Trade Secrets Directive - 5 July 2016

Following its publication in the Official Journal of the European Union, the EU Trade Secrets Directive (2016/943) on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure will enter into force on 5 July 2016. Member States will have two years from this date to implement the provisions of the Directive into national law.

Council of Europe adopts the NIS Directive

On 17 May 2016, the Council of Europe formally adopted the Network and Information Security (NIS) Directive, a Commission proposal in response to increasing concerns about cyber-attacks and privacy breaches.


Nowak v. The Data Protection Commissioner: Data subjects' right of appeal and testing the boundaries of "personal data"

Under Section 26 of the Data Protection Acts 1988 and 2003, an appeal before the courts is provided for against a decision of the Data Protection Commissioner in relation to a complaint under Section 10(1)(a) of the Acts. The scope and applicable review standard for such an appeal was one of two key issues which came before the Supreme Court in the recent case of Nowak v. The Data Protection Commissioner (Judgment of O'Donnell J delivered on 28th April 2016).


UK High Court endorses Predictive Coding (Part II)

The High Court in the UK has again endorsed the use of predictive coding, ruling it to be the most appropriate and proportionate approach to disclosure despite disagreement between the parties surrounding its use. In a previous blog, we outlined how the UK High Court in the Pyrrho case ruled that predictive coding was appropriate to discharge a party's obligations regarding electronic disclosure.

In the most recent judgment (yet to be published), the concept of using predictive coding in a disclosure exercise was strongly contested. Berwin Leighton Paisner, acting for the respondent, note that the petitioner’s solicitors wished to adopt a “traditional” approach to document review, where the inboxes of an agreed list of custodians would be filtered using an agreed list of search terms, and the responsive documents would be subject to a manual review. It was put to the court that the costs of the traditional approach would be excessive, and that superior results could be achieved at a more proportionate cost using predictive coding.


Can you keep a (trade) secret?

The European Council was yesterday due to adopt the directive on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure ("Trade Secrets Directive"), following a vote by the European Parliament on 15 April 2016. This followed a long legislative process which began with a draft directive in 2013.


New Guidance On Whether Hyperlinking May Constitute Copyright Infringement

Under the Copyright Directive (2001/29/EC) the owner of copyright material has the exclusive right to control any "communications to the public" of their protected works.

In an advisory opinion to the Court of Justice of the European Union ("CJEU"), Attorney General Wathelet (the "AG") recently considered whether the act of posting a hyperlink directing users to infringing content on a third party website would give rise to copyright infringement.


Review of e-Privacy Directive

The European Commission has launched a public consultation on the current text of the ePrivacy Directive 2002/58/EC as well as the possible changes to the existing legal framework to make sure it is up to date with the new challenges of the digital age. The e-Privacy Directive sets out specific data protection rules for the electronic communications sector.

Interested parties who wish to participate in the consultation process have until 5 July 2016 to submit responses to the Commission's online questionnaire. The Commission will use the feedback from the consultation to prepare a new legislative proposal on ePrivacy, which is expected by the end of 2016. The type of legal instrument to be used in case of a revision may well follow the GDPR approach, taking the form of a Regulation rather than a Directive, to avoid inconsistent application of the new rules at national level.


EU GDPR is finally agreed

After four years of negotiation, the EU General Data Protection Regulation (GDPR) has finally been agreed. It was given final approval by the European Parliament this morning, Thursday 14 April 2016. The GDPR will replace existing EU and national data protection legislation. Companies have a two-year transitionary period to comply with the GDPR, which comes into force in Spring 2018.

The Law Enforcement Data Protection Directive (LEPD Directive), which allows for smoother exchange of information between Member States' police and judicial authorities, has also been approved.  It is aimed at improving co-operation in the fight against terrorism and other serious crime across the EU. 


Article 29 Working Party demands improvements to Privacy Shield

The Article 29 Working Party (WP29) held a Press Conference today, Wednesday 13 April 2016, welcoming the improvements brought by the Privacy Shield compared to the Safe Harbour decision, but calling for further improvements to ensure the protection offered by the Shield is essentially equivalent to that offered in the EU. 

The WP29 has strong concerns, in particular, with regard to the possibility of bulk collection of personal data originating from the EU, and insufficient guarantees concerning the independence of the Ombudsperson.


ODPC contacts Dublin City Council regarding anti-litter posters

The Office of the Data Protection Commissioner (ODPC) has contacted Dublin City Council in relation to its data protection concerns surrounding the City Council's new anti-litter poster initiative. As part of the initiative the City Council had erected a billboard in the north inner city featuring CCTV images of 12 people who appear to be engaging in illegal dumping around the Amiens Street-Five Lamps area. Although the faces were slightly blurred due to the quality of the CCTV footage, the City Council stated that the people would be able to identify themselves from the images, as most likely would their neighbours.

Due to the personal data element of the CCTV images, it is reported that the ODPC has been in contact with the City Council to advise them that the processing of personal data must be done fairly and proportionally and must not be overly prejudicial to a person's right to privacy.


Finalisation of EU GDPR imminent

The new EU General Data Protection Regulation (GDPR) and the Law Enforcement Data Protection Directive (LEDP Directive) are expected to be finalised by the European Parliament tomorrow, Thursday 14 April 2016.

The new data protection laws were approved by the European Council on 8 April 2016. Earlier this week, the LIBE committee also voted to approve the laws. The European Parliament is expected to formally adopt the GDPR and LEPD Directive on Thursday 14 April 2016. Once adopted, the texts will be published in the Official Journal. Businesses will then have a two-year transitionary period to comply with the new laws.

The European Council published a new version of the GDPR, which will likely be the final text of the GDPR. Some technical/linguistic work has clarified some of the unclear wording in the text that was adopted by a political agreement of the EU institutions in December 2015.

For further information on the EU GDPR see our dedicated website: 

WiFi providers not liable for copyright infringement by users

On 16 March 2016, the Advocate General (AG) delivered an Opinion, in McFadden v Sony Music Entertainment Germany GmbH Case-484/14, that a business offering free WiFi access to the public cannot be held liable for copyright infringement committed by a user of that WiFi. The decision confirms the applicability of the E-Commerce Directive, and the “mere conduit” defence, to free WiFi providers.


Territorial scope of Data Protection Directive under the microscope again

The Administrative Court of Hamburg recently overturned an order of the Hamburg Data Protection Authority (DPA) against Facebook.  The Court held that Irish, not German, data protection law was applicable, despite the existence of an office of Facebook in Germany.

The background

A woman complained to the Hamburg DPA after Facebook blocked her account for using a pseudonym, requested a copy of some identification and unilaterally changed her username to her real name. The Hamburg DPA found that Facebook could not unilaterally change users' chosen usernames to their real names, nor ask them for official identification, as German data protection law provides a right to a pseudonymous online profile.  

Overturning the DPA's decision, the Hamburg Court found that the business operations of Facebook Ireland and Facebook Germany constitute an "establishment" within the meaning of Article 4(1)(a) of the Data Protection Directive 95/46/EC (the Directive). However, it held that if several national data protection laws might apply because the data controller is established in several Member States, then the law to be applied is that of the EU Member State with which the disputed data processing is most closely associated. According to the Hamburg Court, that was Facebook Ireland in this case, where Facebook has its European Headquarters. The Hamburg Court refused to apply a broad interpretation of the "establishment" test in Article 4(1)(a) of the Directive. It distinguished the CJEU's judgment in Google Spain on the basis that the controller (Facebook) was established in an EU Member State, so that there was no risk that natural persons affected by the contested data processing operation would be deprived of the protection offered by the Directive.


The European Commission releases EU-US Privacy Shield

The European Commission has released the legal texts that will constitute the EU-US Privacy Shield, which will replace the Safe Harbour framework declared invalid by the Court of Justice (CJEU) last October. Unlike its predecessor, the Privacy Shield includes not only commitments in the commercial sector, but also access to personal data by public authorities for national security purposes.

The documents released include the draft “adequacy decision”, the Privacy Shield Principles which will apply to all US companies providing services on the EU market, as well as written commitments by the US Government on the enforcement of the Privacy Shield, including safeguards and limitations concerning access to data by US national intelligence agencies. 

The Privacy Shield aims to provide European citizens with more transparency about transfers of their personal data to the US and stronger obligations on US companies to protect their data. It requires stronger monitoring and enforcement by the US Department of Commerce (DoC) and the Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities (DPAs).  It also provides several redress possibilities for individuals in case of complaints either directly with companies, or with the help of their local DPA.


WiFi operators urged to install WiFi signage

The Information Commissioner's Office (ICO) in the UK has published guidance for organisations providing WiFi services to their staff and customers. The guidance considers how WiFi operators can use location and other analytics information in a manner that complies with data protection laws. As the core data protection principles in the UK and Irish Data Protection Acts are the same, the guidance is also of interest to Irish businesses.

The guidance highlights that it is possible for WiFi operators to collect data from devices covertly, and therefore it is vital that individuals are warned that their data may be collected.  This can be done by installing clear signage at the entrance to and throughout WiFi zones, on websites and in WiFi sign-up or registration pages, notifying device users of the potential processing of their data.
