Photo of Davinia Brennan

In Aldi Stores (Ireland) Limited and Aldi GMBH & Co. KG v Dunnes Stores [2017] IECA 116, Dunnes Stores (Dunnes) succeeded in its  appeal against a High Court ruling that its 2013 comparative advertising campaign against Aldi was contrary to EC (Misleading and Comparative Advertising) Regulations, 2007 (the 2007 Regulations) and the Consumer Protection Act, 2007 (the 2007 Act).

In essence, the Court of Appeal determined that the High Court applied the wrong test.  It did not make a decision as to whether the 2013 campaign was lawful, but criticised a number of adverse findings made by the High Court.

Continue Reading Comparative Advertising in the Court of Appeal

Photo of John Cahir

The General Scheme of the Data Protection Bill 2017 was published last Friday and we have prepared a summary of its main provisions here.

The drafting of the Bill is a complex task. There is a need to repeal the provisions of the Data Protection Acts 1988 and 2003 that are replaced by the directly effective provisions of the GDPR, to transpose the Law Enforcement Directive (2016/680) and at the same time to give effect to provisions of the GDPR that require national implementing measures.

Although not stated definitively, it appears that consideration is being given to having a full repeal of the Data Protection Acts 1988 and 2003 with the new Act to be a consolidating measure. That would be a welcome development.

The stand out proposals of general interest in the Bill include:

  • Confirmation that only public authorities who compete with the private sector will be susceptible to administrative fines.
  • The proposal that additional due process in the form of an oral hearing or a written “right of reply” will be available under the new administrative sanctions procedure.
  • A new power of the DPC to direct that a controller/processer engage an independent reviewer to prepare a written report on any matter specified by the DPC with the cost of the report to be borne by the data controller/processor. This is an entirely new investigative mechanism that has been designed to deal with “large scale cases”.

We will provide regular updates on the Bill’s progress.

Photo of Davinia Brennan

The Article 29 Working Party (WP29) (consisting of data protection regulators from the 28 Member States) has adopted an Opinion 01/2017 on the proposed e-Privacy Regulation, which will repeal and replace the e-Privacy Directive. Whilst the WP29 welcomes the proposal, it identifies several points of concern, and sets out how the proposal can be improved.

Continue Reading WP29 gives lukewarm welcome to proposed e-Privacy Regulation

Photo of Davinia Brennan

The Article 29 Working Party (WP29) has proposed guidelines to help organisations identify when it is necessary to carry out a Data Protection Impact Assessment (DPIA) and how to do so. The guidelines are open to public comment until 23 May 2017.  DPIAs involve evaluating the potential impact that a new project will have on the privacy of individuals, and identifying ways to mitigate or avoid any adverse effects in advance of processing.  The GDPR requires DPIAs to be carried out when processing is likely to result in a “high risk” to the rights and freedoms of natural persons.

Continue Reading WP29 publishes draft guidelines on DPIAs

Photo of Davinia Brennan

The Data Protection Commissioner (DPC) has published her Annual Report for 2016.  It highlights key developments and activities of her Office last year, as well as priorities for 2017, which will be “all about GDPR readiness“.  2016 was a busy year for the DPC’s Office.  It dealt with an increased number of queries, complaints and data breach notifications. The DPC continued her engaged approach to regulation, engaging extensively with multinational companies, such as Facebook, LinkedIn, Apple and WhatsApp on proposed new policies, products and services, conducting over 100 face-to-face meetings. The DPC also engaged with a number of entities in the public, health and private/financial sectors.

Continue Reading Data Protection Commissioner publishes Annual Report for 2016

Photo of Davinia Brennan

The Article 29 Working Party (WP29) has issued its final guidance on Data Protection Officers (DPOs), Data Portability and Lead Supervisory Authority, in response to stakeholders’ comments. Some of the new points raised in the revised guidance are set out below.

Continue Reading WP29 issues final guidance on DPOs, Data Portability and Lead Authority

Photo of Davinia Brennan

In Rolf Anders Daniel Pihl v Sweden, the European Court of Human Rights (ECHR) agreed with Swedish authorities that a non-profit association was not liable for anonymous defamatory comments posted on its blog. The ECHR held that the Swedish authorities’ refusal to hold the owner of the blog liable for the anonymous defamatory online comment did not violate the European Convention on Human Rights (the Convention).

Continue Reading Blog owner not liable for anonymous defamatory online comments

Photo of Davinia Brennan

The Irish Commercial Court has ordered nine ISPs to block three websites offering illegal downloading or streaming of copyrighted movies and TV shows.  The action was brought by Motion Pictures Association, representing six film and TV studios.  The Court held that it was clear there had been infringement of copyright, that it would not result in the lawful use of the internet being interfered with and the order was proportionate to the damage being caused. None of the ISPs opposed the application for the injunction.  However one ISP raised concerns about cost implications of dealing with a large number of sites into the future, and asked the court to put a cap on the number of illegal website notifications a month, which movie companies could direct ISPs to block.  The Judge refused to grant a cap on notifications. Continue Reading Court orders ISPs to block illegal streaming websites

Photo of Davinia Brennan

The Data Protection Commissioner (DPC) has initiated a consultation seeking submissions in regard to how some key concepts in the GDPR should be interpreted and applied, including:

  • Consent
  • Profiling
  • Personal data breach notifications
  • Certification

The Article 29 Working Party (WP29) (consisting of representatives of the EU data protection authorities) is currently preparing guidance on these concepts, and EU data protection authorities are undertaking consultation processes with the purpose of ensuring that the views of stakeholders are heard.  The questions asked in the consultation demonstrate the lack of detail in the GDPR in regard to these key concepts.

Continue Reading DPC launches consultation on consent, profiling, data breach notifications and certification under the GDPR

Photo of Davinia Brennan

In Case C-375/15 (the BAWAG case), the CJEU examined the scope of a payment service provider’s obligation to communicate changes to information and conditions, and to framework contracts, to e-banking customers.  In particular, the CJEU considered whether a bank may notify its customers of account information and contractual changes via an electronic banking mailbox.  The CJEU clarified the conditions that must be met for information to be “provided” to customers on a “durable medium”, as required by the Payment Services Directive (PSD) (2007/64/EC).

Continue Reading Communicating with online banking customers