The Online Safety and Media Regulation Bill 2022 was signed into law on Saturday, 10 December 2022.
Online safety is one of the headline items covered by the new legislation, and it will be overseen by the newly-established Media Commission (Coimisiún na Meán). The legislation also seeks to implement a number of other key legislative
The Digital Services Act (DSA) was published in the Official Journal of the European Union today. It will enter into force on 16 November 2022, i.e. 20 days from the date of publication in the Official Journal.
Who will be affected?
The DSA will apply to a range of providers of digital
When the European Commission adopted the new EU Standard Contractual Clauses (new SCCs) for international data transfers earlier this year, we highlighted 3 key dates to be aware of. As one of those dates – 27 September 2021 – has now passed, its timely to remind ourselves why those dates are important.
Continue Reading Old EU SCCs now repealed
On 25 May the Grand Chamber of the European Court of Human Rights, (ECtHR) ruled that the UK’s surveillance regime of bulk interception of online communications violated the European Convention on Human Rights (Convention) in the case of Big Brother Watch v United Kingdom. According to the ECtHR this regime breached the rights to privacy and freedom of expression enshrined within Article 8 and 10 of the Convention, a ruling that will have significant implications for state surveillance across Europe.
Continue Reading Big Brother was watching: ECHR Grand Chamber rules that UK bulk interception surveillance regime violates human rights
The Bavarian Data Protection Authority (DPA) recently ruled that a German publisher should cease using a US-based email marketing platform to send newsletters to its subscribers. The Bavarian DPA found that transfers of email addresses of EU subscribers by the German publisher to the US-based platform to be unlawful. When using the platform, the German publisher relied on the Standard Contractual Clauses (SCCs) for its data transfers from Germany to the US.
Continue Reading Bavarian DPA finds data transfers to US-based email marketing platform unlawful
The Irish Data Protection Commission (DPC) has imposed a €70,000 fine on University College Dublin (UCD) for failure to implement appropriate security measures; storing data longer than necessary, and delaying in notifying the DPC of a data breach. This is the sixth GDPR fine imposed by the DPC. Previous GDPR fines included 3 fines on Tusla (the Child and Family Agency) amounting to a total of €200,000; a €450,000 fine on Twitter, and a €65,000 fine on the HSE. These fines similarly concerned failure to implement appropriate security measures to prevent the unauthorised disclosure of personal data; delaying in notifying the DPC of the data breach; and failing to adequately document the breach.
Continue Reading DPC fines UCD €70,000 for GDPR breach
On 24 December 2020, the EU and UK reached a consensus on the Trade and Cooperation Agreement (the Agreement). The agreement allows personal data to continue to flow freely from the EU/EEA to the UK for up to 6 months after 1 January 2021, or until an adequacy decision is adopted (whichever is earlier). This provides the European Commission with some further time to make an adequacy decision in relation to the UK.
Continue Reading Trade Agreement keeps EU-UK personal data flowing for 6 months
The European Commission recently published its new draft Standard Contractual Clauses (SCCs) for international transfers of personal data to third parties located outside of the EEA.
The new SCCs have been expected for some time in light of the coming into force of the GDPR. The existing set of SCCs were implemented under the former Data Protection Directive 95/46/EC and still referenced that regime. The delay was due to the European Commission reconciling the new SCCs with the decision of the European Court of Justice in Schrems II.
Whilst the new SCCs align with the GDPR, address the Schrems II decision, and directly incorporate some of the European Data Protection Board (EDPB) Recommendations on Supplementary Measures (01/2020), they are not a catch-all solution for international data transfers. Parties will still be required to undertake a risk assessment, and adopt supplementary measures (where necessary), to ensure the effectiveness of the new SCCs in the third country concerned. Where the new SCCs and supplementary measures do not provide an adequate level of protection in the third country, then companies will be obliged to suspend and/or terminate the transfer.
Continue Reading European Commission publishes draft new SCCs
The register of one-stop-shop decisions is now live on the EDPB website. It contains access to summaries and final decisions adopted by the Lead Supervisory Authorities (LSAs), working together with other concerned authorities. The decisions concern a range of data protection compliance issues, in particular, data subject rights; lawfulness of processing, data breaches, security, and transparency requirements. In many cases, the LSAs concluded there was no violation of the GDPR. In the event there was a violation, the LSAs, for the most part, issued reprimands or compliance orders, rather than fines.
Continue Reading EDPB’s register of one-stop-shop decisions now live
The European Data Protection Board (EDPB) has published updated Guidelines 05/2020 on Consent under the GDPR, replacing the previous Article 29 Working Party Consent Guidelines published in April 2018. The purpose of the updated guidelines is to provide clarity on: (i) data subject consent in relation to cookie walls (which are not allowed), and (ii) scrolling or swiping through a webpage or similar actions (which does not constitute valid consent). The paragraphs (38-41 and 86) concerning these two issues have been revised and updated, while the rest of the document has been left unchanged, except for editorial changes.
Continue Reading EDPB issue updated Guidelines on Consent