Cyber Risk & Data Privacy

Photo of Jessica Morris

The Data Protection Commission (DPC) recently published its decision in a formal inquiry into the Irish Credit Bureau DAC (the ICB), opened after the ICB notified the DPC of a personal data breach on 31 August 2018. The ICB is a credit reference agency that maintains a database on the performance of credit agreements between financial institutions and borrowers.

The personal data breach occurred when the ICB implemented a code change to its database that contained a technical error. As a result, between 28 June 2018 and 30 August 2018, the ICB database inaccurately updated the records of 15,120 closed accounts. The update changed key data in a data subject’s record so that their accounts appeared to have been closed recently, even where the loans or credit facilities had been paid off years before. This caused the ICB to disclose 1,062 inaccurate account records to financial institutions as part of credit checks, which could have resulted in a refusal of credit in circumstances where it would otherwise have been granted. The records did not, however, misstate that a balance was outstanding on the accounts.

The incident was handled by the ICB as a data breach and was reported to the DPC. The DPC’s investigation focussed on the application of Data Protection by Design and by Default (Article 25), the appropriateness of organisational and technical controls under Article 24, and whether or not there was a joint controller relationship under Article 26 GDPR between the ICB and the lenders who shared data with it.


Continue Reading Irish Credit Bureau fine offers insight into the DPC’s use of its corrective powers

Photo of Davinia Brennan

In addition to issuing new Standard Contractual Clauses (SCCs) for international transfers of personal data to a third country outside the EEA, the European Commission has also published the finalised Article 28 SCCs for use between controllers and processors. The Article 28 SCCs came into force on 27 June 2021. Unlike the SCCs for international data transfers, it will not be mandatory to use the Article 28 SCCs. Companies may therefore continue to negotiate their own individual contracts addressing the compulsory elements of Article 28(3) and (4) of the GDPR.

Continue Reading European Commission publishes finalised Article 28 SCCs

Photo of Davinia Brennan

The EU Commission has formally adopted two UK adequacy decisions, one under the GDPR and the other under the Law Enforcement Directive (LED). This means that personal data can continue to flow freely from the EU to the UK, without putting in place additional safeguards, such as the Standard Contractual Clauses.

The adequacy decisions were adopted just two days before the interim solution agreed under the EU-UK Trade and Cooperation Agreement, permitting the free flow of data from the EU to the UK, was due to expire on 30 June 2021.


Continue Reading UK Adequacy Decisions adopted by European Commission

Photo of Davinia Brennan

The European Commission recently published its new draft Standard Contractual Clauses (SCCs) for international transfers of personal data to third parties located outside of the EEA.

The new SCCs have been expected for some time in light of the coming into force of the GDPR. The existing set of SCCs were implemented under the former Data Protection Directive 95/46/EC and still referenced that regime. The delay was due to the European Commission reconciling the new SCCs with the decision of the European Court of Justice in Schrems II.

Whilst the new SCCs align with the GDPR, address the Schrems II decision, and directly incorporate some of the European Data Protection Board (EDPB) Recommendations on Supplementary Measures (01/2020), they are not a catch-all solution for international data transfers. Parties will still be required to undertake a risk assessment, and adopt supplementary measures (where necessary), to ensure the effectiveness of the new SCCs in the third country concerned. Where the new SCCs and supplementary measures do not provide an adequate level of protection in the third country, then companies will be obliged to suspend and/or terminate the transfer.


Continue Reading European Commission publishes draft new SCCs

Photo of Davinia Brennan

The European Commission recently published draft Article 28 Standard Contractual Clauses for use between controllers and processors located within the European Union. The draft Article 28 Clauses are distinct from, and should not be confused with, the European Commission’s new draft Standard Contractual Clauses (SCCs) for data transfers out of the EEA. The latter SCCs contain their own set of Article 28 clauses.

Continue Reading European Commission publishes new draft Article 28 Clauses

Photo of Davinia Brennan

The Government has published its legislation programme for Autumn 2020. The programme includes: 30 priority Bills; 50 Bills that are expected to undergo pre-legislative scrutiny; 87 Bills where preparatory work is underway; and 14 Bills which are currently before the Oireachtas.

Key Bills of relevance to the data protection, commercial and technology sector include:

Priority Legislation 

  • Withdrawal of the United Kingdom from the European Union (Consequential Provisions) Bill – This Bill will provide for the legislative needs that will arise at the end of the Brexit transition period.

Bills expected to undergo pre-legislative scrutiny  

  • Online Safety and Media Regulation Bill – This Bill will provide for the establishment of a Media Commission (including an Online Safety Commissioner), the dissolution of the Broadcasting Authority of Ireland, a regulatory framework to tackle harmful online content, and implementation of the revised Audiovisual Media Services (AVMS) Directive 2018/1808. The general scheme of the Bill was published in January 2020, and the legislative programme indicates that further heads are in preparation. Member States are expected to implement the AVMS Directive in national law by 19 September 2020, so Ireland will miss this deadline.
  • Consumer Rights Bill – This Bill will give effect to EU Directive 770/2019 on consumer contracts for the supply of digital content and digital services and EU Directive 771/2019 on consumer contracts for the sale of goods, and will update and consolidate the statutory provisions on consumer rights and remedies in relation to contracts for the supply of non-digital services, unfair contract terms, and information and cancellation rights.


Continue Reading Government publishes Legislation Programme for Autumn 2020

Photo of Davinia Brennan

On 23 July 2020, the European Data Protection Board (EDPB) adopted FAQs on the Schrems II judgment. The FAQs provide answers to questions received by EU data protection authorities (DPAs) and will be developed and complemented by the EDPB in due course.

In brief, the EDPB clarifies:

  • No grace period – The Court of Justice of the European Union (CJEU) has invalidated the Privacy Shield with immediate effect. The judgment does not provide any grace period during which companies can keep transferring personal data to the US without assessing the legal basis for the transfer.
  • Use of SCCs for EEA-US transfers – US law (i.e. Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not you can transfer personal data to the US based on the Standard Contractual Clauses (SCCs) will depend on the result of your adequacy assessment, taking into account the circumstances of the transfers and the supplementary measures you could put in place. The supplementary measures, along with the SCCs, would have to ensure that US law does not impinge on the adequate level of protection they guarantee.


Continue Reading EDPB publish FAQs on Schrems II

Photo of John Cahir

The Court of Justice of the European Union has delivered its eagerly awaited decision in Schrems II (Case C-311/18).

Why is the case important?

Schrems II calls into question the ability of companies to lawfully transfer data from the EU to the United States (US) and other countries.

The GDPR contains strict rules on transferring data from the EU to third countries, and this case deals with the compatibility of these rules with surveillance laws in other countries.

What has the Court decided?

The headline outcome is that:

  • The Privacy Shield decision is invalid with immediate effect – this means that companies can no longer rely on a Privacy Shield certification when transferring personal data to the US.
  • Standard contractual clauses (SCCs) are valid – but their use is subject to certain pre-conditions and ongoing obligations.


Continue Reading Schrems II – The Verdict

Photo of Davinia Brennan

In recent weeks, employers have been busy implementing the recommendations set out in the Government’s Return to Work Safely Protocol, in preparation for employees returning to the workplace. Somewhat surprisingly, the Protocol makes no reference to the need to comply with data protection law, yet the measures recommended by the Protocol involve the processing personal

Photo of Davinia Brennan

The register of one-stop-shop decisions is now live on the EDPB website. It contains access to summaries and final decisions adopted by the Lead Supervisory Authorities (LSAs), working together with other concerned authorities. The decisions concern a range of data protection compliance issues, in particular data subject rights, lawfulness of processing, data breaches, security, and transparency requirements. In many cases, the LSAs concluded there was no violation of the GDPR. In the event there was a violation, the LSAs, for the most part, issued reprimands or compliance orders, rather than fines.

Continue Reading EDPB’s register of one-stop-shop decisions now live