By Davinia Brennan

The UK Court of Appeal has dismissed an appeal against the High Court’s decision that Morrisons is vicariously liable to 5,000 employees for misuse of their personal data by a rogue employee.

The decision is causing shockwaves amongst businesses, as it shows that a company may be held vicariously liable for a data breach caused by an employee, even if the employee’s motive in committing the breach was to harm the company (Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339).

The amount of compensation to be awarded has yet to be determined. The Court of Appeal acknowledged that data breaches caused by either corporate system failures or negligence by individuals acting in the course of their employment may lead to a large number of claims against companies for “potentially ruinous amounts”, and said that the solution is to insure against such catastrophes. In the court’s view, the availability of such insurance was a valid answer to the “Doomsday or Armageddon arguments” about the effect of its decision.

Although this is a UK decision, it will be of persuasive authority to the Irish courts if a similar action is brought here. It remains to be seen whether the decision will open the floodgates to vicarious liability actions being taken against companies for data breaches caused by employees. However, it is likely to be easier to take such actions, as the Irish Data Protection Act 2018 allows compensation to be awarded to data subjects for non-material loss, such as emotional distress. Morrisons has indicated that it intends to appeal the decision to the UK Supreme Court.

Our blog on the High Court’s decision is available here.

By Daniel Harrington

Speaking at A&L Goodbody’s breakfast seminar, ‘GDPR The Last Lap’, Anna Morgan, Deputy Data Protection Commissioner, has warned that companies that ‘over-report’ and adopt an overly conservative approach to the GDPR’s breach notification requirements may risk enforcement action from the Data Protection Commission (DPC).

Continue reading: Over-Reporting Data Breaches to Data Protection Commission may result in enforcement action, warns Deputy Data Protection Commissioner

By Vladimir Rakhmanin

The European Commission (EC) has issued a notice reminding stakeholders that, due to the UK’s intention to leave the EU, the UK will be considered a ‘third country’ for the purposes of data transfers from 10 March 2019 (available here).

Continue reading: European Commission reminds stakeholders that UK is a third country for data transfers from 10 March 2019

By Davinia Brennan

In its recent Report on the Privacy Shield, the Article 29 Working Party (WP29) recognised the progress of the Privacy Shield in comparison with the invalidated Safe Harbour, and the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield. However, the WP29 identified a number of concerns. Like the European Commission (EC) in its first annual review of the EU-US Privacy Shield, the WP29 called for the appointment of a permanent Privacy Shield Ombudsperson (and further explanation of the rules of procedure, including by declassification), and for the remaining positions on the Privacy and Civil Liberties Oversight Board (PCLOB) to be filled. The WP29 requested that these concerns be prioritised and addressed prior to 25 May 2018, when the GDPR comes into force.

The WP29 further called for clear guidance on the Privacy Shield Principles, HR data and onward transfers, and for increased supervision of compliance with the Privacy Shield principles. The US authorities are also requested to clearly distinguish the status of processors from that of controllers, both at the time of their self-certification and at the time of further checks. The WP29 demands that these remaining issues be resolved, at the latest, at the time of the next annual review of the Privacy Shield. If no remedies are brought to address the concerns raised by the WP29 within these time frames, the WP29 warned that it will bring the Privacy Shield adequacy decision before the national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.

Continue reading: What’s the current status of the Privacy Shield?

By Davinia Brennan

We have updated our GDPR Guide for Businesses to take account of new EU regulatory guidance. The guide is a ‘living document’, which we will expand as more regulatory guidance is published.

The EU Article 29 Working Party has published guidance on a number of key changes introduced by the GDPR, including: administrative fines, mandatory breach notification, data protection officers, lead supervisory authority, data portability, profiling, and data protection impact assessments.

More regulatory guidance is expected shortly, as well as publication of the new Irish Data Protection Bill, which will give effect to, and provide for derogations from, the GDPR.

With only 6 months left until the GDPR comes into force, it is essential to start making preparations now, if you have not already done so.

For more information see our dedicated GDPR site.

By Davinia Brennan

At its plenary meeting this month, the WP29 adopted the final version of its Data Protection Impact Assessment (DPIA) guidelines.

It also adopted draft guidelines on data breach notification, profiling and administrative fines, which will be open for public consultation for 6 weeks before their final adoption. The guidelines are expected to be published shortly on the European Commission’s WP29 webpage.

Each WP29 subgroup provided a state of play of its work on the WP29’s priorities on the GDPR, including guidelines on consent, transparency and the update of data transfer tools, which are to be adopted between November 2017 and February 2018.

On certification, the discussions are continuing and the guidelines should be proposed for adoption at the February 2018 WP29 plenary.

The WP29 also worked on the organization and structure of the EDPB and of the cooperation system to be ready for May 2018.

By Davinia Brennan

The UK Information Commissioner’s Office (ICO) is consulting on draft GDPR guidance on contracts and liabilities between controllers and processors. The guidance seeks to help organisations understand what must be included in contracts under the GDPR, and the new responsibilities and liabilities of processors.

Continue reading: ICO opens consultation on draft guidance on controller/processor contracts and liabilities

By Davinia Brennan

The EU Council has proposed amendments to the draft ePrivacy Regulation (the Regulation). The Presidency points out that work on the text will be incremental and this is only its first redraft.

Proposed amendments include:

Scope – The Presidency clarifies the precise material and territorial scope of the Regulation as including:

  • the processing of electronic communications content in transmission, and of electronic communications metadata carried out in connection with the provision of electronic communications services to end-users in the EU;
  • information related to, processed by, or stored in the terminal equipment of end users located in the EU;
  • the placing on the market of software permitting electronic communications, including the retrieval and presentation of information on the internet;
  • the offering of a publicly available directory of end-users of electronic communications services located in the EU; and
  • the sending or presenting of direct marketing communications to end users located in the EU.

Continue reading: EU Council proposes revisions to the draft ePrivacy Regulation

By Davinia Brennan

Employee monitoring versus privacy rights is back in the spotlight due to today’s decision by the Grand Chamber of the European Court of Human Rights (ECHR) in Bărbulescu v. Romania. The Grand Chamber held there had been a violation of Article 8 of the European Convention on Human Rights, where an employer monitored and accessed personal emails sent by an employee during work hours from his Yahoo Messenger account, using a company computer, without notifying the employee in advance of such monitoring.

Continue reading: ECHR rules employees must receive prior notice of email monitoring

By Davinia Brennan

The Data Protection Commissioner (DPC) has initiated a consultation seeking submissions in regard to how some key concepts in the GDPR should be interpreted and applied, including:

  • Consent
  • Profiling
  • Personal data breach notifications
  • Certification

The Article 29 Working Party (WP29) (consisting of representatives of the EU data protection authorities) is currently preparing guidance on these concepts, and EU data protection authorities are undertaking consultation processes with the purpose of ensuring that the views of stakeholders are heard. The questions asked in the consultation demonstrate the lack of detail in the GDPR in regard to these key concepts.

Continue reading: DPC launches consultation on consent, profiling, data breach notifications and certification under the GDPR