Photo of Emma Creaven

The new Enforcement and Modernisation Directive 2019/2161, more commonly known as the ‘Omnibus Directive’ (the Directive), aims to strengthen consumer rights through enhanced enforcement measures and increased transparency requirements.

Key dates

EU Member States must adopt national implementation measures by 28 November 2021. The new requirements set out in the Directive must then come into force by 28 May 2022.

Who the Directive applies to

Those engaged in online business-to-consumer (B2C) transactions as well as companies offering digital services to consumers where payment by the consumers is in the form of personal data rather than money, will fall under the remit of the Directive.

Continue Reading New Deal for EU Consumers- the Omnibus Directive explained

Photo of Davinia Brennan

The Government has published its legislation programme for Autumn 2021. We have set out below the status of key Bills of relevance to the data protection, commercial and technology sector.

Priority legislation for publication and drafting this Autumn

  • Online Safety and Media Regulation (OSMR) Bill – This Bill will provide for the establishment of a multi-person Media Commission (including an Online Safety Commissioner), the dissolution of the Broadcasting Authority of Ireland, a regulatory framework to tackle the spread of harmful online content, and implementation of the revised Audiovisual Media Services (AVMS) Directive 2018/1808. The Heads of Bill were published on 9 January 2020, with additional provisions approved on 8 December 2020 and 18 May 2021. The government also approved the integration of the Broadcasting (Amendment) Bill into the OSMR Bill. Member States were due to implement the revised AVMS Directive in national law by 19 September 2020, so Ireland has missed this deadline. Pre-legislative scrutiny is ongoing. Further background information information on the proposed Bill is available here.
  • Consumer Rights Bill – This Bill will give effect to two EU Directives (770/2019 and 771/2019) on consumer contracts for the supply of digital content and digital services, and on consumer contracts for the sale of goods. It will also update and consolidate the statutory provisions on consumer rights and remedies in relation to contracts for the supply of non-digital services, unfair contract terms, and information and cancellation rights. The General Scheme of the Bill has been published for public consultation. The Heads of Bill were approved on 20 April 2021.

Continue Reading Government publishes legislation programme for Autumn 2021

Photo of Davinia Brennan

The DPC recently fined WhatsApp €225m for failing to discharge its transparency obligations under the GDPR. The decision will have implications for all businesses, particularly regarding their privacy notices and transparency obligations. The decision sets out the DPC’s high expectations in regard to businesses’ transparency obligations. It also clarifies the relevance of the consolidated turnover of the entire group of companies when calculating both the maximum fining cap, and the appropriate fine to impose.

This publication provides a deep dive into the DPC’s findings and considers their impact on businesses.

Photo of Sarah Cleary

The European Data Protection Board (EDPB) published its finalised Guidelines on the concepts of controller and processor in the GDPR (07/2020) (Guidelines) in July. These concepts play a crucial role in the application of the GDPR as they determine who is responsible for compliance with GDPR obligations and how data subjects can exercise their data protection rights in practice. In Part I, we outlined some of the key highlights of the Guidelines in respect of the controller and processor concepts. This Part II addresses the key highlights in respect of the joint controller concept and the implications of the joint controller relationship.

Continue Reading EDPB provides guidance on the concepts of controller and processor in the GDPR (Part II)

Photo of Sarah Cleary

The European Data Protection Board (EDPB) published its finalised Guidelines on the concepts of controller and processor in the GDPR (07/2020) (Guidelines) in July. These concepts play a crucial role in the application of the GDPR as they determine who is responsible for compliance with GDPR obligations and how data subjects can exercise their data protection rights in practice. In Part I of this blog, we outline some of the key highlights of the Guidelines in respect of the controller and processor concepts and the implications of the controller to processor relationship. Part II will address the key highlights of the Guidelines in respect of joint controllers.

Continue Reading EDPB provides guidance on the concepts of controller and processor in the GDPR (Part I)

Photo of John Whelan

The Agreement on a Unified EU Patent Court (UPC Agreement) has been ratified by Germany following legal challenges in recent years over the constitutionality of the ratification bill.

The UPC Agreement provides for the establishment of a Unified Patent Court (UPC) as a court common to all participating Member States, with exclusive competence in respect of European patents and European patents with unitary effect.

The UPC will replace all individual enforcement courts in participating Member States and is intended to remove the need for and the cost of multi-jurisdictional patent disputes.

Continue Reading One Step Closer to a Unified EU Patent Court

Photo of Davinia Brennan

The finalised EDPB Guidelines on the concepts of controller and processor (07/2020) in the GDPR were published this week. The Guidelines set out the EDPB’s recommendations on what should be included in data processing contracts between controllers and processors, in order to ensure compliance with Article 28 GDPR. We have set out some key highlights of the Guidelines below.

Continue Reading EDPB provides guidance on requirements of data processing contracts

Photo of Jessica Morris

The Data Protection Commission (DPC) recently published its decision following a formal inquiry into the Irish Credit Bureau DAC (the ICB) following the ICB’s notification to the DPC of a personal data breach on the 31 August 2018. The ICB is a credit reference agency that maintains a database on the performance of credit agreements between financial institutions and borrowers.

The personal data breach occurred when the ICB implemented a code change to its database that contained a technical error. As a result, between 28 June 2018 and 30 August 2018, the ICB database inaccurately updated the records of 15,120 closed accounts. This update had the effect of changing key data in a data subject’s record so that it appeared that their accounts had been closed recently, even where the loans or credit facilities had been paid off years before. This caused the ICB to disclose 1,062 inaccurate account records to financial institutions as part of credit checks, which would have potentially resulted in a refusal of credit in circumstances where it would have been granted. The records did not, however, misstate that a balance was outstanding on the accounts.

The incident was handled by the ICB as a data breach and was reported to the DPC. The DPC’s investigation focussed on the application of Data Protection by Design and by Default (Article 25), the appropriateness of organisational and technical controls under Article 24, and whether or not there was a joint controller relationship under Article 26 GDPR between the ICB and the lenders who shared data with them.

Continue Reading Irish Credit Bureau fine offers insight into the DPC’s use of its corrective powers

Photo of Davinia Brennan

In addition to issuing new Standard Contractual Clauses (SCCs) for international transfers of personal data to a third country outside the EEA, the European Commission has also published the finalised Article 28 SCCs for use between controllers and processors.  The Article 28 SCCs came into force on 27 June 2021. Unlike the SCCs for international data transfers, it will not be mandatory to use the Article 28 SCCs.  Companies may therefore continue to negotiate their own individual contracts addressing the compulsory elements of Article 28(3) and (4) of the GDPR.

Continue Reading European Commission publishes finalised Article 28 SCCs