Photo of Davinia Brennan

The Minister of Finance has passed new Regulations, the Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2019, permitting data subjects’ rights under Articles 12-22 and Article 34, and controllers’ obligations under Article 5 GDPR, to be restricted to the extent necessary and proportionate to allow the Central Bank of Ireland (

Photo of Daniel Jackson

On 17 April 2018, the European Commission proposed new rules in the form of a Regulation and an accompanying Directive, which aim to improve law enforcement authorities’ cross-border access to e-evidence.

The proposed Regulation on European Production and Preservation Orders enables a judicial authority in a Member State to obtain electronic evidence in criminal matters directly from a service provider in another Member State. The Directive complements the Regulation, as it sets out the rules for the appointment of service providers’ legal representatives, whose role is to receive and respond to judicial orders. The new rules will ensure swift access to e-evidence, with service providers being required to respond to judicial orders within 10 days and in emergency cases within 6 hours, compared to 10 months under the current Mutual Legal Assistance process.


Continue Reading

Photo of Davinia Brennan

The Data Protection Commission (DPC) has published its Annual Report for 25 May-31 December 2018. As always, the Report reveals some interesting statistics and case studies. In the coming months, the DPC expects to conclude a number of statutory inquiries, which it launched in 2018, into multinational technology companies with EU headquarters situated in Ireland. The DPC anticipates that the conclusion of those inquiries will provide precedents for better implementation of the principles of the GDPR across key aspects of internet and ad tech services. This briefing note sets out some of the highlights of the Report.
Continue Reading

Photo of Davinia Brennan

The European Commission has published an infographic on compliance with and enforcement of the GDPR since from May 2018 to January 2019. The infographic reveals some interesting statistics, including:

  • 95,180 complaints have been made to EU national data protection authorities (DPAs) by individuals who believe their rights under the GDPR have been violated. The majority of these complaints concerned telemarketing, promotional emails, and video surveillance/CCTV.


Continue Reading

Photo of Davinia Brennan

The UK Court of Appeal has dismissed an appeal against the High Court’s decision that Morrisons is vicariously liable to 5,000 employees for misuse of their personal data by a rogue employee.

The decision is causing shockwaves amongst businesses, as it shows that a company may be held vicariously liable for a data breach caused

Photo of Daniel Harrington

Speaking at A&L Goodbody’s breakfast seminar, ‘GDPR The Last Lap‘, Anna Morgan, Deputy Data Protection Commissioner, has warned that companies who ‘over-report’ and adopt an overly conservative approach to the GDPR’s breach notification requirements may risk enforcement action from the Data Protection Commission (DPC).

Continue Reading

Photo of Davinia Brennan

In its recent Report on the Privacy Shield, the Article 29 Working Party (WP29) recognised the progress of the Privacy Shield in comparison with the invalidated Safe Harbour, and the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield. However, the WP29 identified a number of concerns. Like the European Commission (EC), in its first annual review of the EU-US Privacy Shield, the WP29 called for the appointment of a permanent Privacy Shield Ombudsperson (and further explanation of the rules of procedure including by declassification), and filling the remaining positions on the Privacy and Civil Liberties Oversight Board (PCLOB).  The WP29 requested these concerns to be prioritised and addressed prior to 25 May 2018, when the GDPR comes into force.

The WP29 further called for clear guidance on the Privacy Shield Principles, HR data and onward transfers, and increased supervision of compliance with the Privacy Shield principles.  The US authorities are also requested to clearly distinguish the status of processors from that of controllers both at the time of their self-certification and at the time of further check.  The WP29 demands these remaining issues to be resolved, at the latest, at the time of the next annual review of the Privacy Shield. If no remedies are brought to address the concerns raised by the WP29 within these time frames, the WP29 warned it will bring the Privacy Shield adequacy decision to the national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.


Continue Reading

Photo of Davinia Brennan

We have updated our GDPR Guide for Businesses to take account of new EU regulatory guidance. The guide is a ‘living document‘, which we will expand as more regulatory guidance is published.

The EU Article 29 Working Party has published guidance on a number of key changes introduced by the GDPR, including: administrative fines,