On 12 November 2019, the EDPB published its finalised Guidelines on Territorial Scope of the GDPR (3/2018). The Guidelines aim to assist companies and supervisory authorities in determining whether a particular processing activity falls within the territorial scope of the GDPR.
The provisions of the Copyright and Other Intellectual Property Law Provisions Act 2019 (the Act), which was signed into law on 26 June 2019, were commenced on 2 December 2019.
The only provisions which are not yet in effect are sections 2(1), 9 and 21, which will automatically come into operation on 26 December (i.e. 6 months from the passing of the Act on 26 June 2019).
The Minister of Finance has passed new Regulations, the Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2019, permitting data subjects’ rights under Articles 12-22 and Article 34, and controllers’ obligations under Article 5 GDPR, to be restricted to the extent necessary and proportionate to allow the Central Bank of Ireland (CBI) to carry out certain functions.
The Data Protection Commission (DPC) has published guidance which seeks to answer some of the most frequently asked questions in relation to Data Subject Access Requests (DSARs). Some of the key issues addressed in the guidance are set out below:
The Government Chief Whip, Seán Kyne TD, has published the Government’s Legislation Programme for Autumn 2019. The Programme lists 32 priority Bills; 27 Bills currently before the Houses of the Oireachtas, and 69 Bills where preparatory work is underway.
For the first time, the Irish High Court has been asked to make a blocking order in regard to the illegal live streaming of Premier League games. Instead of watching Premier League games through legitimate and licensed services, some people were seeking to do so free of charge. The Court granted the blocking order, requiring five Irish ISPs (including Eir, Sky Ireland Ltd, Sky Subscribers Services Ltd, Virgin Media Ireland Ltd and Vodafone Ireland Ltd ) to block illegal live streaming of Premier League games.
The Minister for Social Protection, Regina Doherty, and the Minister for Finance, Paschal Donohoe, have informed the government that provision and use of the Public Services Card (PSC), not just by the Department of Employment Affairs and Social Protection (DEASP), but by other public bodies shall continue. The DEASP has written to the Data Protection Commission (DPC) advising it of this decision. In doing so, the Government accepts that it may be necessary for the matter to be referred to the courts for a definitive decision. The DEASP intend to publish the DPC’s investigation report following further engagement with the DPC.
The UK Information Commissioner’s Office (ICO) has amended its guidance on the time limit for responding to a subject access request (SAR).
Under Article 12 GDPR, a data controller must respond to a SAR “without undue delay and in any event within one month of receipt of the request.” This can be extended by a further two months if the request is complex or a number of requests have been made by the data subject.
The Oireachtas Committee on Justice and Equality is seeking written submissions from stakeholders on the issues of online harassment, harmful communications and related offences. The invitation follows an announcement last May 2019, that the Government intends to draft, on a priority basis, amendments to the Harassment, Harmful Communications and Related Offences Bill 2017 . That Bill is based on a 2016 Report by the Law Reform Commission, which recommended reform and consolidation of criminal law offences concerning harmful communications, and the establishment of Digital Safety Commissioner to oversee national digital safety standards and take-down procedures for harmful digital communications.
On Friday 16 August 2019, the Data Protection Commission (DPC) published its findings on certain aspects of the Public Services Card (PSC). The DPC found that seven out of eight of its findings were adverse to the positions advanced by the Department of Employment and Social Protection (DEASP) and that there is and has been non-compliance with the applicable provisions of data protection law.