Cyber Risk & Data Privacy

Photo of Chris Stynes

On 26 July 2017 the Court of Justice of the European Union (CJEU) delivered its Opinion that the draft Passenger Name Record (PNR) Agreement between the EU and Canada is not compatible with the EU Charter of Fundamental Rights (the Charter) and may not be concluded in its current form. The Opinion follows a referral by the European Parliament to the CJEU and is the first time the Court has been requested to examine the compatibility of an international agreement with the EU Charter.

The Court observed that the Charter rights are not absolute, and that an agreement allowing for the transfer and retention of data to ensure public security would be capable of justifying even serious interference with fundamental rights such as privacy and personal data protection. Any such interference should, however, be (1) proportionate, (2) strictly necessary and (3) guided by clear and precise rules governing its scope and application. The transfer of sensitive data would also require a precise and solid justification in addition to that of public security and the Court concluded that in this instance, there was no such justification.

Retention of Data

The envisaged Agreement provided that PNR data may be retained by Canada for five years after receipt of such data. The Court observed that the retention of data for the duration of a visitor’s stay in Canada did not exceed the limits of what is strictly necessary, but noted that as PNR data would be used as part of the verification process to grant entry into the territory, subsequent use of that data would require fresh justification by way of new circumstances or objective evidence. The Court suggested that except in cases of valid urgency, any decision by Canadian authorities to use PNR data after entry has been granted should be subject to prior review by a court or independent body. The retention of data after departure from Canada should also be limited to air passengers only when there is objective evidence available inferring a terrorism or crime risk.

The Court declared that as a number of other provisions were vague and did not adequately address the processing of PNR data in a clear and precise manner, it was not satisfied that the Agreement in its current form was compatible with the Charter.


Photo of Davinia Brennan

Stakeholders have written a joint letter to Article 29 Working Party (WP29) expressing their concerns about the GDPR consultation process. They believe that the GDPR consultation processes which have taken place so far with 30-day deadlines to respond were much too short, and that a reasonable consultation period (for example 8 weeks) should be set.

An additional concern is that the WP29 guidelines effectively introduce additional rules. The WP29 guidelines are non-binding, but can still be introduced as compulsory requirements at national level. The stakeholders therefore point out that whilst it is important that they provide clarity and help facilitate implementation, they should not undermine the GDPR’s provisions.

To date, the WP29 have issued guidelines on data portability, data protection officers and lead supervisory authorities, as well as draft guidelines on data protection impact assessments. Further guidance is being prepared by the WP29 on:

  • Administrative fines
  • Certification
  • Consent
  • Profiling
  • Notification of personal data breaches
  • Transparency
  • Tools for international transfers


Joint letter to express concerns about the stakeholder consultation for Article 29 Working Party data protection guidelines

Photo of Chris Stynes

The Article 29 Working Party (WP29) has recently provided its Opinion 2/2017 on data processing at work. The Opinion, adopted on 8 June 2017, highlights the risks and challenges of processing employees’ personal data in light of new technologies. While the Opinion focuses on the current data protection regime, it also considers some of the obligations arising under the General Data Protection Regulation (GDPR) from 25 May 2018.

The Opinion emphasises that despite a proliferation of new and affordable technologies that facilitate both covert and overt surveillance, fundamental principles of data protection will continue to apply. These principles include:

  • the satisfaction of a legal basis to process under Article 7 of the DPD;
  • whether the processing activity is both necessary and fair to the employee;
  • whether the processing activity is proportionate; and
  • whether the processing activity is transparent.

The WP29 reiterate that due to the imbalance between employer and employee, consent as a legal basis of processing will not be satisfactory for the majority of data processing at work. In some cases, the employer will be able to rely on contractual necessity to process personal data (such as paying the employee). The imposition of legal obligations (such as for the purpose of tax calculation) will also constitute a valid legal basis for processing. In order to rely on legitimate interests to legitimise data processing, the technology or method utilised must be necessary, proportionate and carried out in the least intrusive manner possible.

The WP29 emphasise that regardless of the legal basis for processing, a proportionality test should be undertaken prior to its commencement to consider whether the processing is necessary to achieve a legitimate purpose, as well as ensuring that any measures infringing the right to private life and secrecy of communications are limited to a minimum. This can form part of a Data Protection Impact Assessment (DPIA).

GDPR

The WP29 comment that the GDPR requires the most privacy friendly settings to be provided as default when an employer issues a device to an employee. The GDPR also requires a DPIA to be carried out when processing is likely to result in a high risk to the rights and freedoms of employees, particularly when using new technologies. The employer must consult the supervisory authority prior to processing if these risks cannot be adequately addressed. The WP29 Opinion considers a number of data processing at work scenarios in which new technologies have the potential to result in high risks to the privacy of employees. In all such cases the WP29 highlight that the employer must consider whether the proposed processing is: (i) necessary, and if so the legal grounds that apply; (ii) fair to employees; (iii) proportionate to the concerns raised; and (iv) transparent.

The full opinion can be read here.

Photo of John Cahir

The General Scheme of the Data Protection Bill 2017 was published last Friday and we have prepared a summary of its main provisions here.

The drafting of the Bill is a complex task. There is a need to repeal the provisions of the Data Protection Acts 1988 and 2003 that are replaced by the directly effective provisions of the GDPR, to transpose the Law Enforcement Directive (2016/680) and at the same time to give effect to provisions of the GDPR that require national implementing measures.

Although not stated definitively, it appears that consideration is being given to having a full repeal of the Data Protection Acts 1988 and 2003 with the new Act to be a consolidating measure. That would be a welcome development.

The stand out proposals of general interest in the Bill include:

  • Confirmation that only public authorities who compete with the private sector will be susceptible to administrative fines.
  • The proposal that additional due process in the form of an oral hearing or a written “right of reply” will be available under the new administrative sanctions procedure.
  • A new power of the DPC to direct that a controller/processor engage an independent reviewer to prepare a written report on any matter specified by the DPC with the cost of the report to be borne by the data controller/processor. This is an entirely new investigative mechanism that has been designed to deal with “large scale cases”.

We will provide regular updates on the Bill’s progress.

Photo of Davinia Brennan

The Article 29 Working Party (WP29) (consisting of data protection regulators from the 28 Member States) has adopted an Opinion 01/2017 on the proposed e-Privacy Regulation, which will repeal and replace the e-Privacy Directive. Whilst the WP29 welcomes the proposal, it identifies several points of concern, and sets out how the proposal can be improved.

Continue Reading WP29 gives lukewarm welcome to proposed e-Privacy Regulation

Photo of Davinia Brennan

The Article 29 Working Party (WP29) has proposed guidelines to help organisations identify when it is necessary to carry out a Data Protection Impact Assessment (DPIA) and how to do so. The guidelines are open to public comment until 23 May 2017. DPIAs involve evaluating the potential impact that a new project will have on the privacy of individuals, and identifying ways to mitigate or avoid any adverse effects in advance of processing. The GDPR requires DPIAs to be carried out when processing is likely to result in a “high risk” to the rights and freedoms of natural persons.

Continue Reading WP29 publishes draft guidelines on DPIAs

Photo of Davinia Brennan

The Data Protection Commissioner (DPC) has published her Annual Report for 2016. It highlights key developments and activities of her Office last year, as well as priorities for 2017, which will be “all about GDPR readiness”. 2016 was a busy year for the DPC’s Office. It dealt with an increased number of queries, complaints and data breach notifications. The DPC continued her engaged approach to regulation, engaging extensively with multinational companies, such as Facebook, LinkedIn, Apple and WhatsApp on proposed new policies, products and services, conducting over 100 face-to-face meetings. The DPC also engaged with a number of entities in the public, health and private/financial sectors.

Continue Reading Data Protection Commissioner publishes Annual Report for 2016

Photo of Davinia Brennan

The Article 29 Working Party (WP29) has issued its final guidance on Data Protection Officers (DPOs), Data Portability and Lead Supervisory Authority, in response to stakeholders’ comments. Some of the new points raised in the revised guidance are set out below.

Continue Reading WP29 issues final guidance on DPOs, Data Portability and Lead Authority

Photo of Davinia Brennan

The CJEU has ruled (Case C-398/15) that there is no general right to be forgotten in respect of personal data in the companies register. However, upon expiry of a sufficiently long period after dissolution of a company, Member States may provide for restricted access to such data by third parties in exceptional cases. The CJEU’s decision is in line with its ruling in Google Spain (Case C-131/12) that the right to be forgotten is not absolute, and will always need to be balanced against other fundamental rights.

Continue Reading No right to be forgotten in respect of personal data in the companies register

Photo of Davinia Brennan

The Information Commissioner (IC) has made a formal binding decision that records of lobbying communications with the Data Protection Commissioner (ODPC) are not accessible under the Freedom of Information (FOI) Act 2014. In Right to Know CLG v ODPC (Case No. 160447), the IC concluded that the ODPC was justified in refusing the applicant’s request on the ground that the records sought fell outside the scope of the FOI Act, as they did not concern the general administration of the ODPC’s office.

Continue Reading Data Protection Commissioner not required to disclose lobbying communications