On 1 January 2021, the Trade and Co-operation Agreement (TCA) came into force and the general principles of EU law, existing EU treaties and EU free movement rights ceased to apply in the UK, after the transition period set out in the Withdrawal Agreement ended on 31 December 2020. Under the European Union (Withdrawal) Act 2018, EU regulations only continue to apply in the UK to the extent that they have not been modified or revoked by regulations under that Act.

The TCA itself had very little impact on IP rights – it provides minimum measures for IP protection with scope for implementing stricter measures. The minimum measures have already been implemented in the UK and EU. Under the TCA, intellectual property rights (IPRs) (both registered and unregistered) will continue to be protected to at least the standards required by the international agreements which the UK and EU are both parties to, and, in many cases, to a higher standard.

Read More

Photo of Davinia Brennan

The EU Commission looks set to adopt two adequacy decisions in favour of the UK, which will allow businesses to continue to freely transfer personal data from the EU/EEA to the UK.  On 19 February 2021, the EU Commission published two draft adequacy decisions permitting transfers of personal data to the UK under the GDPR, and under the Law Enforcement Directive (LED).

Once adopted, the decisions will replace the interim solution agreed under the EU-UK Trade and Cooperation Agreement (previously discussed here). That agreement allows businesses to transfer personal data from the EU/EEA to the UK, without putting in place additional safeguards, until 30 June 2021 or an adequacy decision comes into effect, whichever is sooner.

Next steps

The EU Commission will next obtain an opinion from the EDPB. It will then need to obtain the green light from a committee of representatives of the EU Member States.  Once this procedure is completed, the EU Commission may adopt the UK adequacy decisions. In line with Article 45(3) of the GDPR and Article 36 of the LED, the UK adequacy decisions will be reviewed every four years to ensure the UK continues to offer an adequate level of protection.

The UK Government’s Press Release welcoming the draft adequacy decisions is available here.


Photo of Davinia Brennan

On 10 February 2021, the EU Member States agreed on the EU Council’s negotiating mandate for the draft ePrivacy Regulation. The new Regulation will repeal and replace the existing ePrivacy Directive 2002/58/EC. The text approved by the EU Member States allows the EU Council to start negotiations with the European Parliament on the final text of the ePrivacy Regulation.

Key Highlights

The EU Council’s Press Release sets out the key highlights of the draft ePrivacy Regulation, which include:

  • The rules will apply when end-users are in the EU. This also covers cases where the processing takes place outside the EU or the service provider is established or located outside the EU.
  • The Regulation will cover electronic communications content and metadata (such as information on location, time and recipient of a communication).

Continue Reading EU Council agrees its position on draft ePrivacy Regulation

Photo of Davinia Brennan

The Irish Data Protection Commission (DPC) has imposed a €70,000 fine on University College Dublin (UCD) for failure to implement appropriate security measures; storing data longer than necessary, and delaying in notifying the DPC of a data breach. This is the sixth GDPR fine imposed by the DPC.  Previous GDPR fines included 3 fines on Tusla (the Child and Family Agency) amounting to a total of €200,000; a €450,000 fine on Twitter, and a €65,000 fine on the HSE. These fines similarly concerned failure to implement appropriate security measures to prevent the unauthorised disclosure of personal data; delaying in notifying the  DPC of the data breach; and failing to adequately document the breach.

Continue Reading DPC fines UCD €70,000 for GDPR breach

Photo of Davinia Brennan

On 15 December 2020, the Minister for Health announced Ireland’s National COVID-19 Vaccination Strategy. The first vaccine was approved for use on 21 December 2020, with the first dose administered in Ireland on 29 December 2020. A second vaccine was approved for use on 6 January 2021 and the approval of additional vaccines is anticipated in the coming months.

In light of the rapidly deteriorating public health situation and the widespread prevalence of COVID-19 in the community, it is clear that the prompt implementation of Ireland’s vaccination strategy is the only viable way out of this pandemic. With this in mind, employers need to get to grips with some novel and complex issues that will arise this year as some, but perhaps not all, of their workforce is vaccinated. In this publication we consider some of the key issues (including data protection concerns), that employers are likely to encounter as the vaccination strategy is ramped up and more of the working population become eligible for vaccination.

Go to publication

No doubt the famous fictional detective would have been only too happy to lend his detective skills to get to the bottom of the copyright infringement case brought by Arthur Conan Doyle’s estate against, amongst others, Netflix and the producers of the recent Netflix film, Enola Holmes. The case was dismissed in December, presumably because the parties reached a settlement, although this hasn’t been confirmed.


For those who haven’t yet worked their way through all of Netflix’s recent releases, ‘Enola Holmes’ is a film based on a book by Nancy Springer, and centres around the teenage sister of the famous detective, as she goes to London in search of her mother who has disappeared.

The film was released in September 2020, but three months before that, the Conan Doyle Estate (CDE) issued legal proceedings in the USA against, amongst other defendants, Nancy Springer, Netflix and the producers of the film, for (i) copyright infringement in relation to the film’s depiction of Sherlock Holmes, and (ii) trade mark infringement in relation to the use of the ‘Holmes’ name in the film’s title.

Continue Reading Sherlock Holmes and the copyright infringement claim

Photo of Davinia Brennan

The Government has published its legislation programme for Spring 2021. The programme contains 32 bills for publication and prioritisation by the Government.

Key Bills of relevance to the data protection, commercial and technology sector include:

Bills expected to undergo pre-legislative scrutiny  

  • Online Safety and Media Regulation Bill – This Bill will provide for the establishment of a Media Commission (including an Online Safety Commissioner), the dissolution of the Broadcasting Authority of Ireland, a regulatory framework to tackle the spread of harmful online content, and implementation of the revised Audiovisual Media Services (AVMS) Directive 2018/1808. The heads of Bill were published on 9 January 2020, and 8 December 2020. Member States were due to implement the revised AVMS Directive in national law by 19 September 2020, so Ireland has missed this deadline.
  • Hate Crime Bill– This Bill will repeal the Prohibition of Incitement to Hatred Act 1989, to provide for new and aggravated offences, including an offence of incitement. The Heads of Bill are in preparation.

Continue Reading Government publishes Spring Legislative Programme

Photo of Davinia Brennan

On 24 December 2020, the EU and UK reached a consensus on the Trade and Cooperation Agreement (the Agreement). The agreement allows personal data to continue to flow freely from the EU/EEA to the UK for up to 6 months after 1 January 2021, or until an adequacy decision is adopted (whichever is earlier). This provides the European Commission with some further time to make an adequacy decision in relation to the UK.

Continue Reading Trade Agreement keeps EU-UK personal data flowing for 6 months

Photo of Davinia Brennan

The European Data Protection Board (EDPB) recently published new Guidelines to help businesses comply with their obligation to adopt a Data Protection by Design and by Default (DPbDD) approach when processing personal data.

Article 25 GDPR requires controllers to implement appropriate technical and organisational measures and safeguards that provide effective implementation of the data protection principles, and protect data subjects’ rights, by design and by default.  Article 25 prescribes both design and default elements that should be taken into account.

A controller must adopt a DPbDD approach at all stages of developing processing activities, including tenders, outsourcing, development, support, maintenance, testing, storage, deletion, etc.  The importance of complying with the DPbDD obligation is underlined by the fact that it is a factor for competent supervisory authorities to consider when  determining whether to impose an administrative fine and the level of that fine (Article 83(2)(d)).

Continue Reading EDPB publish new guidelines on data protection by design and by default

The purpose of copyright is to protect original artistic works, but Banksy is well-known for his view that “copyright is for losers”, which may well be linked to the fact that he would likely lose his anonymity by asserting copyright over his works. He has instead sought protection from commercialisation by third parties of his works through various trade mark registrations. However, a recent decision by the EUIPO has put an end to his trade mark registration protecting one of his most famous pieces of art.

Continue Reading Banksy loses EU trade mark due to “bad faith”