Cyber Risk & Data Privacy

Davinia Brennan

The Article 29 Working Party (WP29) has published a position paper on the scope of the derogation from the obligation to maintain records of processing activities. Article 30.5 provides that the record-keeping obligation does not apply to organisations with fewer than 250 employees in certain circumstances. The WP29 has stated that the position paper was published as a result of a high number of requests from companies received by national Supervisory Authorities. Despite the existence of the derogation, the WP29 encourages SMEs to maintain records of their processing activities, as it is a useful means of assessing the risk of processing activities on individuals’ rights, and of identifying and implementing appropriate security measures to safeguard personal data. In light of the new accountability principle in the GDPR requiring organisations to be able to demonstrate how they comply with their GDPR obligations, it would certainly be prudent for all organisations, regardless of size, to maintain such records.

The position paper makes it clear that all organisations, without exception, must maintain a record of processing in regard to human resources (HR) data, as such processing is carried out regularly and cannot be considered “occasional”. Accordingly, all organisations must ensure they can present records relating to HR data to their supervisory authority post-May 2018, if requested. This will entail keeping a record of the types of HR data processed, the categories of data subjects (i.e. employees, ex-employees, candidates, consultants), the purposes of the processing, the recipients of such data (e.g. any third party service providers), the data retention periods for each type of HR data processed, details of any non-EEA transfers of HR data, and the security measures in place to protect such data.

Continue Reading WP29 issues position paper on GDPR record-keeping obligation

Davinia Brennan

On 26 March 2018, the US Department of Commerce (DOC) published an update on action it has taken to support the EU-US and Swiss-US Privacy Shield frameworks. It highlights the oversight and enforcement measures taken in regard to the commercial and national security aspects of the Shield Frameworks.

It remains to be seen whether the measures taken will be sufficient to appease the Article 29 Working Party (WP29), which raised a number of concerns about the EU-US Privacy Shield in November 2017. The WP29, in particular, called for the appointment of an independent Ombudsperson to be prioritized and for the exact powers of the Ombudsperson mechanism to be clarified, including through the declassification of internal procedures, as well as for the appointment of PCLOB members. It called for those prioritized concerns to be resolved by 25 May 2018, and its other concerns to be addressed at the latest at the second joint review. The WP29 warned that if no remedy was brought to address its concerns in the given time-frames, the WP29 would take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling. Whilst the DOC’s update notes that President Trump has nominated three individuals to the PCLOB, it does not clarify whether Ambassador Judith G Garber, who has been ‘acting’ as Privacy Shield Ombudsman, has been permanently appointed to that role, nor is there any mention of declassification of the internal rules of procedure of the Ombudsperson.

On a positive note, the DOC’s update shows that the US has made efforts to address other concerns raised by the WP29, including publishing enhanced guidance on the self-certification process; strengthening monitoring and enforcement of the Shield through random spot-checks on certified organisations and proactive checks for false certification claims; and developing user-friendly guidance material for individuals, businesses and authorities.

The DOC’s update also highlights that the US government has expressly confirmed that Presidential Policy Directive 28 (PPD-28), providing protection to individuals regardless of nationality with respect to signals intelligence information, remains in place without amendment. In addition, Congress has reauthorized FISA section 702, reportedly maintaining all elements on which the European Commission’s Privacy Shield determination was based.

Davinia Brennan

The Data Protection Commissioner (DPC) has published her Annual Report for 2017, which discusses the key activities and challenges of her office last year, as well as her priorities for the coming year. The DPC spent much of 2017 raising awareness of the GDPR. She continued to engage with organisations in regard to their data protection law compliance, carrying out over 200 consultations and 100 face-to-face meetings in which preparation for the GDPR was a constant feature. The DPC dealt with a record number of complaints (2,642), most of which were resolved amicably. She was also busy on the litigation front, particularly in regard to court proceedings concerning the validity of the EU Standard Contractual Clauses as a legal mechanism to transfer personal data out of the EEA.

Continue Reading Insights on the Data Protection Commissioner’s Annual Report for 2017

Davinia Brennan

As a follow-up to its Communication of September 2017 on tackling illegal online content, the European Commission has published a non-binding “Recommendation” which formally lays down operational measures that online platforms and Member States should take, before it determines whether it is necessary to propose legislation to complement the existing regulatory framework. The Recommendation applies to all forms of illegal content which are not in compliance with EU or Member State law, such as terrorist content, racist or xenophobic illegal hate speech, child sexual exploitation, illegal commercial practices, breaches of intellectual property rights and unsafe products. The Recommendation puts pressure on online platforms to implement more proactive measures to ensure faster detection and removal of illegal content online. It has been criticised by digital human rights organisations as essentially forcing online platforms to “voluntarily” police and censor the internet, without respect for the fundamental right to freedom of expression.

Continue Reading European Commission publishes “Recommendation” on tackling illegal content online

Davinia Brennan

In October 2017, the Government published the General Scheme of the Communications (Retention of Data) Bill 2017 (the Bill). The draft Bill was published in response to Chief Justice Murray’s Report, which reviewed the law concerning the retention of and access to communications data held by communications service providers, and to recent decisions of the EU Court of Justice (CJEU) in the Digital Rights Ireland and Tele2 cases. Having engaged with stakeholders to hear their views on the draft Bill, the Oireachtas Joint Committee on Justice and Equality has now published its Report on pre-legislative scrutiny of the Bill.

Continue Reading Report on pre-legislative scrutiny of new surveillance legislation published

Daniel Harrington

Speaking at A&L Goodbody’s breakfast seminar, ‘GDPR The Last Lap’, Anna Morgan, Deputy Data Protection Commissioner, has warned that companies that ‘over-report’ and adopt an overly conservative approach to the GDPR’s breach notification requirements may risk enforcement action from the Data Protection Commission (DPC).

Continue Reading Over-Reporting Data Breaches to Data Protection Commission may result in enforcement action, warns Deputy Data Protection Commissioner

Davinia Brennan

The Government has published the eagerly awaited Data Protection Bill 2018 to give effect to the GDPR (2016/679) and to provide, in the limited areas permitted, for national derogations. The Bill repeals the Data Protection Acts 1988 and 2003 (the Acts), except for those provisions relating to the processing of personal data for the purposes of national security, defence and the international relations of the State. It also provides for restrictions on individuals’ rights similar to those which currently exist under sections 5 and 8 of the Acts, such as in regard to data processed for the prevention, detection, investigation and prosecution of criminal offences, or for the exercise or defence of legal claims.

The GDPR does not impose any criminal sanctions on controllers or processors for contravening its provisions, but leaves it to Member States to do so, and the Bill provides for a number of offences. Unsurprisingly, the Bill proposes that enforced access requests; unauthorised disclosure of personal data by a processor or by an employee or agent of the processor; and disclosure of personal data obtained without authority will continue to constitute offences post-May 2018. These offences will be punishable by a fine of up to €50,000 and/or up to 5 years’ imprisonment. The Bill also proposes the continuation of personal criminal liability for directors, managers, secretaries or other officers of a company for offences committed by the company which are proved to have been committed with the consent or connivance of, or to be attributable to any neglect of, such persons.

Continue Reading Irish Government publishes Data Protection Bill 2018

Daniel Harrington

The Minister for Communications, Denis Naughten, has confirmed that plans to appoint a Digital Safety Commissioner for Ireland (DSC) will go ahead in 2018. The DSC will act as an ‘Internet regulator’, with powers of enforcement and responsibility for a ‘notice and takedown’ regime, to ensure the online safety of Internet users.

The proposal for a DSC is contained in a Report from the Law Reform Commission (LRC) on Harmful Communications and Digital Safety, which also contains a draft legislative proposal. The LRC has recommended that the scope of regulation by the DSC should include all ‘digital service undertakings’, which would be defined very broadly to cover intermediary service providers, internet service providers, internet intermediaries, online intermediaries, online service providers, search engines, social media platforms and websites and telecommunications undertakings.

The DSC mechanism is partially inspired by the systems in place in Australia and New Zealand, which have specific timelines linked to the obligation to remove unlawful material, with removal generally being required within 48 hours. In Ireland, under the current LRC proposals, the DSC will be mandated to develop a national Code of Practice for Take Down procedure, which would contain detailed and practical guidance on the procedure for ‘takedowns’, a requirement that the takedown procedure is made available free of charge, and timelines within which offending materials should be removed.

It should be noted that the Australian and New Zealand regimes were implemented on a somewhat blank legislative canvas. Any proposal in Ireland must be compliant with the overarching requirements of the eCommerce Directive (which does not contain mandatory timelines, but requires internet intermediaries to ‘act expeditiously’ or risk losing their legal immunity). It remains to be seen whether an additional layer of Irish regulation on tech and Internet companies would have any impact on Ireland’s international reputation as an attractive place to do business.

An Taoiseach Leo Varadkar had previously indicated that Government plans to appoint a DSC were ‘on hold’; however, he has since clarified that he may have ‘mis-spoken’.

The Department of Communications has organised an open digital safety forum on March 8 at the Royal Hospital Kilmainham involving Gardaí, Interpol, NGOs, state bodies and parents groups. We await further detail on this proposal.

Davinia Brennan

With just over 100 days until the GDPR comes into force, the European Commission has launched GDPR guidance and a new online tool to help businesses to prepare for their new data protection legal obligations. The Commission has also called on national governments to prepare for the new rules. Although the GDPR is directly applicable across the EU from 25 May 2018, Member States need to take steps to implement national legislation to adapt existing laws, and to provide for any derogations from the GDPR.

So far only two Member States, namely Germany and Austria, have adopted the relevant national legislation. The remaining Member States are at different stages in their legislative procedures (State of play available here). When adapting their national legislation, Member States are prohibited from repeating the text of the GDPR, unless such repetitions are strictly necessary. The Commission warns Member States that it is important to give businesses enough time to prepare for all the provisions that they have to comply with.

Continue Reading EU Commission launches new GDPR online tool