The Government Chief Whip, Seán Kyne TD, has published the Government’s Legislation Programme for Autumn 2019. The Programme lists 32 priority Bills; 27 Bills currently before the Houses of the Oireachtas, and 69 Bills where preparatory work is underway.
The key data protection and technology-related Bills are set out below. The Programme notes that
The Minister for Social Protection, Regina Doherty, and the Minister for Finance, Paschal Donohoe, have informed the government that provision and use of the Public Services Card (PSC), not just by the Department of Employment Affairs and Social Protection (DEASP), but by other public bodies shall continue. The DEASP has written to the Data Protection Commission (DPC) advising it of this decision. In doing so, the Government accepts that it may be necessary for the matter to be referred to the courts for a definitive decision. The DEASP intend to publish the DPC’s investigation report following further engagement with the DPC.
Continue Reading
On Friday 16 August 2019, the Data Protection Commission (DPC) published its findings on certain aspects of the Public Services Card (PSC). The DPC found that seven out of eight of its findings were adverse to the positions advanced by the Department of Employment and Social Protection (DEASP) and that there is and has been non-compliance with the applicable provisions of data protection law.
Continue Reading
In the Fashion ID case (C-40/17) , the Court of Justice of the European Union (CJEU) found that the operator of a website that features a plug-in (such as a Facebook ‘Like’ button), can be considered a joint controller with the plug-in provider, in respect of the collection and transmission to that plug-in provider of the personal data of visitors to its website. However the website operator will not be a joint controller or liable for any subsequent processing of the personal data by the plug-in provider.
The CJEU also held that the website operator is responsible for obtaining consent from website visitors for the collection and transmission of their personal data and providing notice to visitors about the use and disclosure of their personal data.
Although the case was decided under the the Data Protection Directive 95/46/EC (the Directive), it will continue to be relevant under the GDPR, since the relevant definitions and obligations continue to apply under the new regime. The decision will have an impact not only on website operators that embed social plug-ins, but to any website operator that uses cookies to collect and transmit personal data of their visitors to third parties, such as AdTech providers.
The European Data Protection Board (EDPB) has published its Annual Report covering the period from 25 May – 31 December 2018. It provides an overview of the EDPB’s activities last year, and discusses the areas it intends to focus on in 2019-2020.
Continue Reading
In the past two days, the UK Information Commissioner’s Office (ICO) has issued (potential) GDPR fines of £183.39m and £99.2m on British Airways (BA) and Marriott International Inc., respectively. These are the first fines to be issued by the ICO under the GDPR, and the biggest fines issued by an EU Data Protection Authority (DPA) to date. As the fines affected individuals in multiple Member States, the ‘one stop shop’ provisions in the GDPR apply, and the ICO has therefore been required to liaise with other EU DPAs.
The fines highlight the importance of companies ensuring that robust security measures are in place to protect personal data and undertaking appropriate due diligence in corporate mergers and acquisitions. As the EU DPAs are encouraged to adopt a consistent approach to the imposition of administrative fines, the ICO’s fines serve as a warning to companies of the level of GDPR fines that may be imposed by the Irish Data Protection Commission for data breaches resulting from weak security measures.
The ICO does not routinely publish notices of intent to levy a penalty, however the ICO’s policy on “Communicating Regulatory Enforcement Activity” states that such notices may be published in certain circumstances, including where the matter is already in the public domain; there are financial market reporting obligations; or it is necessary for international regulatory cooperation. The ICO statements of intent to fine BA and Marriott were issued in response to an announcement by BA to the London Stock Exchange, and a filing by Marriott with the US Securities and Exchange Commission, that the ICO intended to fine them for breaches of data protection law.
The DPC has released new CCTV Guidance to assist owners and occupiers of premises to understand their data protection obligations when using CCTV. Data controllers should already be aware that footage or images containing identifiable individuals captured by CCTV is personal data and therefore data protection laws apply.
Continue Reading
A recent survey of regional data protection authorities in Germany has revealed 75 cases of reported personal data breaches since the GDPR came into effect on 25 May 2018. As a result, German authorities have imposed punitive fines totalling €449,000.
Germany differs from Ireland as the responsibility for monitoring and ensuring compliance with the GDPR and national data protection laws is delegated to each of the 16 German states, with each state possessing its own authority. A committee consisting of representatives from each regional authority (the ‘Data Protection Conference’) has also been appointed to ensure that a consistent approach is taken throughout the states.
So far, fines have been imposed in six of the sixteen federal states. The highest fines have been reported in the Baden-Wurttemberg region (€203, 000 across seven cases), Rhineland-Palatinate region (€124,000 across nine cases) and Berlin (€105,600 across eighteen cases). Examples of commonly reported GDPR violations include inadequate technical or organisational security measures (e.g. storing user password in non-encrypted form), non-compliance with information duties (e.g. lack of transparency around processing activities) and unauthorized marketing e-mails.
The European Commission’s High Level Expert Group on Artificial Intelligence has released a new set of guidelines for ensuring that AI is “trustworthy”, following a public consultation with feedback from over 500 contributors.
The updated guidelines set out the EU’s guidance for assisting developers and deployers in achieving “trustworthy AI”, maximizing the benefits and minimizing the risks associated with this emerging area of technology.
Following its European strategy on AI (published in April 2018), the guidelines were drafted by an independent expert group, comprising of 52 representatives from academia, industry and society.
In Ryanair dac v SC Vola.ro srl [2019] IEHC 239 the Irish High Court confirmed the enforceability of a jurisdiction clause contained within a website’s Terms of Use, finding the user had agreed to it via a “click-wrap” agreement. Following previous Ryanair screen-scraping cases, the court held the click-wrap agreement met the requirements of Article