The European Data Protection Board (EDPB) has published its Annual Report covering the period from 25 May – 31 December 2018. It provides an overview of the EDPB’s activities last year, and discusses the areas it intends to focus on in 2019-2020.
Continue Reading
In the past two days, the UK Information Commissioner’s Office (ICO) has issued (potential) GDPR fines of £183.39m and £99.2m on British Airways (BA) and Marriott International Inc., respectively. These are the first fines to be issued by the ICO under the GDPR, and the biggest fines issued by an EU Data Protection Authority (DPA) to date. As the fines affected individuals in multiple Member States, the ‘one stop shop’ provisions in the GDPR apply, and the ICO has therefore been required to liaise with other EU DPAs.
The fines highlight the importance of companies ensuring that robust security measures are in place to protect personal data and undertaking appropriate due diligence in corporate mergers and acquisitions. As the EU DPAs are encouraged to adopt a consistent approach to the imposition of administrative fines, the ICO’s fines serve as a warning to companies of the level of GDPR fines that may be imposed by the Irish Data Protection Commission for data breaches resulting from weak security measures.
The ICO does not routinely publish notices of intent to levy a penalty, however the ICO’s policy on “Communicating Regulatory Enforcement Activity” states that such notices may be published in certain circumstances, including where the matter is already in the public domain; there are financial market reporting obligations; or it is necessary for international regulatory cooperation. The ICO statements of intent to fine BA and Marriott were issued in response to an announcement by BA to the London Stock Exchange, and a filing by Marriott with the US Securities and Exchange Commission, that the ICO intended to fine them for breaches of data protection law.
The DPC has released new CCTV Guidance to assist owners and occupiers of premises to understand their data protection obligations when using CCTV. Data controllers should already be aware that footage or images containing identifiable individuals captured by CCTV is personal data and therefore data protection laws apply.
Continue Reading
A recent survey of regional data protection authorities in Germany has revealed 75 cases of reported personal data breaches since the GDPR came into effect on 25 May 2018. As a result, German authorities have imposed punitive fines totalling €449,000.
Germany differs from Ireland as the responsibility for monitoring and ensuring compliance with the GDPR and national data protection laws is delegated to each of the 16 German states, with each state possessing its own authority. A committee consisting of representatives from each regional authority (the ‘Data Protection Conference’) has also been appointed to ensure that a consistent approach is taken throughout the states.
So far, fines have been imposed in six of the sixteen federal states. The highest fines have been reported in the Baden-Wurttemberg region (€203, 000 across seven cases), Rhineland-Palatinate region (€124,000 across nine cases) and Berlin (€105,600 across eighteen cases). Examples of commonly reported GDPR violations include inadequate technical or organisational security measures (e.g. storing user password in non-encrypted form), non-compliance with information duties (e.g. lack of transparency around processing activities) and unauthorized marketing e-mails.
The European Commission’s High Level Expert Group on Artificial Intelligence has released a new set of guidelines for ensuring that AI is “trustworthy”, following a public consultation with feedback from over 500 contributors.
The updated guidelines set out the EU’s guidance for assisting developers and deployers in achieving “trustworthy AI”, maximizing the benefits and minimizing the risks associated with this emerging area of technology.
Following its European strategy on AI (published in April 2018), the guidelines were drafted by an independent expert group, comprising of 52 representatives from academia, industry and society.
In Ryanair dac v SC Vola.ro srl [2019] IEHC 239 the Irish High Court confirmed the enforceability of a jurisdiction clause contained within a website’s Terms of Use, finding the user had agreed to it via a “click-wrap” agreement. Following previous Ryanair screen-scraping cases, the court held the click-wrap agreement met the requirements of Article
On 1 May 2019, Ms Helen Dixon, the Data Protection Commissioner (DPC), appeared before the US Senate Committee on Commerce, Science and Transportation. She was invited to testify on Ireland’s implementation of the GDPR, as the US is considering introducing a federal data privacy framework. California has already passed a new data privacy law, the California Consumer Privacy Act, which is due to come into effect on 1 January 2020. This note sets out some of the highlights of the DPC’s testimony.
Continue Reading
As we approach the GDPR’s one-year anniversary, we are starting to see more enforcement activity by the EU Data Protection Authorities (DPAs) as they complete their initial investigations into data breaches. This blog looks at two recent fines issued by the Polish and Danish DPAs, which demonstrate the type of conduct likely to lead to enforcement activity.
Continue Reading
The UK Supreme Court has granted supermarket chain Morrisons permission to appeal against a landmark UK Court of Appeal ruling that found it vicariously liable for a deliberate data breach carried out by a former employee (previously discussed here).
Continue Reading
The EDPB has released new draft guidelines 2/2019 on the contractual necessity legal basis for processing personal data in the context of the provision of online services to data subjects. The guidelines emphasise the narrow scope of the contractual necessity legal basis. A controller must be able to demonstrate that the processing is ‘objectively necessary’ for a purpose that is ‘integral’ to the delivery of a contractual service to the data subject in order to rely on this legal basis. If a controller cannot demonstrate such necessity it must consider another legal basis for processing the personal data. This note considers the key highlights of the guidelines.
Continue Reading