A&L Goodbody Guide on the EU General Data Protection Regulation

On 5th October 2016, our IP & Technology team hosted a seminar on the new EU General Data Regulation (GDPR), which takes effect from 25 May 2018.  The Data Protection Commissioner, Helen Dixon, gave a keynote address at the event, which was followed by commentary from our IP and Technology Partners, John Whelan, John Cahir, Mark Rasdale and Claire Morrissey. 

The GDPR introduces substantial changes to EU data protection law.  Companies have 19 months remaining in which to make preparations for the GDPR, but given its extra-territorial scope; new concepts such as accountability and privacy by design and default; enhanced rights of data subjects, and severe financial penalties for non-compliance, it is important for businesses to start taking steps now to review and revise their data protection policies and procedures as appropriate. 

To assist businesses with understanding the key changes introduced by the GDPR, its likely impact, and action points to consider, A& L Goodbody have prepared a Guide for Businesses which is available to download from our website:

The GDPR: A Guide for Businesses

The Central Bank of Ireland publishes new Cross Industry Guidance on IT and Cybersecurity Risks

On 13 September 2016, the Central Bank of Ireland (the CBI) published new guidance on IT risk management and cybersecurity for financial service firms. Publication of the Guidance follows the CBI's previous actions in relation to cyber risks in the funds, insurance and banking sectors (see previous blog here). The CBI acknowledges that IT plays an integral part in the supply of financial services and calls on Boards and Senior Management of regulated firms to recognise the ever increasing incidences of cyber-attacks and business interruptions. It requests such firms to acknowledge their responsibilities in this regard and prioritise IT security. This responsibility involves establishing and maintaining a resilient IT strategy, while ensuring that it aligns with the firm's general business strategy. It states that a robust oversight and engagement on IT matters at the Board and Senior Management level promotes an IT and security risk aware culture within the firm.

Continue Reading...

ISP not required to remove defamatory statements

The High Court in Muwema v Facebook Ireland Ltd [2016] IEHC 519 held that Facebook had no duty to remove defamatory content posted by an anonymous third party. Justice Binchy did, however, make a Norwich Pharmacal order requiring Facebook to disclose the identity and location of the person operating the page involved.

Continue Reading...

CJEU finds linking to freely available but unauthorised content may not constitute copyright infringement

In GS Media v Sanoma Media Netherlands and Others (C-160/15), the CJEU held that the posting of a hyperlink on a website, giving access to copyright-protected work on another website, will not constitute a "communication to the public" under Article 3(1) of the Copyright Directive 2001/29/EC, if the person posting the link did not do so to seek financial gain, and did not know that the hyperlink was published illegally without the consent of the copyright holder.  In contrast, if a hyperlink is provided for profit, knowledge of the illegality of the publication on the other website must be presumed.

Continue Reading...

Free WiFi providers not liable for users' copyright infringements

The CJEU has confirmed the AG's Opinion, in McFadden v Sony Music Entertainment Germany (C-484/14),  that operators of a free Wi-Fi service, who offer that service to the public, are not liable for copyright infringements committed by users of that network. However, such an operator may be required to password-protect its network in order to bring an end to, or prevent, such infringements.

Continue Reading...

High Court refuses oral hearing of complaint to Data Protection Commissioner

In Martin v Data Protection Commissioner [2016] IEHC 479, Mr Martin sought to challenge the Data Protection Commissioner's (DPC) refusal to investigate disputed facts of his data protection complaint via an oral hearing. The High Court held that the DPC was not empowered to hold an oral hearing under the Data Protection Directive 95/46/EC or the Data Protection Acts 1988 and 2003 (the Acts), even where there is a conflict of evidence. Furthermore, the requirements of natural and constitutional justice do not confer an inherent power on the DPC to do so.

The decision confirms that it cannot be inferred from the Acts, which impose on the DPC a duty to investigate and make a decision in relation to a complaint, that the DPC has the power to conduct an oral hearing. Individuals do, however, have a right to appeal a decision of the DPC to the Circuit Court where an oral hearing can take place.

Continue Reading...

Potential light at the end of the wifi tunnel

An Advocate General of the CJEU has expressed his opinion that operators of a free Wi-Fi service, who offer that service to the public, will be protected by the mere conduit defence under the E-Commerce Directive and will therefore not be liable for copyright infringement committed by users of that network. Advocate General Szpunar has published his opinion in response to a series of questions posed to the CJEU in Case C-484/14 Tobias McFadden v Sony Music Entertainment Germany GmbH. The case came about following an illegal download of a musical work in 2010, which prompted Sony to bring an action for damages and injunctive relief against Mr. McFadden - the operator of a business selling and renting lighting and sound systems near Munich which offered the free Wi-Fi network accessible to the public (over which the music work was unlawfully downloaded).

Continue Reading...

CJEU delivers judgment on applicable data protection law

On 28 July 2016, the Court of Justice of the EU (CJEU), in VKI v Amazon EU Sárl (Case C-191/15) reconfirmed its earlier decision in Weltimmo (C-230/14) regarding the test for applicable law in relation to data processing activities.

The CJEU held that the processing of personal data by an undertaking engaged in electronic commerce is governed by the law of the Member State to which it directs its activities, if the undertaking carries out the data processing in question "in the context of the activities" of an establishment situated in that Member State.  It is for the national court to determine whether that is the case.  The fact that the undertaking does not have a branch or subsidiary in that Member State does not preclude it from having an establishment there.  The degree of stability of the arrangements and the effective exercise of activities in the Member State in question must be assessed. 

The CJEU also held that a standard term choosing a seller or supplier's law as governing law is unfair within the meaning of the Unfair Consumer Contracts Directive (93/13/EEC).  As a result companies will need to consider whether their standard choice of law clauses in Business to Consumer contracts are unfair and therefore invalid.

Continue Reading...

Advocate General advises that obligation to retain data imposed by a Member State on electronic communications service providers may be compatible with EU law

The Advocate General has given his Opinion in a case concerning the interpretation to be given in a national context to the judgment of the Court of Justice of the EU (CJEU) in 2014 in Digital Rights Ireland (which found the EU Data Retention Directive to be invalid). The Advocate General found that an obligation to retain data imposed by a Member State on providers of electronic communication services may be compatible with EU law, subject to strict requirements.

Continue Reading...

Privacy Shield - Not likely to be challenged by EU DPAs for at least one year

The Article 29 Working Party (WP29) has issued a Press Release indicating it still has concerns about the Privacy Shield.  However it appears that the WP29 (consisting of representatives of the EU Data Protection Authorities) will refrain from challenging the Privacy Shield until after mid-2017. 

Continue Reading...

Court of Appeal confirms jurisdiction to order ISPs to take action against copyright infringement

On 28th July 2016, the Irish Court of Appeal, in Sony Music Entertainment (Ireland) Ltd. & Ors v UPC Communications Ireland Ltd. [2016] IECA 231, confirmed that national courts have jurisdiction to grant graduated response system (GRS) injunctions against innocent intermediaries, such as ISPs, in response to alleged copyright infringement. This is the first GRS order of its kind made anywhere in the EU. 

The Court held that Article 8(3) of the Information Society Directive (2001/29/EC) (the 2001 Directive), implemented in Ireland by section 40(5A) of the Copyright and Related Rights Act 2000, provided the jurisdiction to grant such orders. Article 8(3) requires Member States to ensure that rightholders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe a copyright or related right.

Continue Reading...

ICO states that GDPR is still relevant for the UK

Following the Brexit Referendum and the uncertainty now surrounding the future of data flows between the UK and the remaining EEA States, the UK Information Commissioner's Office has published an update on its blog: "GDPR still relevant for the UK". The update emphasises the importance of the GDPR to many organisations in the UK and notes:

"With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to explain our view that reform of UK data protection law remains necessary."

For further guidance and analysis on the impact of Brexit for businesses and investors in both Ireland and Northern Ireland, please see our website here.

High Court finds brand survey evidence unreliable

In 2013, Mr Justice Gilligan refused an injunction sought by Galway Free Range Eggs Limited restraining Hillsbrook Eggs Limited from packaging or promoting their products under the name “O’Brien’s of Galway Free Range Eggs". The Court held that it was not satisfied that the packaging used by the defendant was likely to deceive the public but did accept that there were issues to put forward to trial.

The substantive High Court hearing was held recently before Mr Justice Tony O'Connor and one of the bigger issues before the Court was the use of survey evidence and the weight to be attached to such opinion evidence.   The Court was highly sceptical of the value of market opinions and related questionnaires and stated that in this specific case "the evidence offered on behalf of the plaintiff concerning brand confusion was tenuous and unreliable".

Continue Reading...

Microsoft wins landmark US appeal against search warrant for emails stored in Ireland

The US Second Circuit Court of Appeals, overturning an earlier court ruling from a lower court, has held that the US Government cannot compel Microsoft to hand over emails stored on a server in Dublin in a narcotics case. The decision is a milestone victory for privacy rights and will be greatly welcomed by US technology companies storing data abroad. It should also provide reassurance to European citizens that their data will be protected by European data protection laws and the US legal system will respect their privacy rights.

Continue Reading...

European Commission Adopts Privacy Shield

The European Commission has today adopted the Privacy Shield.  The Privacy Shield is intended to provide a framework for EU-US data transfers.

What is the Privacy Shield?

European data protection law restricts the transfer of personal data outside the European Economic Area (EEA) unless the country to which the data is transferred ensures an adequate level of data protection. The Privacy Shield is a mechanism for overcoming this restriction and legitimising the transfer of personal data to some US companies.

Why do we need the Privacy Shield?

Until 6 October 2015, over 4,000 US companies relied on the Safe Harbour regime to legitimise the transfer of personal data to the US.  The Safe Harbour regime was declared invalid by the Court of Justice of the EU (CJEU) on 6 October 2015.  The Privacy Shield will replace the Safe Harbour regime.

After the CJEU's ruling many US companies turned to the Model Contractual Clauses to legitimise their transatlantic data transfers.  The approval of the Privacy Shield will be welcomed by multinational companies, particularly as the Irish Data Protection Commissioner recently sought a referral to the CJEU to determine the legal status of data transfers under Model Contractual Clauses. However, Model Contractual Clauses remain a valid method of transatlantic transfer unless declared invalid by the CJEU, which may not be determined for up to another two years.

Continue Reading...