual changes via an electronic banking mailbox. The CJEU clarified the conditions that must be met for information to be “provided” to customers on a “durable medium”, as required by the Payment Services Directive (PSD) (2007/64/EC).
In Muwema v Facebook Ireland Ltd  IEHC 69, the Irish High Court refused to grant a Norwich Pharmacal order against Facebook, requiring disclosure of the identity and location of an anonymous third party operating a Facebook page containing defamatory content. The Court found that if Facebook disclosed such information it would endanger the life of the third party. The Court held that the right to a good name must give way to the right to life and bodily integrity in the event of a conflict.
The CJEU has ruled (Case C-398/15) that there is no general right to be forgotten in respect of personal data in the companies register. However, upon expiry of a sufficiently long period after dissolution of a company, Member States may provide for restricted access to such data by third parties in exceptional cases. The CJEU’s decision is in line with its ruling in Google Spain (Case C-131/12) that the right to be forgotten is not absolute, and will always need to be balanced against other fundamental rights.