The Online Safety and Media Regulation Bill 2022 was signed into law on Saturday, 10 December 2022.

Online safety is one of the headline items covered by the new legislation, and it will be overseen by the newly-established Media Commission (Coimisiún na Meán). The legislation also seeks to implement a number of other key legislative

The Digital Services Act (DSA) was published in the Official Journal of the European Union today. It will enter into force on 16 November 2022, i.e. 20 days from the date of publication in the Official Journal.

Who will be affected?

The DSA will apply to a range of providers of digital

Photo of Grace Moore

On 25 May the Grand Chamber of the European Court of Human Rights, (ECtHR) ruled that the UK’s surveillance regime of bulk interception of online communications violated the European Convention on Human Rights (Convention) in the case of Big Brother Watch v United Kingdom.  According to the ECtHR this regime breached the rights to privacy and freedom of expression enshrined within Article 8 and 10 of the Convention, a ruling that will have significant implications for state surveillance across Europe.
Continue Reading Big Brother was watching: ECHR Grand Chamber rules that UK bulk interception surveillance regime violates human rights

Photo of Davinia Brennan

The Bavarian Data Protection Authority (DPA) recently ruled that a German publisher should cease using a US-based email marketing platform to send newsletters to its subscribers. The Bavarian DPA found that transfers of email addresses of EU subscribers by the German publisher to the US-based platform to be unlawful.  When using the platform, the German publisher relied on the Standard Contractual Clauses (SCCs) for its data transfers from Germany to the US.
Continue Reading Bavarian DPA finds data transfers to US-based email marketing platform unlawful

Photo of Davinia Brennan

The Irish Data Protection Commission (DPC) has imposed a €70,000 fine on University College Dublin (UCD) for failure to implement appropriate security measures; storing data longer than necessary, and delaying in notifying the DPC of a data breach. This is the sixth GDPR fine imposed by the DPC.  Previous GDPR fines included 3 fines on Tusla (the Child and Family Agency) amounting to a total of €200,000; a €450,000 fine on Twitter, and a €65,000 fine on the HSE. These fines similarly concerned failure to implement appropriate security measures to prevent the unauthorised disclosure of personal data; delaying in notifying the  DPC of the data breach; and failing to adequately document the breach.
Continue Reading DPC fines UCD €70,000 for GDPR breach

Photo of Davinia Brennan

On 24 December 2020, the EU and UK reached a consensus on the Trade and Cooperation Agreement (the Agreement). The agreement allows personal data to continue to flow freely from the EU/EEA to the UK for up to 6 months after 1 January 2021, or until an adequacy decision is adopted (whichever is earlier). This provides the European Commission with some further time to make an adequacy decision in relation to the UK.
Continue Reading Trade Agreement keeps EU-UK personal data flowing for 6 months

Photo of Davinia Brennan

The European Commission recently published its new draft Standard Contractual Clauses (SCCs) for international transfers of personal data to third parties located outside of the EEA.

The new SCCs have been expected for some time in light of the coming into force of the GDPR. The existing set of SCCs were implemented under the former Data Protection Directive 95/46/EC and still referenced that regime. The delay was due to the European Commission reconciling the new SCCs with the decision of the European Court of Justice in Schrems II.

Whilst the new SCCs align with the GDPR, address the Schrems II decision, and directly incorporate some of the European Data Protection Board (EDPB) Recommendations on Supplementary Measures (01/2020), they are not a catch-all solution for international data transfers. Parties will still be required to undertake a risk assessment, and adopt supplementary measures (where necessary), to ensure the effectiveness of the new SCCs in the third country concerned.  Where the new SCCs and supplementary measures do not provide an adequate level of protection in the third country, then companies will be obliged to suspend and/or terminate the transfer.Continue Reading European Commission publishes draft new SCCs

Photo of Davinia Brennan

​The register of one-stop-shop decisions is now live on the EDPB website. It contains access to summaries and final decisions adopted by the Lead Supervisory Authorities (LSAs), working together with other concerned authorities. The decisions concern a range of data protection compliance issues, in particular, data subject rights; lawfulness of processing, data breaches, security, and transparency requirements. In many cases, the LSAs concluded there was no violation of the GDPR. In the event there was a violation, the LSAs, for the most part, issued reprimands or compliance orders, rather than fines.
Continue Reading EDPB’s register of one-stop-shop decisions now live