Photo of Davinia Brennan

The Data Protection Commission (DPC) has published guidance which seeks to answer some of the most frequently asked questions in relation to Data Subject Access Requests (DSARs).  Some of the key issues addressed in the guidance are set out below:

  • Format of Request – The GDPR does not prescribe any particular method for making a valid DSAR.  Accordingly, the DPC states that where a controller invites individuals to submit a DSAR through a designated online form, the controller should make it clear that this is not compulsory, and that a DSAR may be made by other means.
  • Time limit to respond – Like the UK ICO, the DPC states that the one month time limit to respond to a DSAR runs from the date that the data controller receives proof of identity (if requested) or more information clarifying the request.  Proof of an individual’s identity should only be requested where reasonable and proportionate to do so.
  • Scope of request – In line with recital 63 of the GDPR, the DPC confirms that a controller is entitled to ask an individual to clarify their request, by specifying the information or processing activities which they want access to.  However, if an individual refuses to provide any additional information, the controller will still need to endeavour to comply with the request.
  • Specific contact point for DSARs – The DPC notes that a DSAR may be made to any staff member.  A controller may encourage data subjects to contact a designated staff member, but it cannot oblige them to do so.
  • “Manifestly unfounded or excessive” requests – The DPC highlights that Article 12(5) of the GDPR permits a DSAR to be refused where it is “manifestly unfounded or excessive” but does not provide any guidance on the meaning of these words.  However, the DPC warns that a controller will need to be able to meet “a high threshold” in order to prove a request is “manifestly unfounded or excessive”, and a refusal on this ground will be justified in “very few cases”.
  • Third party data – The guidance clarifies that there should not be a blanket refusal to respond to a DSAR due to concerns that the request may adversely affect a third party.  Instead, the controller “should endeavour to comply with the request insofar as possible” whilst ensuring adequate protection for the third party’s rights.
  • Refusing DSARs – Article 12(4) of the GDPR requires a controller to inform an individual of the reasons for refusing a request. The DPC clarifies that the controller must, in particular, identify the relevant exemption under the GDPR or Data Protection Act 2018, provide an explanation as to why it applies, and demonstrate that reliance on the exemption is necessary and proportionate.
Photo of Davinia Brennan

The Government Chief Whip, Seán Kyne TD, has published the Government’s Legislation Programme for Autumn 2019. The Programme lists 32 priority Bills; 27 Bills currently before the Houses of the Oireachtas, and 69 Bills where preparatory work is underway.

The key data protection and technology-related Bills are set out below.  The Programme notes that work is underway on these Bills, but does not provide any indication as to when they will be published.

  • Communications (Retention of Data) Bill – This Bill will repeal and replace the Communications (Retention of Data) Act 2011 which requires telephony data to be retained by telecommunications service providers for two years, and allows An Garda Síochána and certain other State agencies to access such data for criminal investigative purposes. The Heads of Bill were published in October 2017, following publication of Mr Justice Murray’s Report reviewing the ‘Law on the Retention of and Access to Communications Data’, which found that many features of the 2011 Act are precluded by EU law. In Dwyer v Commissioner of An Garda Siochána [2018] IEHC 685; [2019] IEHC 48, the High Court made a declaration that section 6(1)(a) of the 2011 Act is inconsistent with EU law, insofar as it allows telephony data to be retained on a general and indiscriminate basis.  A stay has been placed on that declaration pending an appeal to the Supreme Court, which is due to be heard in December 2019.
  • Online Safety and Media Regulation Bill – Earlier this year, Minister Richard Bruton TD launched a public consultation on this Bill, seeking the views of citizens and stakeholders on an achievable and proportionate approach to regulating harmful online content (discussed here).
  • Interception of Postal Packets and Telecommunications Messages (Regulation) (Amendment) Bill – This Bill will amend various pieces of legislation in respect of electronic communications.  In 2016, the Department of Justice and Equality published a policy document discussing why this area of law needs to be amended (discussed here).
  • Cybercrime Bill – This Bill will give effect to those provisions of the Council of Europe Convention on Cybercrime 2001 not already provided for in national law, in order to enable ratification of the Convention.

We will keep you updated on the progress of these Bills.

Photo of Davinia Brennan

For the first time, the Irish High Court has been asked to make a blocking order in regard to the illegal live streaming of Premier League games. Instead of watching Premier League games through legitimate and licensed services, some people were seeking to do so free of charge. The Court granted the blocking order, requiring five Irish ISPs (including Eir, Sky Ireland Ltd, Sky Subscribers Services Ltd, Virgin Media Ireland Ltd and Vodafone Ireland Ltd) to block illegal live streaming of Premier League games.

Continue Reading High Court blocks illegal live streaming of Premier League Games

Photo of Steven Craig

The Minister for Social Protection, Regina Doherty, and the Minister for Finance, Paschal Donohoe, have informed the government that the provision and use of the Public Services Card (PSC), not just by the Department of Employment Affairs and Social Protection (DEASP) but also by other public bodies, shall continue. The DEASP has written to the Data Protection Commission (DPC) advising it of this decision. In doing so, the Government accepts that it may be necessary for the matter to be referred to the courts for a definitive decision. The DEASP intends to publish the DPC’s investigation report following further engagement with the DPC.

Continue Reading Government challenges findings of Data Protection Commission about Public Services Cards

Photo of Charlotte Turk

The UK Information Commissioner’s Office (ICO) has amended its guidance on the time limit for responding to a subject access request (SAR).

Under Article 12 GDPR, a data controller must respond to a SAR “without undue delay and in any event within one month of receipt of the request.” This can be extended by a further two months if the request is complex or a number of requests have been made by the data subject.

The ICO’s previous guidance on SARs noted that the one month time limit should be calculated from the day after the SAR is received until the corresponding calendar date in the next month. This meant that if the SAR was received on 19 August 2019, the response deadline would be 20 September 2019.

The ICO’s guidance has been amended to state that the time limit for a response starts from the day the request is received (whether it is a working day or not) until the corresponding calendar date in the next month. Therefore, if the SAR was received on 19 August 2019, the data controller should respond by 19 September 2019.

Continue Reading ICO clarifies time limit for responding to subject access requests

Photo of Davinia Brennan

The Oireachtas Committee on Justice and Equality is seeking written submissions from stakeholders on the issues of online harassment, harmful communications and related offences. The invitation follows an announcement in May 2019 that the Government intends to draft, on a priority basis, amendments to the Harassment, Harmful Communications and Related Offences Bill 2017.  That Bill is based on a 2016 Report by the Law Reform Commission, which recommended reform and consolidation of criminal law offences concerning harmful communications, and the establishment of a Digital Safety Commissioner to oversee national digital safety standards and take-down procedures for harmful digital communications.

Continue Reading Government seeks submissions on online harassment

Photo of Caoimhe Bourke

On Friday 16 August 2019, the Data Protection Commission (DPC) published its findings on certain aspects of the Public Services Card (PSC). The DPC found that seven out of eight of its findings were adverse to the positions advanced by the Department of Employment and Social Protection (DEASP) and that there is and has been non-compliance with the applicable provisions of data protection law.

Continue Reading DPC Publishes Statement on the Public Services Card

Photo of Steven Craig

On 29 July 2019, the Court of Justice of the European Union (CJEU) held that Red Bull’s signature blue and silver colour trademarks were invalid. This followed an earlier decision by the General Court of the European Union in 2017 which found that the graphic representation and description of the two colours were not sufficiently precise.

The threshold for successfully registering a trademark consisting of a single colour or combination of colours has been set purposefully high, in order to avoid situations where a large company is able to effectively monopolise a particular colour within a particular class of goods or services. A company seeking to register a colour trademark must demonstrate that their mark has acquired distinctiveness, and be able to describe it in a sufficiently clear and precise manner.

Continue Reading European Court declares Red Bull’s colour trademarks invalid

Photo of Davinia Brennan

In the Fashion ID case (C-40/17), the Court of Justice of the European Union (CJEU) found that the operator of a website that features a plug-in (such as a Facebook ‘Like’ button) can be considered a joint controller with the plug-in provider, in respect of the collection and transmission to that plug-in provider of the personal data of visitors to its website. However, the website operator will not be a joint controller or liable for any subsequent processing of the personal data by the plug-in provider.

The CJEU also held that the website operator is responsible for obtaining consent from website visitors for the collection and transmission of their personal data and providing notice to visitors about the use and disclosure of their personal data.

Although the case was decided under the Data Protection Directive 95/46/EC (the Directive), it will continue to be relevant under the GDPR, since the relevant definitions and obligations continue to apply under the new regime. The decision will have an impact not only on website operators that embed social plug-ins, but also on any website operator that uses cookies to collect and transmit personal data of their visitors to third parties, such as AdTech providers.

Continue Reading A website operator embedding a Facebook ‘Like’ button is a joint controller with Facebook

Photo of Davinia Brennan

In Amazon EU Case C-649/17, the Court of Justice of the European Union (CJEU) held that the Consumer Rights (CR) Directive 2011/83/EU does not require an e-commerce platform to make a telephone number available to consumers before the conclusion of a contract. It is sufficient for traders, when concluding distance contracts with consumers, to use other means of communications, such as online chat services or telephone call-back, as long as consumers have a means of contacting traders quickly and efficiently.

Continue Reading E-Commerce platforms not obliged to make telephone number available to consumers