Cyber Risk & Data Privacy

By Davinia Brennan

The Government has published its legislation programme for Autumn 2017.  The programme lists priority legislation, legislation due to undergo pre-legislative scrutiny, and all other legislation it is working on. Listed below are the data protection, cyber-security and IP-related Bills coming down the track.

Priority legislation

  • Data Protection Bill – This Bill will give effect to and provide for derogations from the GDPR, and transpose the Law Enforcement Directive (2016/680). The Heads of Bill were published in May 2017, and pre-legislative scrutiny was completed in July 2017. The legislation programme lists the Bill as “priority legislation for publication” this Autumn, but there is no indication as to when exactly the Bill is expected to be finalised and start its passage through the Oireachtas. See our blog post on the Heads of Bill here.

Continue Reading Data Protection, Cyber-Security & IP legislation coming down the track

By John Cahir

In a much anticipated judgment, the Irish High Court yesterday decided to ask the Court of Justice of the European Union (CJEU) to rule on the validity of Standard Contractual Clauses (SCCs).


What is at stake?

SCCs, also known as “Model Contracts”, are contractual terms approved by the European Commission for validating transfers of personal data to countries outside the EEA region. SCCs are perhaps the most widely used legal instrument supporting EU-US data transfers. For many businesses, they are the only available means of lawfully transferring data to the US or other third countries.

If the SCCs are held to be invalid by the CJEU, many businesses operating from Europe will find themselves unable to lawfully transfer personal data to the US. This will in turn pose severe logistical and economic challenges to EU-US trade.

The legal challenge to the SCCs touches on the politically sensitive areas of data privacy and state surveillance. Therefore, a ruling that invalidates the SCCs will also present a fresh challenge for the EU and US authorities to negotiate a long lasting solution to transatlantic data transfers.

Pending the CJEU’s ruling, businesses can continue to rely on the SCCs.

How did the case come about?

Back in 2013, Mr Schrems complained to the Irish Data Protection Commissioner (DPC) about the transfer of his personal data by Facebook in Ireland to its parent company in the US under the EU-US Safe Harbour mechanism.

That complaint resulted in the invalidation of the EU-US Safe Harbour mechanism by the CJEU (Schrems I). Following the CJEU decision, Facebook placed reliance on the SCCs for making legal transfers of data between Ireland and the US, and Mr Schrems decided to reformulate his complaint against Facebook.

In the course of carrying out the new investigation, the DPC determined that she had “well-founded” objections in relation to the validity of the SCCs. In particular, she was concerned that there was an absence of effective legal remedies for EU citizens whose data are transferred to the US, and she believed that the SCCs do not answer these concerns. Only the CJEU can decide on the validity of European Commission decisions such as the SCCs. Therefore, the DPC applied to the Irish High Court so that questions regarding the validity of the SCCs could be brought before the CJEU.

What did the Irish High Court say?

Ms Justice Costello delivered a wide-ranging 152 page judgement. Of particular note are the following:

Court’s Jurisdiction

  • The Court rejected the argument advanced by Facebook that the case is concerned with processing of data for “national security” purposes and that consequently it falls outside the scope of EU law by virtue of Article 4(2) of the Treaty on the European Union, which reserves competence over national security issues to Member States.
  • In particular, the Court held that this submission was inconsistent with the ruling of the High Court and the CJEU in Schrems I, where the court proceeded on the basis that it had jurisdiction to rule on the reference.
  • The Court also rejected the argument that the EU-US Privacy Shield precludes the making of a reference to the CJEU. The Court held that the Privacy Shield is a decision that is confined to data transferred to US organisations that have self-certified as complying with the Privacy Shield principles, and that it is not an unconditional adequacy decision.

SCCs

  • The Court agreed with the DPC that the SCCs alone cannot ensure an adequate level of protection in third countries for data protection rights. Even when data has been transferred to a third country under the SCCs, “the data is still entitled to a high level of protection” and “DPAs have an obligation to ensure that the data still receives a high level of protection and they are expressly granted powers to suspend or prohibit data transfers” (paragraph 153).
  • The terms of the SCCs do not themselves provide an answer to the concerns raised by the DPC and the Court focussed on the question of whether Article 4 of the SCCs and Article 28 of the Data Protection Directive (the Directive) alleviated those concerns – these provisions enable a national data protection authority to ban or suspend data transfers to third countries.
  • The Court ruled that a referral to the CJEU is necessary to determine whether the existence of the discretionary power conferred on the DPC by Article 4 of the SCCs and Article 28(3) of the Directive to suspend or ban data transfers to a non-EEA country, on the basis of the legal regime in that country, is sufficient to secure the validity of the SCCs.

Article 47/52 of the Charter

  • The Court held that the DPC had raised well-founded concerns that there is an absence of an effective remedy in US law compatible with the requirements of Article 47 of the Charter of Fundamental Rights, for an EU citizen whose data are transferred to the US.
  • The Court agreed with the DPC that there are well-founded concerns that the limitations on the Article 47 right, faced by EU data subjects in the US, are not proportionate or strictly necessary within the meaning of Article 52(1) of the Charter.

Uniformity

  • The Court noted the undesirability of having data transfers banned in one Member State under the SCCs on the basis of the inadequate laws of the third country, but without that ban impacting on transfers made to the same third country from other EU member states.  The Court indicated that only a decision of the CJEU can resolve the potential for inconsistent applications of the Directive in this regard.

Privacy Shield Ombudsperson

  • The Court agreed with the DPC that there are well-founded concerns that the Privacy Shield Ombudsperson redress mechanism, which is available to data subjects whose data are transferred under SCCs (as well as the EU-US Privacy Shield), does not respect the essence of EU citizens’ rights under Article 47 of the Charter.
  • The Court held that a decision of the CJEU is necessary to determine whether the mechanism amounts to a remedy satisfying the requirements of Article 47.

What next?

The Court has not yet framed the questions to be sent to the CJEU.  The parties to the proceedings will be afforded an opportunity to make written submissions on the form of such questions to be referred to the CJEU, and the Court will then determine the exact questions to refer.

Once the reference is made, it will be for the CJEU to fix a hearing date. It usually takes an average of 1.5 years before the CJEU rules on a reference, although the CJEU may decide to prioritise the hearing of this case given its importance.

For further information, please contact John Whelan, John Cahir, Mark Rasdale or Claire Morrissey.

By Davinia Brennan

The Data Protection Commissioner (DPC) has called for submissions on issues of Transparency and International Data Transfers under the GDPR. The submissions received by the DPC from its consultation will be shared with the Article 29 Working Party (WP29), at its third Fablab in Brussels on 18 October 2017 to inform the preparation of new guidelines on transparency under the GDPR and the updating of existing guidelines on international data transfers.

Continue Reading DPC consultation on international transfers & transparency under the GDPR

By Davinia Brennan

The EU Council has proposed amendments to the draft ePrivacy Regulation (the Regulation). The Presidency points out that work on the text will be incremental and this is only its first redraft.

Proposed amendments include:

Scope – The Presidency clarifies the precise material and territorial scope of the Regulation, as including:

  • the processing of electronic communications content in transmission, and of electronic communications metadata carried out in connection with the provision of electronic communications services to end-users in the EU;
  • information related to, processed by, or stored in the terminal equipment of end users located in the EU;
  • the placing on the market of software permitting electronic communications, including the retrieval and presentation of information on the internet;
  • the offering of a publicly available directory of end-users of electronic communications services located in the EU, and
  • the sending or presenting of direct marketing communications to end users located in the EU.

Continue Reading EU Council proposes revisions to the draft ePrivacy Regulation

By Davinia Brennan

The U.S. Federal Trade Commission (FTC) announced on 8 September that three U.S. companies have agreed to settle FTC charges that they misled consumers by falsely claiming they were certified to participate in the Privacy Shield. In separate complaints, the FTC alleges that all three companies failed to complete the certification process for the Shield. As part of their settlements with the FTC, the three companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization, and must comply with FTC reporting requirements. The actions against the three companies are the first cases the FTC has brought to enforce the Shield, which was adopted in July 2016.

Continue Reading Three U.S. companies charged for falsely claiming compliance with Privacy Shield

By Davinia Brennan

Employee monitoring versus privacy rights is back in the spotlight due to today’s decision by the Grand Chamber of the European Court of Human Rights (ECHR) in Bărbulescu v. Romania.  The Grand Chamber held there had been a violation of Article 8 of the European Convention on Human Rights, where an employer monitored and accessed personal emails sent by an employee during work hours from his Yahoo Messenger account, using a company computer, without notifying the employee in advance of such monitoring.

Continue Reading ECHR rules employees must receive prior notice of email monitoring

By Chris Stynes

On 26 July 2017 the Court of Justice of the European Union (CJEU) delivered its Opinion that the draft Passenger Name Record (PNR) Agreement between the EU and Canada is not compatible with the EU Charter of Fundamental Rights (the Charter) and may not be concluded in its current form. The Opinion follows a referral by the European Parliament to the CJEU and is the first time the Court has been requested to examine the compatibility of an international agreement with the EU Charter.

The Court observed that the Charter rights are not absolute, and that an agreement allowing for the transfer and retention of data to ensure public security would be capable of justifying even serious interference with fundamental rights such as privacy and personal data protection. Any such interference should, however, be (1) proportionate, (2) strictly necessary and (3) guided by clear and precise rules governing its scope and application. The transfer of sensitive data would also require a precise and solid justification in addition to that of public security and the Court concluded that in this instance, there was no such justification.

Retention of Data

The envisaged Agreement provided that PNR data may be retained by Canada for five years after receipt of such data. The Court observed that the retention of data for the duration of a visitor’s stay in Canada did not exceed the limits of what is strictly necessary, but noted that as PNR data would be used as part of the verification process to grant entry into the territory, subsequent use of that data would require fresh justification by way of new circumstances or objective evidence. The Court suggested that, except in cases of valid urgency, any decision by Canadian authorities to use PNR data after entry has been granted should be subject to prior review by a court or independent body. The retention of data after departure from Canada should also be limited to those air passengers for whom there is objective evidence indicating a terrorism or crime risk.

The Court declared that as a number of other provisions were vague and did not adequately address the processing of PNR data in a clear and precise manner, it was not satisfied that the Agreement in its current form was compatible with the Charter.


By Davinia Brennan

Stakeholders have written a joint letter to the Article 29 Working Party (WP29) expressing their concerns about the GDPR consultation process. They believe that the GDPR consultation processes which have taken place so far, with 30-day deadlines to respond, were much too short, and that a reasonable consultation period (for example 8 weeks) should be set.

An additional concern is that the WP29 guidelines effectively introduce additional rules. The WP29 guidelines are non-binding, but can still be introduced as compulsory requirements at national level.  The stakeholders therefore point out that whilst it is important that they provide clarity and help facilitate implementation, they should not undermine the GDPR’s provisions.

To date, the WP29 have issued guidelines on data portability, data protection officers and lead supervisory authorities, as well as draft guidelines on data protection impact assessments.  Further guidance is being prepared by the WP29 on:

  • Administrative fines
  • Certification
  • Consent
  • Profiling
  • Notification of personal data breaches
  • Transparency
  • Tools for international transfers


Joint letter to express concerns about the stakeholder consultation for Article 29 Working Party data protection guidelines

By Chris Stynes

The Article 29 Working Party (WP29) has recently provided its Opinion 2/2017 on data processing at work. The Opinion, adopted on 8 June 2017, highlights the risks and challenges of processing employees’ personal data in light of new technologies. While the Opinion focuses on the current data protection regime, it also considers some of the obligations arising under the General Data Protection Regulation (GDPR) from 25 May 2018.

The Opinion emphasises that despite a proliferation of new and affordable technologies that facilitate both covert and overt surveillance, fundamental principles of data protection will continue to apply. These principles include:

  • the satisfaction of a legal basis to process under Article 7 of the DPD;
  • whether the processing activity is both necessary and fair to the employee;
  • whether the processing activity is proportionate; and
  • whether the processing activity is transparent.

The WP29 reiterate that due to the imbalance between employer and employee, consent as a legal basis of processing will not be satisfactory for the majority of data processing at work. In some cases, the employer will be able to rely on contractual necessity to process personal data (such as paying the employee). The imposition of legal obligations (such as for the purpose of tax calculation) will also constitute a valid legal basis for processing. In order to rely on legitimate interests to legitimise data processing, the technology or method utilised must be necessary, proportionate and carried out in the least intrusive manner possible.

The WP29 emphasise that regardless of the legal basis for processing, a proportionality test should be undertaken prior to its commencement to consider whether the processing is necessary to achieve a legitimate purpose, as well as ensuring that any measures infringing the right to private life and secrecy of communications are limited to a minimum. This can form part of a Data Protection Impact Assessment (DPIA).

GDPR

The WP29 comment that the GDPR requires the most privacy friendly settings to be provided as default when an employer issues a device to an employee. The GDPR also requires a DPIA to be carried out when processing is likely to result in a high risk to the rights and freedoms of employees, particularly when using new technologies. The employer must consult the supervisory authority prior to processing if these risks cannot be adequately addressed. The WP29 Opinion considers a number of data processing at work scenarios in which new technologies have the potential to result in high risks to the privacy of employees. In all such cases the WP29 highlight that the employer must consider whether the proposed processing is: (i) necessary, and if so the legal grounds that apply; (ii) fair to employees; (iii) proportionate to the concerns raised; and (iv) transparent.

The full opinion can be read here.

By John Cahir

The General Scheme of the Data Protection Bill 2017 was published last Friday and we have prepared a summary of its main provisions here.

The drafting of the Bill is a complex task. There is a need to repeal the provisions of the Data Protection Acts 1988 and 2003 that are replaced by the directly effective provisions of the GDPR, to transpose the Law Enforcement Directive (2016/680) and at the same time to give effect to provisions of the GDPR that require national implementing measures.

Although not stated definitively, it appears that consideration is being given to having a full repeal of the Data Protection Acts 1988 and 2003 with the new Act to be a consolidating measure. That would be a welcome development.

The stand out proposals of general interest in the Bill include:

  • Confirmation that only public authorities who compete with the private sector will be susceptible to administrative fines.
  • The proposal that additional due process in the form of an oral hearing or a written “right of reply” will be available under the new administrative sanctions procedure.
  • A new power of the DPC to direct that a controller/processor engage an independent reviewer to prepare a written report on any matter specified by the DPC, with the cost of the report to be borne by the data controller/processor. This is an entirely new investigative mechanism that has been designed to deal with “large scale cases”.

We will provide regular updates on the Bill’s progress.