Photo of John Cahir

As part of their lockdown exit strategy, governments around the world are launching Apps with contact tracing functions. The idea behind these Apps is that users will be alerted when another App user has tested positive to Covid-19, thereby enabling them to take appropriate action, such as self-isolating or undergoing testing.

It remains to be seen how effective contact tracing Apps will be in the fight against Covid-19, but it is clear that in order for the Apps to work, they need to be widely downloaded and used. The popularity, acceptance, and use of the Apps will undoubtedly depend on the extent to which the Apps enable individuals to control the collection and use of their personal data.

This briefing note considers the key data protection issues arising in relation to contact tracing apps.

Go to publication

The Belgian Data Protection Authority (Belgian DPA) recently imposed a €50,000 fine on a large telecommunications operator (the company), for failing to comply with the GDPR in relation to the appointment of their Data Protection Officer (DPO).  The Belgian DPA decided that the DPO’s tasks and duties under the GDPR conflicted with its role as Head of Audit, Risk and Compliance.

Continue Reading Belgian DPA issues €50,000 fine for DPO’s conflicting company roles

Photo of Steven Craig

The European Data Protection Board (EDPB), the body tasked with ensuring consistent application of the GDPR across Europe, has published its annual report for 2019. As we approach the two year anniversary of the GDPR, the EDPB Chair refers to a “common data protection culture” emerging as a result of the continued cooperation between European Data Protection Authorities (DPAs).

The following are some of the key points from the EDPB’s activities in 2019.

Continue Reading EDPB publishes Annual Report for 2019

Photo of Davinia Brennan

The threat to global health caused by Covid-19 has led to unprecedented collaboration from the global scientific research community to urgently develop a vaccine. Given the prevalence of data sharing and open science, combined with the sensitive nature of the data involved, data protection concerns have quickly emerged.

The GDPR provides special rules for processing health data for scientific research purposes that are also applicable in the context of the Covid-19 pandemic. The European Data Protection Board (EDPB) recently published Guidelines 03/2020 on the processing of data concerning health for scientific research purposes in the context of Covid-19. The EDPB acknowledges the challenges faced by researchers operating with urgency, and using health data that is not always obtained directly from the data subject for the specific purpose of scientific research. The guidelines provide clarity on issues such as: the legal basis for processing health data; data subjects’ rights, and how health data can be lawfully transferred to a third country outside the EEA for scientific research purposes connected to the Covid-19 pandemic.

Continue Reading EDPB publishes guidelines on processing health data for Covid-19 research

Photo of Davinia Brennan

The Data Protection Commission (DPC) has issued its first fine under the GDPR.  Tusla, the child and family state agency, has been fined €75,000 for three data breaches.  It has been reported that the DPC has filed papers in the Circuit Court, in order for the court to confirm the fine. The purpose of this confirmation mechanism, which is required by the Data Protection Act (DPA) 2018, is to ensure that the DPC’s decision to impose a fine has due regard to fair procedures and constitutional justice.

Continue Reading Irish Data Protection Commission issues first GDPR fine

Photo of Davinia Brennan

The Annual Report of the Data Protection Commission (DPC) for 2019 reveals some interesting trends and statistics. The DPC received a record 7,215 complaints in 2019 (75% more than in 2018).  At least 40% of the DPC’s resources were devoted to the handling of individual complaints (as opposed to large-scale and more systemic investigations). Larger-scale inquiries also consumed considerable resources.

Disputes between employees and employers or former employers remain a significant theme of the complaints, with the battle often staged around a disputed access request. Telcos and banks remain among the most complained about sectors. Complaints against internet platforms have also grown in volume. This briefing note considers some of the key highlights of the report.

Go to publication

Photo of Davinia Brennan

The European Data Protection Board (EDPB) has published updated Guidelines 05/2020 on Consent under the GDPR, replacing the previous Article 29 Working Party Consent Guidelines published in April 2018. The purpose of the updated guidelines is to provide clarity on: (i) data subject consent in relation to cookie walls (which are not allowed), and (ii) scrolling or swiping through a webpage or similar actions (which does not constitute valid consent). ​The paragraphs (38-41 and 86) concerning these two issues have been revised and updated, while the rest of the document has been left unchanged, except for editorial changes.

Continue Reading EDPB issue updated Guidelines on Consent

With the significant increase in the number of people working from home due to the Covid-19 pandemic, the use of video-conferencing technologies and applications (VC Technology) by businesses for both internal and external meetings has seen a sharp increase. Similarly, there has been a surge in individuals relying on the various VC Technologies available to make sure they can still have their Friday after-work drinks, attend their weekly quiz nights, continue their monthly book clubs or simply stay in touch with family and friends, from a safe, online, distance.

To assist both individuals and organisations with navigating this new online working and socialising way of life, the Irish Data Protection Commission (DPC) has published some tips on how to ensure that any use of this Technology is carried out in a safe manner.

Continue Reading Data Protection Commission publishes tips for video-conferencing

Photo of James McCarthy

On 6 April 2020, the Data Protection Commission (DPC) published a report on the use of cookies and other tracking technologies (Report) and an updated guidance note on cookies and other tracking technologies (Guidance).

The Report is based on a review carried out by the DPC of websites in various sectors in Ireland, including insurance, banking, media, retail and the public sector. The purpose of the DPC’s report was to examine whether organisations are complying with the law, and, in particular, how organisations are obtaining the consent of users for the use of cookies. The majority of the 38 organisations examined were found to have potential compliance issues, particularly in relation to reliance on implied consent for setting non-necessary cookies; lack of choice for users to reject all cookies; bundling of consent for all purposes; and the possible misclassification of cookies as “necessary” or “strictly necessary“.  The Report gives an overview of the responses received highlighting what the DPC considers to be both “good” and “bad” practices that it encountered on the websites, and the Guidance provides website operators with guidance on how to comply with the rules relating to cookies, which are set out in the Irish ePrivacy Regulations.

Continue Reading DPC publishes Report and Guidance on cookies following a “cross-sector and cross-size” sweep of website operators

Photo of Steven Craig

In Doolin v DPC [2020], the High Court held that an employer’s use of CCTV footage in an employee’s disciplinary proceedings constituted unlawful further processing. It concluded that the Data Protection Commission (DPC) had made an “error of law” in their finding that no further processing of the CCTV footage had occurred. The Court found that the CCTV footage was lawfully collected for security purposes. However, the CCTV footage was then unlawfully further processed for the purpose of the disciplinary proceedings, which was incompatible with the original purpose for which the CCTV footage was processed. The decision shows the importance of only using personal data, particularly CCTV footage, for the purpose for which it was collected.

Continue Reading Use of CCTV footage in disciplinary proceedings breached employee’s data protection rights