Cyber Risk & Data Privacy

Photo of Davinia Brennan

In recent weeks, employers have been busy implementing the recommendations set out in the Government’s Return to Work Safely Protocol, in preparation for employees returning to the workplace.  Somewhat surprisingly, the Protocol makes no reference to the need to comply with data protection law, yet the measures recommended by the Protocol involve the processing personal

Photo of Davinia Brennan

​The register of one-stop-shop decisions is now live on the EDPB website. It contains access to summaries and final decisions adopted by the Lead Supervisory Authorities (LSAs), working together with other concerned authorities. The decisions concern a range of data protection compliance issues, in particular, data subject rights; lawfulness of processing, data breaches, security, and transparency requirements. In many cases, the LSAs concluded there was no violation of the GDPR. In the event there was a violation, the LSAs, for the most part, issued reprimands or compliance orders, rather than fines.

Continue Reading EDPB’s register of one-stop-shop decisions now live

Photo of Davinia Brennan

The Data Protection Commission (DPC) has published a two year Regulatory Activities Report, which reviews the range of its regulatory tasks from 25 May 2018 to 25 May 2020.

​The Report notes that the purpose of the two-year assessment is “to provide a wider-angled lens through which to assess the work of the DPC since the implementation of the GDPR; in particular, to examine wider datasets and annual trends to see what patterns can be identified.” 


Continue Reading DPC publishes Regulatory Activities Report for 2018-2020

Photo of John Cahir

As part of their lockdown exit strategy, governments around the world are launching Apps with contact tracing functions. The idea behind these Apps is that users will be alerted when another App user has tested positive to Covid-19, thereby enabling them to take appropriate action, such as self-isolating or undergoing testing.

It remains to be

Photo of Steven Craig

The European Data Protection Board (EDPB), the body tasked with ensuring consistent application of the GDPR across Europe, has published its annual report for 2019. As we approach the two year anniversary of the GDPR, the EDPB Chair refers to a “common data protection culture” emerging as a result of the continued cooperation between European Data Protection Authorities (DPAs).

The following are some of the key points from the EDPB’s activities in 2019.


Continue Reading EDPB publishes Annual Report for 2019

Photo of Davinia Brennan

The threat to global health caused by Covid-19 has led to unprecedented collaboration from the global scientific research community to urgently develop a vaccine. Given the prevalence of data sharing and open science, combined with the sensitive nature of the data involved, data protection concerns have quickly emerged.

The GDPR provides special rules for processing health data for scientific research purposes that are also applicable in the context of the Covid-19 pandemic. The European Data Protection Board (EDPB) recently published Guidelines 03/2020 on the processing of data concerning health for scientific research purposes in the context of Covid-19. The EDPB acknowledges the challenges faced by researchers operating with urgency, and using health data that is not always obtained directly from the data subject for the specific purpose of scientific research. The guidelines provide clarity on issues such as: the legal basis for processing health data; data subjects’ rights, and how health data can be lawfully transferred to a third country outside the EEA for scientific research purposes connected to the Covid-19 pandemic.


Continue Reading EDPB publishes guidelines on processing health data for Covid-19 research

Photo of Davinia Brennan

The Data Protection Commission (DPC) has issued its first fine under the GDPR.  Tusla, the child and family state agency, has been fined €75,000 for three data breaches.  It has been reported that the DPC has filed papers in the Circuit Court, in order for the court to confirm the fine. The purpose of this confirmation mechanism, which is required by the Data Protection Act (DPA) 2018, is to ensure that the DPC’s decision to impose a fine has due regard to fair procedures and constitutional justice.

Continue Reading Irish Data Protection Commission issues first GDPR fine

Photo of Davinia Brennan

The Annual Report of the Data Protection Commission (DPC) for 2019 reveals some interesting trends and statistics. The DPC received a record 7,215 complaints in 2019 (75% more than in 2018).  At least 40% of the DPC’s resources were devoted to the handling of individual complaints (as opposed to large-scale and more systemic

Photo of Davinia Brennan

The European Data Protection Board (EDPB) has published updated Guidelines 05/2020 on Consent under the GDPR, replacing the previous Article 29 Working Party Consent Guidelines published in April 2018. The purpose of the updated guidelines is to provide clarity on: (i) data subject consent in relation to cookie walls (which are not allowed), and (ii) scrolling or swiping through a webpage or similar actions (which does not constitute valid consent). ​The paragraphs (38-41 and 86) concerning these two issues have been revised and updated, while the rest of the document has been left unchanged, except for editorial changes.

Continue Reading EDPB issue updated Guidelines on Consent

Photo of James McCarthy

On 6 April 2020, the Data Protection Commission (DPC) published a report on the use of cookies and other tracking technologies (Report) and an updated guidance note on cookies and other tracking technologies (Guidance).

The Report is based on a review carried out by the DPC of websites in various sectors in Ireland, including insurance, banking, media, retail and the public sector. The purpose of the DPC’s report was to examine whether organisations are complying with the law, and, in particular, how organisations are obtaining the consent of users for the use of cookies. The majority of the 38 organisations examined were found to have potential compliance issues, particularly in relation to reliance on implied consent for setting non-necessary cookies; lack of choice for users to reject all cookies; bundling of consent for all purposes; and the possible misclassification of cookies as “necessary” or “strictly necessary“.  The Report gives an overview of the responses received highlighting what the DPC considers to be both “good” and “bad” practices that it encountered on the websites, and the Guidance provides website operators with guidance on how to comply with the rules relating to cookies, which are set out in the Irish ePrivacy Regulations.


Continue Reading DPC publishes Report and Guidance on cookies following a “cross-sector and cross-size” sweep of website operators