WP29 Action Plan for 2017

The Article 29 Working Party (WP29) has released its Action Plan for 2017, setting out its priorities and objectives in the context of implementation of the EU GDPR for the year ahead. It has committed to finalize its work on topics undertaken in 2016 including guidelines on:

  • Certification;
  • Processing likely to result in a high risk & Data Protection Impact Assessments (DPIAs);
  • Administrative fines;
  • Setting up the European Data Protection Board (EDPB) structure;
  • Preparation of the one stop shop, and
  • The EDPB consistency mechanism.

The WP29 also intends to start work in 2017 on guidelines on:

  • Consent;
  • Profiling, and
  • Transparency.

At the same time, the WP29 intends to work on the update of already existing opinions and referentials on data transfers to third countries and data breach notifications.

In December 2016, the WP29 also issued guidelines on data portability, lead authority, and Data Protection Officers.  See our blog for more information.

UK closer to UPC ratification

In an earlier blog, we outlined that the UK confirmed its intention to ratify the International Agreement on a Unified Patent Court. In December 2016, the UK government proceeded to sign the Protocol on Privileges and Immunities of the Unified Patent Court.  The Protocol provides EU privileges and immunities to the judges of the Unified Patent Court necessary for the exercise of its functions.  The Protocol is required in the individual countries hosting divisions of the court, one of which is in London.  This positive step would suggest that the UK is moving closer towards ratification.

GDPR guidance on Data Portability, DPOs & Lead Supervisory Authority

The Article 29 Working Party has issued a press release and three sets of guidelines and FAQs on implementation of some key issues under the GDPR:


It welcomes any comments from stakeholders on the guidelines until the end of January 2017. Guidelines on Data Privacy Impact Assessments and Certification are promised for 2017.

The guidance provides some interesting insights and should help organisations to comply with their new obligations under the GDPR.  The guidelines on the Lead Supervisory Authority highlight that there will be more than one lead supervisory authority, where a company carries out several cross-border activities and the decisions on the means and purposes of processing are taken in different establishments. This means that companies will have to consider organising decision-making powers in respect of personal data processing activities in a single location, in order to avail of the "one-stop shop" mechanism.

The guidelines on DPOs consider the meaning, and give practical examples, of the notions of "core activities", "large scale" and "regular and systematic monitoring". It is essential to understand these notions in order to assess whether the appointment of a DPO is legally necessary. The WP29 also encourages the voluntary appointment of a DPO. The guidelines warn that a DPO should not hold a position within the organisation that leads him/her to determine the purposes and means of processing, which may include senior management positions, such as CEO, head of HR or IT etc., as such a position would result in a conflict of interests. They also highlight that DPOs will not be personally responsible for non-compliance with the GDPR.

The guidelines on data portability note that the GDPR does not impose specific recommendations on the format of the personal data to be provided. They state that the most appropriate format will differ across sectors, and encourage industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability.


ODPC publishes guidance on the GDPR

The ODPC has published guidance, The GDPR and You - Preparing for 2018, to help organisations prepare for the GDPR. It contains a checklist to provide companies with a practical starting point to ensure full compliance by May 2018. It is important for organisations to start taking steps to prepare now, to ensure that adequate policies and procedures are in place to deal with the new rules when they come into force.  Organisations will face hefty fines for non-compliance, and the risk of individuals bringing private claims for breach of their data privacy rights.

The Article 29 Working Party (consisting of representatives of national data protection authorities) is also expected to shortly issue guidance at European level on Data Protection Officers, Data Portability, and Designation of Lead Supervisory Authority.

New legislation on interception of communications


The Department of Justice and Equality has published a policy document on amending the law relating to the interception of communications. The purpose of interception legislation is to assist in the fight against organised crime and to protect the security of the State.

Irish legislation relating to interception is out-of-date and needs to be amended to provide for lawful interception of email and other forms of communication over the internet. Interception is controlled, to a limited extent, by the Postal and Telecommunications Services Act 1983, and the Interception of Postal Packets and Telecommunications (Regulation) Act 1993. That legislation is restricted to Telecoms and Postal Service providers (i.e. voice calls, text messages and postal packets). 

The Government intends to introduce approximately 50 amendments to the current regime, with the primary aim of ensuring that communications services delivered over the internet are covered by our lawful interception legislation.  Accordingly, the definition of "information society services" will be amended to cover "internet referencing services, social media", and "any other entity providing a publicly available means of communication over an electronic communications network." The definition of "interception" will also be amended to reflect modern communications characteristics.  It will essentially be "an action, the effect of which is to make some or all of the content of a communication available to a person". 

The Government intends to request the Law Reform Commission to carry out a review of the law on investigatory powers relating to communications, which will give interested parties an opportunity to provide their perspective on this issue.  It is likely, however, that the LRC report will come after the current proposals have been implemented.


UK will say "Yes" to UPC

The UK has confirmed today that it intends to ratify the International Agreement on a Unified Patent Court. The Minister of State for Energy and Intellectual Property, Baroness Neville-Rolfe, reportedly made the statement at a meeting of the EU Competitive Council.

There has been much commentary on the political and legal challenges the UK would face in joining the system post-Brexit. It remains a possibility that the UK could join the system and then be ejected, something which is most likely to be determined post-Brexit.


CJEU rules IP addresses may constitute personal data

On 19 October 2016, the CJEU ruled, in Breyer v Bundesrepublik Deutschland (Case C-582/14), that dynamic IP addresses may constitute "personal data" under the Data Protection Directive, where a website operator has the legal means of identifying the visitor by use of additional information held about him/her by the ISP.  The decision confirms the stance taken in Scarlet Extended (Case C-70/10) (at para. 51), where the CJEU essentially held that IP addresses are "personal data" because they allow those users to be precisely identified. However, that finding by the CJEU related to the situation in which the collection and identification of the IP addresses of internet users is carried out by ISPs.

The CJEU's decision in Breyer is, however, at odds with the approach taken by the Irish High Court, in EMI Records v Eircom [2010] IEHC 108, which held that IP addresses were not personal data in the hands of record companies.

Although the decision does not refer to pseudonymous data, it supports the view of the Article 29 Working Party and the Irish Data Protection Commissioner that pseudonymous data, such as key-coded data, which allows identification using indirect means, may be "personal data" and fall within the remit of the Directive.


A&L Goodbody Guide on the EU General Data Protection Regulation

On 5th October 2016, our IP & Technology team hosted a seminar on the new EU General Data Protection Regulation (GDPR), which takes effect from 25 May 2018.  The Data Protection Commissioner, Helen Dixon, gave a keynote address at the event, which was followed by commentary from our IP and Technology Partners, John Whelan, John Cahir, Mark Rasdale and Claire Morrissey.

The GDPR introduces substantial changes to EU data protection law.  Companies have 19 months remaining in which to make preparations for the GDPR, but given its extra-territorial scope; new concepts such as accountability and privacy by design and default; enhanced rights of data subjects, and severe financial penalties for non-compliance, it is important for businesses to start taking steps now to review and revise their data protection policies and procedures as appropriate. 

To assist businesses with understanding the key changes introduced by the GDPR, its likely impact, and action points to consider, A&L Goodbody has prepared a Guide for Businesses which is available to download from our website:

The GDPR: A Guide for Businesses

The Central Bank of Ireland publishes new Cross Industry Guidance on IT and Cybersecurity Risks

On 13 September 2016, the Central Bank of Ireland (the CBI) published new guidance on IT risk management and cybersecurity for financial service firms. Publication of the Guidance follows the CBI's previous actions in relation to cyber risks in the funds, insurance and banking sectors (see previous blog here). The CBI acknowledges that IT plays an integral part in the supply of financial services and calls on Boards and Senior Management of regulated firms to recognise the ever-increasing incidence of cyber-attacks and business interruptions. It requests such firms to acknowledge their responsibilities in this regard and prioritise IT security. This responsibility involves establishing and maintaining a resilient IT strategy, while ensuring that it aligns with the firm's general business strategy. It states that robust oversight and engagement on IT matters at the Board and Senior Management level promotes an IT and security risk aware culture within the firm.


ISP not required to remove defamatory statements

The High Court in Muwema v Facebook Ireland Ltd [2016] IEHC 519 held that Facebook had no duty to remove defamatory content posted by an anonymous third party. Justice Binchy did, however, make a Norwich Pharmacal order requiring Facebook to disclose the identity and location of the person operating the page involved.


CJEU finds linking to freely available but unauthorised content may not constitute copyright infringement

In GS Media v Sanoma Media Netherlands and Others (C-160/15), the CJEU held that the posting of a hyperlink on a website, giving access to copyright-protected work on another website, will not constitute a "communication to the public" under Article 3(1) of the Copyright Directive 2001/29/EC, if the person posting the link did not do so to seek financial gain, and did not know that the hyperlink was published illegally without the consent of the copyright holder.  In contrast, if a hyperlink is provided for profit, knowledge of the illegality of the publication on the other website must be presumed.


Free WiFi providers not liable for users' copyright infringements

The CJEU has confirmed the AG's Opinion, in McFadden v Sony Music Entertainment Germany (C-484/14),  that operators of a free Wi-Fi service, who offer that service to the public, are not liable for copyright infringements committed by users of that network. However, such an operator may be required to password-protect its network in order to bring an end to, or prevent, such infringements.


High Court refuses oral hearing of complaint to Data Protection Commissioner

In Martin v Data Protection Commissioner [2016] IEHC 479, Mr Martin sought to challenge the Data Protection Commissioner's (DPC) refusal to investigate disputed facts of his data protection complaint via an oral hearing. The High Court held that the DPC was not empowered to hold an oral hearing under the Data Protection Directive 95/46/EC or the Data Protection Acts 1988 and 2003 (the Acts), even where there is a conflict of evidence. Furthermore, the requirements of natural and constitutional justice do not confer an inherent power on the DPC to do so.

The decision confirms that it cannot be inferred from the Acts, which impose on the DPC a duty to investigate and make a decision in relation to a complaint, that the DPC has the power to conduct an oral hearing. Individuals do, however, have a right to appeal a decision of the DPC to the Circuit Court where an oral hearing can take place.


Potential light at the end of the wifi tunnel

An Advocate General of the CJEU has expressed his opinion that operators of a free Wi-Fi service, who offer that service to the public, will be protected by the mere conduit defence under the E-Commerce Directive and will therefore not be liable for copyright infringement committed by users of that network. Advocate General Szpunar has published his opinion in response to a series of questions posed to the CJEU in Case C-484/14 Tobias McFadden v Sony Music Entertainment Germany GmbH. The case came about following an illegal download of a musical work in 2010, which prompted Sony to bring an action for damages and injunctive relief against Mr. McFadden - the operator of a business selling and renting lighting and sound systems near Munich which offered the free Wi-Fi network accessible to the public (over which the music work was unlawfully downloaded).


CJEU delivers judgment on applicable data protection law

On 28 July 2016, the Court of Justice of the EU (CJEU), in VKI v Amazon EU Sàrl (Case C-191/15), reconfirmed its earlier decision in Weltimmo (C-230/14) regarding the test for applicable law in relation to data processing activities.

The CJEU held that the processing of personal data by an undertaking engaged in electronic commerce is governed by the law of the Member State to which it directs its activities, if the undertaking carries out the data processing in question "in the context of the activities" of an establishment situated in that Member State.  It is for the national court to determine whether that is the case.  The fact that the undertaking does not have a branch or subsidiary in that Member State does not preclude it from having an establishment there.  The degree of stability of the arrangements and the effective exercise of activities in the Member State in question must be assessed. 

The CJEU also held that a standard term choosing a seller or supplier's law as governing law is unfair within the meaning of the Unfair Consumer Contracts Directive (93/13/EEC).  As a result companies will need to consider whether their standard choice of law clauses in Business to Consumer contracts are unfair and therefore invalid.
