Photo of Davinia Brennan

On 12 November 2019, the EDPB published its finalised Guidelines on Territorial Scope of the GDPR (3/2018). The Guidelines aim to assist companies and supervisory authorities in determining whether a particular processing activity falls within the territorial scope of the GDPR.

The key changes to the draft Guidelines include clarification that:

  • whilst some of a controller or processor’s processing activities may fall within the scope of the GDPR, the rest may not. Accordingly, the focus is on whether a particular processing activity falls within the scope of the GDPR, rather than whether a controller or processor does;
  • where there is a connection between the targeting activities by a non-EEA controller caught by the GDPR and the processing activities carried out by a non-EEA processor, that processor will fall within the scope of Article 3(2) of the GDPR;
  • where a non-EU controller or processor ‘inadvertently or incidentally‘ targets its goods or services at a person located in the EU, the related processing of personal data will not fall within the scope of the GDPR.  For example, in the case of an Australian company offering a mobile news service exclusively to users located in Australia. If an Australian subscriber travels to Germany on holiday and continues using the service, the service would not be deemed to be ‘targeting’ individuals in the EU, and the Australian company would not fall within the scope of the GDPR;
  • the GDPR does not establish a substitutive liability of the representative in place of the non-EU established controller or processor that it represents in the EU. The concept of the representative was introduced to enable supervisory authorities to initiate enforcement proceedings against a non-EU established controller or processor through the representative. The possibility of holding a representative directly liable is limited to its direct obligations referred to in Article 30 (record-keeping) and Article 58(1)(a) (respond to information requests from the supervisory authority) of the GDPR;
  • the role of a representative in the EU is not compatible with the role of a Data Protection officer (DPO). A representative acts on behalf of the controller or processor that it represents, and therefore under its instructions, whilst a DPO is required to act independently.

The Guidelines indicate that the EDPB will further assess the interplay between the territorial scope of the GDPR and rules on international data transfers, and additional guidance may be issued in this regard, if necessary.

A comprehensive overview of the finalised Guidelines is available here.

Photo of Jessica Morris

The provisions of the Copyright and Other Intellectual Property Law Provisions Act 2019 (the Act), which was signed into law on 26 June 2019, were commenced on 2 December 2019.

The only provisions which are not yet in effect are sections 2(1), 9 and 21, which will automatically come into operation on 26 December (i.e. 6 months from the passing of the Act on 26 June 2019).

Continue Reading Commencement of the Copyright and Other Intellectual Property Law Provisions Act 2019

Photo of Davinia Brennan

The Minister of Finance has passed new Regulations, the Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2019, permitting data subjects’ rights under Articles 12-22 and Article 34, and controllers’ obligations under Article 5 GDPR, to be restricted to the extent necessary and proportionate to allow the Central Bank of Ireland (CBI) to carry out certain functions.

The restrictions set out in these Regulations are in addition to, and not in substitution of, any other restrictions to data subjects’ rights or controllers’ obligations set out under any other enactment or EU law. The Regulations came into operation on 30 October 2019.


The Regulations apply to personal data (including special categories of personal data and criminal convictions/offences data), in respect of which the CBI is the controller, and are processed by the CBI in the pursuit of a “relevant objective” .

A “relevant objective” is defined as an important objective of general public interest, referred to in paragraphs (b) to (g) or (i) to (m) of section 60(7) of the Data Protection Act (DPA) 2018, and pursued by the CBI in exercising a “relevant function” (regulation 4).

The“relevant objectives” set out in those paragraphs of the DPA 2018 include, amongst others: avoiding obstructions to any official or legal inquiry, investigation or process; preventing, investigating or prosecuting breaches of ethics for regulated professions; taking any action for the purposes of investigating a complaint made to a regulatory body; and safeguarding the economic or financial interests of the EU or the State.

A “relevant function” is defined as a function of the CBI under: (a) financial services legislation; (b) the Treaty on the Functioning of the European Union or
(c) the Statute of the European System of Central Banks and of the European Central Bank,  which relates directly or indirectly to certain prescribed task of the CBI, including protecting the best interests of consumers of financial services, and supervising and enforcing compliance with financial services legislation.


The restriction of data subjects’ rights or controllers’ obligations pursuant to these Regulations must be: (a) necessary to safeguard a relevant objective; and (b) proportionate to the need to safeguard that relevant objective.  This includes, for example, where the exercise of the right or obligation may interfere with: (i) the prevention, detection or investigation of a breach of, or enforcement of, financial services legislation; (ii) a procedure, investigation or settlement being undertaken by the CBI, or (iii) proceedings pending before a court.

Obligation to notify data subjects where a right is restricted

Where a data subject’s right or controller’s obligation is restricted, the CBI must notify the data subject concerned in writing, in a timely manner, unless such notification may prejudice the achievement of a relevant objective.

The notification must inform the data subject of:

(a) the right or obligation affected by the restriction;

(b) whether the right or obligation has been restricted in part or in whole;

(c) the reasons for the restriction, unless such information may prejudice the achievement of a relevant objective; and

(d) the right to lodge a complaint with the Data Protection Commission. The right to lodge a complaint is without prejudice to any other rights or remedies which the data subject concerned may have in relation to the CBI, including judicial review of a decision of the CBI, and the right to appeal a decision of the CBI under the Central Bank Act 1942.

Photo of Davinia Brennan

The Data Protection Commission (DPC) has published guidance which seeks to answer some of the most frequently asked questions in relation to Data Subject Access Requests (DSARs).  Some of the key issues addressed in the guidance are set out below:

  • Format of Request – The GDPR does not prescribe any particular method for making a valid DSAR.  Accordingly, the DPC states that where a controller invites individuals to submit a DSAR through a designated online form, the controller should make it clear that this is not compulsory, and that a DSAR may be made by other means.
  • Time limit to respond – Like the UK ICO, the DPC states that the one month time limit to respond to a DSAR runs from the date that the data controller receives proof of identity (if requested) or more information clarifying the request.  Proof of an individual’s identity should only be requested wherereasonable and proportionate to do so.
  • Scope of request – In line with recital 63 of the GDPR, the DPC confirms that a controller is entitled to ask an individual to clarify their request, by specifying the information or processing activities which they want access to.  However, if an individual refuses to provide any additional information, the controller will still need to endeavour to comply with the request.
  • Specific contact point for DSARs – The DPC notes that a DSAR may be made to any staff member.  A controller may encourage data subjects to contact a designated staff member, but it cannot oblige them to do so.
  • Manifestly unfounded or excessive” requests – The DPC highlights that Article 12(5) of the GDPR permits a DSAR to be refused where it is “manifestly unfounded or excessive” but does not provide any guidance on the meaning of these words.  However, the DPC  warns that a controller will need to be able to meet “a high threshold” in order to prove a request is “manifestly unfounded or excessive“, and a refusal on this ground will be justified in “very few cases”.
  • Third party data – The  guidance  clarifies that there should not be a blanket refusal to respond to a DSAR due to concerns that the request may adversely affect a third party.  Instead, the controller “should endeavour to comply with the request insofar as possible” whilst ensuring adequate protection for the third party’s rights.
  • Refusing DSARs –  Article 12(4) of the  GDPR requires a controller to inform an individual of the reasons for refusing a request. The DPC clarifies that the controller must, in particular, identify the relevant exemption under the GDPR or Data Protection Act 2018, provide an explanation as to why it applies, and demonstrate that reliance on the exemption is necessary and proportionate ​.
Photo of Davinia Brennan

The Government Chief Whip, Seán Kyne TD, has published the Government’s Legislation Programme for Autumn 2019. The Programme lists 32 priority Bills; 27 Bills currently before the Houses of the Oireachtas, and 69 Bills where preparatory work is underway.

The key data protection and technology-related Bills are set out below.  The Programme notes that work is underway on these Bills, but does not provide any indication as to when they will be published.

  • Communications (Retention of Data) Bill–  This Bill will repeal and replace the Communications (Retention of Data) Act 2011 which requires telephony data to be retained by telecommunications service providers for two years, and allows An Garda Síochána and certain other State agencies to access such data for criminal investigative purposes. The Heads of Bill were published in October 2017, following publication of Mr Justice Murray’s Report reviewing the ‘Law on the Retention of and Access to Communications Data’, which found that many features of the 2011 Act are precluded by EU law. In Dwyer v Commissioner of An Garda Siochána [2018] IEHC 685; [2019] IEHC 48, the High Court made a declaration that section 6(1)(a) of the 2011 Act is inconsistent with EU law, insofar it allows telephony data to be retained on a general and indiscriminate basis.  A stay has been placed on that declaration pending an appeal to the Supreme Court, which is due to be heard in December 2019.
  • Online Safety and Media Regulation Bill – Earlier this year, Minister Richard Bruton TD launched a public consultation on this Bill, seeking the views of citizens and stakeholders on an achievable and proportionate approach to regulating harmful online content ( discussed here).
  • Interception of Postal Packets and Telecommunications Messages (Regulation) (Amendment) Bill– This Bill will amend various pieces of legislation in respect of electronic communications.  In 2016, the Department of Justice and Equality published a policy document discussing why this area of law needs to be amended ( discussed here).
  • Cybercrime Bill – This Bill will give effect to those provisions of the Council of Europe Convention on Cybercrime 2001 not already provided for in national law, in order to enable ratification of the Convention.

We will keep you updated on the progress of these Bills.

Photo of Davinia Brennan

For the first time, the Irish High Court has been asked to make a blocking order in regard to the illegal live streaming of Premier League games. Instead of watching Premier League games through legitimate and licensed services, some people were seeking to do so free of charge. The Court granted the blocking order, requiring five Irish ISPs (including  Eir,  Sky Ireland Ltd, Sky Subscribers Services Ltd, Virgin Media Ireland Ltd  and Vodafone Ireland Ltd ) to block illegal live streaming of Premier League games.

Continue Reading High Court blocks illegal live streaming of Premier League Games

Photo of Steven Craig

The Minister for Social Protection, Regina Doherty, and the Minister for Finance, Paschal Donohoe, have informed the government that provision and use of the Public Services Card (PSC), not just by the Department of Employment Affairs and Social Protection (DEASP), but by other public bodies shall continue. The DEASP has written to the Data Protection Commission (DPC) advising it of this decision. In doing so, the Government accepts that it may be necessary for the matter to be referred to the courts for a definitive decision. The DEASP intend to publish the DPC’s investigation report following further engagement with the DPC.

Continue Reading Government challenges findings of Data Protection Commission about Public Services Cards

Photo of Charlotte Turk

The UK Information Commissioner’s Office (ICO) has amended its guidance on the time limit for responding to a subject access request (SAR).

Under Article 12 GDPR, a data controller must respond to a SAR “without undue delay and in any event within one month of receipt of the request.” This can be extended by a further two months if the request is complex or a number of requests have been made by the data subject.

The ICO’s previous guidance on SARs noted that the one month time limit should be calculated from the day after the SAR is received until the corresponding calendar date in the next month. This meant that if the SAR was received on 19 August 2019, the response deadline would be 20 September 2019.

The ICO’s guidance has been amended to state that the time limit for a response starts from the day the request is received (whether it is a working day or not) until the corresponding calendar date in the next month. Therefore, if the SAR was received on 19 August 2019, the data controller should respond by 19 September 2019.

Continue Reading ICO clarifies time limit for responding to subject access requests

Photo of Davinia Brennan

The Oireachtas Committee on Justice and Equality is seeking  written submissions from stakeholders on the issues of online harassment, harmful communications and related offences. The invitation follows an announcement last May 2019, that the Government intends to draft, on a priority basis, amendments to the Harassment, Harmful Communications and Related Offences Bill 2017 .  That Bill is based on a 2016 Report by the Law Reform Commission, which recommended reform and consolidation of criminal law offences concerning harmful communications, and the establishment of Digital Safety Commissioner to oversee national digital safety standards and take-down procedures for harmful digital communications.

Continue Reading Government seeks submissions on online harassment

Photo of Caoimhe Bourke

On Friday 16 August 2019, the Data Protection Commission (DPC) published its findings on certain aspects of the Public Services Card (PSC). The DPC found that seven out of eight of its findings were adverse to the positions advanced by the Department of Employment and Social Protection (DEASP) and that there is and has been non-compliance with the applicable provisions of data protection law.

Continue Reading DPC Publishes Statement on the Public Services Card