On 4 March 2019, Minister Richard Bruton TD announced that he will introduce an Online Safety Act to regulate harmful content online and ensure children are safe online.  The Act will also implement the revised Audiovisual Media Services (AVMS) Directive (which Member States are required to implement by 19 September 2020).  The Minister stated that the era of self-regulation in regard to online safety is over.  It is proposed that an Online Safety Commissioner would oversee the new system. The Department of Communications, Climate Action and Environment is seeking views on the proposed legislation, and has launched a six-week consultation period which is open until 15 April 2019.

Continue Reading Government consults on new Online Safety Act

The Data Protection Commission (DPC) has published the results of the annual Global Privacy Sweep for 2018, which examined how well organisations are implementing the concept of accountability.  The Global Privacy Enforcement Network members made contact with 356 organisations in 18 countries during the Sweep. It found that while there were examples of good practice reported, a number of organisations had no processes in place to deal with complaints and queries raised by data subjects, and were not equipped to handle data security incidents appropriately.

Continue Reading DPC publishes results of Global Privacy Sweep for 2018

By any measure, 2018 was a historic year for data protection law with the coming into effect of the GDPR on 25 May 2018.  Ireland plays an important role in the regulation and enforcement of data protection law and decisions of the Irish courts have had a disproportionate impact on European data protection jurisprudence. With the introduction of the one-stop-shop mechanism under the GDPR it is to be expected that this trend will continue in the years ahead.  This briefing note highlights the key data protection legislative developments and Irish court decisions over the past year.

Go to Publication

The EDPB has published information notes on Data Transfers under the GDPR in the Event of a No-Deal Brexit, and on BCRs for Companies Which Have ICO as BCR Lead Supervisory Authority to help organisations prepare for a no-deal Brexit. The information notes build on guidance already issued by the UK ICO and Irish Data Protection Commission (discussed here).

The Information Note on Data Transfers warns that, in the event of a no-deal Brexit, the UK will be a ‘third country’ from 30 March 2019. As a result, personal data cannot be transferred from the EEA to the UK unless organisations implement a data transfer mechanism under the GDPR, such as standard contractual clauses; ad hoc contractual clauses; binding corporate rules (BCRs); codes of conduct and certification mechanisms, or a derogation. In regard to data transfers from the UK to the EEA, the UK Government have confirmed the current practice, which permits personal data to flow freely from the UK to the EEA, will continue in the event of a no-deal Brexit.

Continue Reading EDPB publishes information notes on data transfers in the event of a no-deal Brexit and on BCRs

The European Data Protection Board (EDPB) has published its work program for the next two years. The program lists the guidelines, consistency opinions, and other types of activities the EDPB intends to carry out. The program is based on the needs identified by the EDPB as priority for individuals, stakeholders, as well as the EU legislator planned activities. The Guidelines due to be published over the coming two years include:

• Guidelines on reliance on Art. 6(1) b in the context of online services (i.e. the contractual necessity legal basis)
• Guidelines on concepts of controller and processor (Update of the WP29 Opinion)
• Guidelines on the notion of legitimate interest of the data controller (Update of the WP29 Opinion)
• Guidelines on the Territorial Scope of the GDPR (finalisation after the public consultation)

Continue Reading EDPB publishes Work Program for 2019/2020

The European Data Protection Board (EDPB) has adopted an Opinion (3/2019) on the interplay between the EU Clinical Trials Regulation (536/2014) (CTR) and the GDPR, following a request from the European Commission to review its Q&A on the topic. The CTR, which is expected to enter into force in 2020, aims to harmonise the rules for conducting clinical trials throughout the EU. It does not contain any derogations from the GDPR and will therefore apply simultaneously with the GDPR.

The EDPB’s Opinion focuses on: (1) the legal basis under the GDPR for processing personal data in the course of a clinical trial protocol (primary use), and (2) further use of clinical trial data for other scientific purposes (secondary use). Some highlights of the EDPB’s Opinion are set out below.

Continue Reading EDPB adopts Opinion on the Clinical Trials Regulation and the GDPR

It looks unlikely that the draft e-Privacy Regulation will come into effect before 2021. European Council negotiations on the text of the draft Regulation are currently ongoing, and trilogue discussions by the Council, Parliament and Commission will then take place. However, the upcoming May 2019 European elections may lead to a delay in the Council adopting a common position and the trilogue discussions commencing. In addition, the latest draft text of the Regulation, published by the European Council, provides that it will apply 24 months from the date it is adopted, with the result that even if it is adopted imminently, it may not come into effect until 2021.

Continue Reading What’s the status of the draft e-Privacy Regulation?