The Information Commissioner (IC) has made a formal binding decision that records of lobbying communications with the Data Protection Commissioner (ODPC) are not accessible under the Freedom of Information (FOI) Act 2014. In Right to Know CLG v ODPC (Case No. 160447), the IC concluded that the ODPC was justified in refusing the applicant’s request on the ground that the records sought fell outside the scope of the FOI Act, as they did not concern the general administration of the ODPC’s office.
The UK Court of Appeal has clarified the scope of the disproportionate effort exemption, and the relevance of motive, when responding to Data Subject Access Requests (DSARs). The decisions are interesting as the scope of the disproportionate effort exemption has caused considerable confusion in both the UK and Ireland. Neither the English nor Irish Data Protection Acts (DPAs) define what constitutes “disproportionate effort” and there is a paucity of Irish case-law on the issue. Nor has the Irish Data Protection Commissioner (DPC) provided any comprehensive guidance on the exemption.
At a plenary meeting on 7 February 2017, the Article 29 Working Party (WP29) discussed the progress of its guidelines on the GDPR. The WP29 is continuing its work on Data Protection Impact Assessments (DPIAs), Certification and other topics. The DPIA guidelines are expected in April 2017, and the Certification guidelines in June 2017.
In regard to the Privacy Shield, the WP29 has decided that the EU centralised body, in charge of channelling complaints to the Ombudsperson, will be composed by 5 national Data Protection Authorities (DPAs). The WP29 has adopted two sets of template documents serving as complaint forms for submitting commercial related complaints or requests under the Ombudsperson mechanism, and has adopted its rules of procedure.
The WP29 intend to send a letter to the US authorities:
(i) To raise concerns and seek clarification on the impact of Trump’s recent Executive Order on the Shield;
(ii) To request assurances on the way personal data will be dealt with by US authorities regarding complaints under the Shield, and
(iii) To provide answers to questions from the US authorities on the functioning of the centralised body.
The WP29 also intend to issue an Opinion on the draft e-Privacy Regulation, published by the Commission earlier this year, in April 2017.
Press Release: Article 29 Working Party – February 2017 Plenary Meeting
The CJEU has once again been asked to consider the meaning of “communication to the public” within Article 3(1) of the Copyright Directive.
In Stichting Brein v Ziggo BV, XS4ALL Internet BV (Case C‑610/15), the CJEU has been asked to identify the scope of liability for copyright infringement committed by ‘card providers,’ namely sites such as The Pirate Bay, where files containing music and films are shared free of charge, and usually in breach of copyright.
On 8 February, 2017, the Attorney General (AG) delivered an Opinion advising the CJEU to find copyright infringement where a website (such as The Pirate Bay) indexes content available on peer-to-peer (P2P) networks, even where there is no actual content on the website. However the AG found copyright infringement will only occur where the website operator has actual knowledge of the illegality and takes no action. Accordingly, if copyright holders notify a site’s operators of the illegal nature of information appearing on the site, and they fail to take action to make access to that work impossible, then the site operator may be held liable.
The European Commission has published its draft e-Privacy Regulation which, if adopted, will replace the existing e-Privacy Directive. The Regulation broadens the scope of the Directive, enhances the confidentiality of communications, and simplifies the rules on cookies and unsolicited electronic marketing.
The Regulation expands the scope of the e-Privacy Directive, which only applies to traditional telecoms providers. It is proposed that the Regulation will apply to any business that provides any form of online communication service, so all internet based voice and messaging services, will be subject to the new rules. The Regulation calls these providers “over-the-top communications service providers”. So Skype, WhatsApp, Facebook Messenger, Gmail, Viber and so forth, will all come within the Regulation’s remit. This will ensure that these services guarantee the same level of confidentiality of communications as traditional telecoms operators.
EU consumers of online content services such as Netflix, Spotify or Sky Sports will soon be able to access their subscriptions while on holiday in or when otherwise visiting another Member State, due to the lifting of existing restrictions by a proposed new EU Regulation.
January 28th was European Data Protection Day and we marked the event by attending the 9th Annual Data Protection Conference which was held in the Aviva Conference Centre.
The two-day conference featured interactive workshops on the first day on ‘Privacy by Design’ and ‘Conducting a Data Protection Audit’. The second day included a line-up of notable speakers who spoke on topics related to the theme of the conference; “GDPR – It’s here, what’s next”. Dara Murphy, Minister of State for European Affairs, EU Digital Single Market and Data Protection spoke about his department’s work in preparing for GDPR and the importance of having a strong, well-resourced Office of the Data Protection Commissioner (ODPC). The Minister also announced plans for a data summit in June this year.
A&L Goodbody’s Claire Morrissey presented on “Legal Aspects of the GDPR” and took part in a lively Q&A session. Claire highlighted some of the key changes that the GDPR will bring including the need to demonstrate compliance, the new right of data portability, the new security reporting obligations and the ability for individuals to recover financial and non-financial loss (such as damages for distress or embarrassment in the event of inadvertent disclosure of personal data). She also offered some practical tips for ways in which businesses can prepare for the GDPR (some of which are available here).
The Office of the Data Protection Commissioner (the ODPC) has released a guidance note on connected toys (the Guidance Note). The Guidance Note highlights the possible data protection issues that might occur when children and parents use toys with microphones and cameras that have an ability to connect to the internet.
The ODPC warns of certain potential issues with the personification of connected toys, in particular dolls. Some of these toys provide an interactive experience by reacting to selected words. This may give the impression of an emotional response to what the child says or does. In some instances, these toys are enabled to collect and record these “conversations” between the child and the connected toy on apps, smartphones or tablets. The ODPC cautions that some of these connected toys’ terms and conditions allow these potentially sensitive recordings to be shared with other companies and used for the basis of targeted advertising.
The Article 29 Working Party (WP29) has released its Action Plan for 2017, setting out its priorities and objectives in the context of implementation of the EU GDPR for the year ahead. It has committed to finalize its work on topics undertaken in 2016 including guidelines on:
- Processing likely to result in a high risk & Data Protection Impact Assessments (DPIAs);
- Administrative fines;
- Setting up the European Data Protection Board (EDPB) structure;
- Preparation of the one stop shop, and
- The EDPB consistency mechanism.
The WP29 also intends to start work in 2017 on guidelines on:
- Profiling, and
At the same time, the WP29 intends to work on the update of already existing opinions and referentials on data transfers to third countries and data breach notifications.
Last December 2016, the WP29 also issued on data portability, lead authority, and Data Protection Officers. See our blog for more information.
In an earlier blog, we outlined that the UK confirmed its intention to ratify the International Agreement on a Unified Patent Court. In December 2016, the UK government proceeded to sign the Protocol on Privileges and Immunities of the Unified Patent Court. The Protocol provides EU privileges and immunities to the judges of the Unified Patent Court necessary for the exercise of its functions. The Protocol is required in the individual countries hosting divisions of the court, one of which is in London. This positive step would suggest that the UK is moving closer towards ratification.