By any measure, 2018 was a historic year for data protection law with the coming into effect of the GDPR on 25 May 2018. Ireland plays an important role in the regulation and enforcement of data protection law and decisions of the Irish courts have had a disproportionate impact on European data protection jurisprudence. With
The EDPB has published information notes on Data Transfers under the GDPR in the Event of a No-Deal Brexit, and on BCRs for Companies Which Have ICO as BCR Lead Supervisory Authority to help organisations prepare for a no-deal Brexit. The information notes build on guidance already issued by the UK ICO and Irish Data Protection Commission (discussed here).
The Information Note on Data Transfers warns that, in the event of a no-deal Brexit, the UK will be a ‘third country’ from 30 March 2019. As a result, personal data cannot be transferred from the EEA to the UK unless organisations implement a data transfer mechanism under the GDPR, such as standard contractual clauses; ad hoc contractual clauses; binding corporate rules (BCRs); codes of conduct and certification mechanisms, or a derogation. In regard to data transfers from the UK to the EEA, the UK Government have confirmed the current practice, which permits personal data to flow freely from the UK to the EEA, will continue in the event of a no-deal Brexit.
The European Data Protection Board (EDPB) has published its work program for the next two years. The program lists the guidelines, consistency opinions, and other types of activities the EDPB intends to carry out. The program is based on the needs identified by the EDPB as priority for individuals, stakeholders, as well as the EU legislator planned activities. The Guidelines due to be published over the coming two years include:
- Guidelines on reliance on Art. 6(1) b in the context of online services (i.e. the contractual necessity legal basis)
- Guidelines on concepts of controller and processor (Update of the WP29 Opinion)
- Guidelines on the notion of legitimate interest of the data controller (Update of the WP29 Opinion)
- Guidelines on the Territorial Scope of the GDPR (finalisation after the public consultation)
The European Data Protection Board (EDPB) has adopted an Opinion (3/2019) on the interplay between the EU Clinical Trials Regulation (536/2014) (CTR) and the GDPR, following a request from the European Commission to review its Q&A on the topic. The CTR, which is expected to enter into force in 2020, aims to harmonise the rules for conducting clinical trials throughout the EU. It does not contain any derogations from the GDPR and will therefore apply simultaneously with the GDPR.
The EDPB’s Opinion focuses on: (1) the legal basis under the GDPR for processing personal data in the course of a clinical trial protocol (primary use), and (2) further use of clinical trial data for other scientific purposes (secondary use). Some highlights of the EDPB’s Opinion are set out below.
The European Commission has published an infographic on compliance with and enforcement of the GDPR since from May 2018 to January 2019. The infographic reveals some interesting statistics, including:
- 95,180 complaints have been made to EU national data protection authorities (DPAs) by individuals who believe their rights under the GDPR have been violated. The majority of these complaints concerned telemarketing, promotional emails, and video surveillance/CCTV.
It looks unlikely that the draft e-Privacy Regulation will come into effect before 2021. European Council negotiations on the text of the draft Regulation are currently ongoing, and trilogue discussions by the Council, Parliament and Commission will then take place. However, the upcoming May 2019 European elections may lead to a delay in the Council adopting a common position and the trilogue discussions commencing. In addition, the latest draft text of the Regulation, published by the European Council, provides that it will apply 24 months from the date it is adopted, with the result that even if it is adopted imminently, it may not come into effect until 2021.
The European Commission has adopted an adequacy decision on Japan, creating the world’s largest area of safe data flows. The decision means that EU organisations can transfer personal data to organisations in Japan, without having to put in place a transfer mechanism laid down in Chapter 5 of the GDPR (such as the Commission’s standard contractual clauses or Binding Corporate rules). Japan has adopted an equivalent decision, making it simpler for Japanese organisations to transfer personal data to the EU. The adequacy decision, as well as the equivalent decision on the Japanese side, came into force on 23 January 2019.
The Data Protection Commission (DPC) has issued guidance in relation to the transfer of personal data to and from the UK in the event of a ‘no deal’ Brexit. The DPC’s guidance is in line with the ‘no deal’ Brexit guidance published on 13 December 2018 by the UK Government (supplementing its September 2018 Technical Note) and by the UK Information Commissioner’s Office (ICO). Some highlights of the guidance issued by the Irish and UK regulators, and UK government, are set out below.
The European Commission has published its Report and Staff Working Document on the second annual review of the Privacy Shield. The Report concludes that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to the 3850 participating companies in the U.S. It notes that the steps taken by the U.S. authorities to implement the recommendations made by the Commission in last year have improved the functioning of the framework.
However, the Commission expects the US authorities to nominate a permanent Ombudsperson by 28 February 2019 to replace the one that is currently acting. The Ombudsperson is an important mechanism that ensures complaints concerning access to personal data by U.S. authorities are addressed. If the Ombudsperson is not appointed by that date, the Commission will consider taking appropriate measures, in accordance with the GDPR.
The DPC has published guidance for drivers concerning their data protection responsibilities when using dash cams. Images and audio recordings captured by dash cams constitute ‘personal data‘ insofar as they relate to an identifiable individual and are therefore subject to the GDPR and Data Protection Act 2018.
Actions to take
In order to comply with the GDPR, in particular, the transparency, purpose limitation, data minimisation, storage limitation and security requirements, as well as individuals’ access rights, the DPC recommends that drivers take the following actions:
- Ensure a clearly visible sign or sticker is place on vehicles indicating that filming is taking place;
- Keep a policy sheet detailing your contact details, the basis on which you are collecting the images and audio of others (if applicable), the purposes for which the data is being used and how long you will retain it for etc. (in compliance with Articles 12 and 13 of the GDPR);
- Provide a copy of the policy sheet on request to anyone who asks for further information about your dash cam, or provide the information verbally;
- In the event of an accident, inform the other party that you have recorded footage of the accident;
- Only retain footage for as long as necessary, in regard to the purpose for which it was obtained. Footage of an accident may be required for a claim or investigation and can be retained for that purpose, but other footage should be routinely deleted;
- Store footage securely and limit access to it, and
- Provide individuals with access to any footage/audio recording their image/voice.