The EDPB has released new draft guidelines 2/2019 on the contractual necessity legal basis for processing personal data in the context of the provision of online services to data subjects. The guidelines emphasise the narrow scope of the contractual necessity legal basis. A controller must be able to demonstrate that the processing is ‘objectively necessary’ for a purpose that is ‘integral’ to the delivery of a contractual service to the data subject in order to rely on this legal basis. If a controller cannot demonstrate such necessity it must consider another legal basis for processing the personal data. This note considers the key highlights of the guidelines.
On 3 April 2019, the Joint Committee on Justice and Equality met to discuss the implementation of the GDPR with Ms Anna Morgan (Deputy Commissioner), Ms Jennifer O’Sullivan (Deputy Commissioner), and Mr Cathal Ryan (Assistant Commissioner). The Commissioners discussed a range of issues, including the enforcement powers used by the Data Protection Commission (DPC) post-GDPR, the difficulties with verifying parental consent in relation to the provision of information society services to children, and the DPC’s experience of resolving data access requests by amicable resolution. This note highlights some of the Committee’s questions (in abbreviated form), and the responses given by the Commissioners.
The UK has published an Online Harms White Paper, setting out its proposals for new online safety laws. Like the Irish Government’s proposals (discussed here), the UK proposals aim to make online platforms more responsible for users’ online safety, especially children and other vulnerable groups. The new laws will apply to any company that allows users to share or discover user-generated content or interact with each other online, including social media platforms, file hosting sites, public discussion forums, messaging services, and search engines. The 12-week consultation period on the new laws runs until 1 July 2019.
The UK consultation paper seeks views on a number of issues including:
- the online services falling within the remit of the regulatory framework;
- options for appointing an independent regulator responsible for enforcing the new framework;
- the regulatory body’s enforcement powers;
- potential redress mechanisms for online users; and
- measures to ensure regulation is targeted and proportionate for the industry.
The Government Chief Whip, Seán Kyne TD, has published the Government’s legislation programme for Summer 2019. The updated programme follows on from the special programme launched in January 2019 which focused on Brexit. We have set out below the key data protection and technology-related legislation coming down the tracks.
- Communications (Retention of Data) Bill – This Bill will repeal and replace the Communications (Retention of Data) Act 2011 which requires data generated by mobile phones to be retained by telecommunications service providers for two years, and allows An Garda Síochána and certain other State agencies to access such data for criminal investigative purposes. The Heads of Bill were published last October 2017, following publication of Mr Justice Murray’s Review of the Law on the Retention of and Access to Communications Data, which found that many features of the 2011 Act are precluded by EU law. The Irish High Court also recently held, in Dwyer v Commissioner of An Garda Siochána  IEHC 685;  IEHC 48, that certain sections of the 2011 act are incompatible with EU law.
The EDPB has published its first review of the implementation of the GDPR, in particular the functioning of the cooperation and consistency mechanism. The GDPR requires EU Data Protection Supervisory Authorities (SAs) to cooperate in order to provide a consistent application of the GDPR. The EDPB concludes that nine months after the entry into force of the GDPR, the cooperation and consistency mechanism is working well. All one-stop-shop cases have so far been resolved smoothly, with no cross-border case being escalated to the EDPB for dispute resolution purposes.
To support the cooperation and consistency mechanism, the EDPB have customised an existing IT system, the Internal Market Information System (IMI), in order to provide a structured and confidential way for SAs to share information.
Some of the highlights of the review are set out below.
The European Parliament voted on 26 March 2019 in favour of the controversial EU Copyright Directive, which will implement sweeping changes to regulation around online copyright. MEPs voted in favour of the compromise text as agreed on 13 February 2019 (previously discussed here). The Directive was approved by 348 votes to 274, concluding one of the most contested and intensely lobbied law proposals in recent years. A last minute vote on debating amendments to the reforms (in relation to Articles 11 and 13) was also rejected by just five votes. The text approved by Parliament can be accessed here. Continue Reading EU Approves Controversial New Copyright Rules
The European Data Protection Board (EDPB) has adopted an Opinion on the interplay of the e-Privacy Directive 2002/58 with the GDPR. The Opinion was adopted in response to a request made by the Belgian Data Protection Authority (DPA) to clarify: (i) the material scope of the e-Privacy Directive and the GDPR; (ii) the interplay of each set of rules and extent to which processing can be governed by both; (iii) the competence, tasks and powers of EU DPAs, and (iv) the applicability of the cooperation and consistency mechanism by DPAs in relation to processing that triggers both sets of rules. The EDPB’s Opinion is without prejudice to the outcome of the current negotiations concerning the proposed e-Privacy Regulation. We have set out below some of the highlights of the Opinion.
The Advocate General of the Court of Justice of the EU (CJEU) has delivered an Opinion in the Planet49 case (Case C-673/17), finding that a pre-ticked checkbox giving consent for cookies does not constitute valid consent under the e-Privacy Directive 2002/58 read in conjunction with the Data Protection Directive 95/46 or the GDPR.
The Data Protection Commission (DPC) has published its Annual Report for 25 May-31 December 2018. As always, the Report reveals some interesting statistics and case studies. In the coming months, the DPC expects to conclude a number of statutory inquiries, which it launched in 2018, into multinational technology companies with EU headquarters situated in Ireland. The DPC anticipates that the conclusion of those inquiries will provide precedents for better implementation of the principles of the GDPR across key aspects of internet and ad tech services. This briefing note sets out some of the highlights of the Report. Continue Reading DPC publishes Annual Report for May-December 2018
On 4 March 2019, Minister Richard Bruton TD announced that he will introduce an Online Safety Act to regulate harmful content online and ensure children are safe online. The Act will also implement the revised Audiovisual Media Services (AVMS) Directive (which Member States are required to implement by 19 September 2020). The Minister stated that the era of self-regulation in regard to online safety is over. It is proposed that an Online Safety Commissioner would oversee the new system. The Department of Communications, Climate Action and Environment is seeking views on the proposed legislation, and has launched a six-week consultation period which is open until 15 April 2019.