Cyber Risk & Data Privacy

By John Cahir

The General Scheme of the Data Protection Bill 2017 was published last Friday and we have prepared a summary of its main provisions here.

The drafting of the Bill is a complex task. There is a need to repeal the provisions of the Data Protection Acts 1988 and 2003 that are replaced by the directly effective provisions of the GDPR, to transpose the Law Enforcement Directive (2016/680) and at the same time to give effect to provisions of the GDPR that require national implementing measures.

Although not stated definitively, it appears that consideration is being given to having a full repeal of the Data Protection Acts 1988 and 2003 with the new Act to be a consolidating measure. That would be a welcome development.

The standout proposals of general interest in the Bill include:

  • Confirmation that only public authorities who compete with the private sector will be susceptible to administrative fines.
  • The proposal that additional due process in the form of an oral hearing or a written “right of reply” will be available under the new administrative sanctions procedure.
  • A new power of the DPC to direct that a controller/processor engage an independent reviewer to prepare a written report on any matter specified by the DPC, with the cost of the report to be borne by the data controller/processor. This is an entirely new investigative mechanism that has been designed to deal with “large scale cases”.

We will provide regular updates on the Bill’s progress.

By Davinia Brennan

The Article 29 Working Party (WP29) (consisting of data protection regulators from the 28 Member States) has adopted an Opinion 01/2017 on the proposed e-Privacy Regulation, which will repeal and replace the e-Privacy Directive. Whilst the WP29 welcomes the proposal, it identifies several points of concern, and sets out how the proposal can be improved.

Continue Reading WP29 gives lukewarm welcome to proposed e-Privacy Regulation

By Davinia Brennan

The Article 29 Working Party (WP29) has proposed guidelines to help organisations identify when it is necessary to carry out a Data Protection Impact Assessment (DPIA) and how to do so. The guidelines are open to public comment until 23 May 2017. DPIAs involve evaluating the potential impact that a new project will have on the privacy of individuals, and identifying ways to mitigate or avoid any adverse effects in advance of processing. The GDPR requires DPIAs to be carried out when processing is likely to result in a “high risk” to the rights and freedoms of natural persons.

Continue Reading WP29 publishes draft guidelines on DPIAs

By Davinia Brennan

The Data Protection Commissioner (DPC) has published her Annual Report for 2016. It highlights key developments and activities of her Office last year, as well as priorities for 2017, which will be “all about GDPR readiness”. 2016 was a busy year for the DPC’s Office. It dealt with an increased number of queries, complaints and data breach notifications. The DPC continued her engaged approach to regulation, engaging extensively with multinational companies, such as Facebook, LinkedIn, Apple and WhatsApp, on proposed new policies, products and services, conducting over 100 face-to-face meetings. The DPC also engaged with a number of entities in the public, health and private/financial sectors.

Continue Reading Data Protection Commissioner publishes Annual Report for 2016

By Davinia Brennan

The Article 29 Working Party (WP29) has issued its final guidance on Data Protection Officers (DPOs), Data Portability and Lead Supervisory Authority, in response to stakeholders’ comments. Some of the new points raised in the revised guidance are set out below.

Continue Reading WP29 issues final guidance on DPOs, Data Portability and Lead Authority

By Davinia Brennan

The CJEU has ruled (Case C-398/15) that there is no general right to be forgotten in respect of personal data in the companies register. However, upon expiry of a sufficiently long period after dissolution of a company, Member States may provide for restricted access to such data by third parties in exceptional cases. The CJEU’s decision is in line with its ruling in Google Spain (Case C-131/12) that the right to be forgotten is not absolute, and will always need to be balanced against other fundamental rights.

Continue Reading No right to be forgotten in respect of personal data in the companies register

By Davinia Brennan

The Information Commissioner (IC) has made a formal binding decision that records of lobbying communications with the Data Protection Commissioner (ODPC) are not accessible under the Freedom of Information (FOI) Act 2014. In Right to Know CLG v ODPC (Case No. 160447), the IC concluded that the ODPC was justified in refusing the applicant’s request on the ground that the records sought fell outside the scope of the FOI Act, as they did not concern the general administration of the ODPC’s office.

Continue Reading Data Protection Commissioner not required to disclose lobbying communications

By Davinia Brennan

The UK Court of Appeal has clarified the scope of the disproportionate effort exemption, and the relevance of motive, when responding to Data Subject Access Requests (DSARs). The decisions are interesting as the scope of the disproportionate effort exemption has caused considerable confusion in both the UK and Ireland. Neither the English nor the Irish Data Protection Acts (DPAs) define what constitutes “disproportionate effort”, and there is a paucity of Irish case-law on the issue. Nor has the Irish Data Protection Commissioner (DPC) provided any comprehensive guidance on the exemption.

Continue Reading Data Subject Access Requests – Proportionality and Motive

By Davinia Brennan

At a plenary meeting on 7 February 2017, the Article 29 Working Party (WP29) discussed the progress of its guidelines on the GDPR. The WP29 is continuing its work on Data Protection Impact Assessments (DPIAs), Certification and other topics. The DPIA guidelines are expected in April 2017, and the Certification guidelines in June 2017.

In regard to the Privacy Shield, the WP29 has decided that the EU centralised body, in charge of channelling complaints to the Ombudsperson, will be composed of 5 national Data Protection Authorities (DPAs). The WP29 has adopted two sets of template documents serving as complaint forms for submitting commercial-related complaints or requests under the Ombudsperson mechanism, and has adopted its rules of procedure.

The WP29 intends to send a letter to the US authorities:
(i) To raise concerns and seek clarification on the impact of Trump’s recent Executive Order on the Shield;
(ii) To request assurances on the way personal data will be dealt with by US authorities regarding complaints under the Shield, and
(iii) To provide answers to questions from the US authorities on the functioning of the centralised body.

The WP29 also intends to issue, in April 2017, an Opinion on the draft e-Privacy Regulation published by the Commission earlier this year.

Press Release: Article 29 Working Party – February 2017 Plenary Meeting

By Davinia Brennan

The European Commission has published its draft e-Privacy Regulation which, if adopted, will replace the existing e-Privacy Directive. The Regulation broadens the scope of the Directive, enhances the confidentiality of communications, and simplifies the rules on cookies and unsolicited electronic marketing.

Scope

The Regulation expands the scope of the e-Privacy Directive, which only applies to traditional telecoms providers. It is proposed that the Regulation will apply to any business that provides any form of online communication service, so all internet-based voice and messaging services will be subject to the new rules. The Regulation calls these providers “over-the-top communications service providers”. So Skype, WhatsApp, Facebook Messenger, Gmail, Viber and so forth will all come within the Regulation’s remit. This will ensure that these services guarantee the same level of confidentiality of communications as traditional telecoms operators.


Continue Reading The e-Privacy Regulation – What’s new?