Photo of Davinia Brennan

The Government has published its legislation programme for Autumn 2021. We have set out below the status of key Bills of relevance to the data protection, commercial and technology sector.

Priority legislation for publication and drafting this Autumn

  • Online Safety and Media Regulation (OSMR) Bill – This Bill will provide for the establishment of a multi-person Media Commission (including an Online Safety Commissioner), the dissolution of the Broadcasting Authority of Ireland, a regulatory framework to tackle the spread of harmful online content, and implementation of the revised Audiovisual Media Services (AVMS) Directive 2018/1808. The Heads of Bill were published on 9 January 2020, with additional provisions approved on 8 December 2020 and 18 May 2021. The government also approved the integration of the Broadcasting (Amendment) Bill into the OSMR Bill. Member States were due to implement the revised AVMS Directive in national law by 19 September 2020, so Ireland has missed this deadline. Pre-legislative scrutiny is ongoing. Further background information information on the proposed Bill is available here.
  • Consumer Rights Bill – This Bill will give effect to two EU Directives (770/2019 and 771/2019) on consumer contracts for the supply of digital content and digital services, and on consumer contracts for the sale of goods. It will also update and consolidate the statutory provisions on consumer rights and remedies in relation to contracts for the supply of non-digital services, unfair contract terms, and information and cancellation rights. The General Scheme of the Bill has been published for public consultation. The Heads of Bill were approved on 20 April 2021.


Continue Reading Government publishes legislation programme for Autumn 2021

The DPC recently fined WhatsApp €225m for failing to discharge its transparency obligations under the GDPR. The decision will have implications for all businesses, particularly regarding their privacy notices and transparency obligations. The decision sets out the DPC’s high expectations in regard to businesses’ transparency obligations. It also clarifies the relevance of the consolidated turnover

The finalised EDPB Guidelines on the concepts of controller and processor (07/2020) in the GDPR were published this week. The Guidelines set out the EDPB’s recommendations on what should be included in data processing contracts between controllers and processors, in order to ensure compliance with Article 28 GDPR. We have set out some key highlights of the Guidelines below.

Continue Reading EDPB provides guidance on requirements of data processing contracts

In addition to issuing new Standard Contractual Clauses (SCCs) for international transfers of personal data to a third country outside the EEA, the European Commission has also published the finalised Article 28 SCCs for use between controllers and processors.  The Article 28 SCCs came into force on 27 June 2021. Unlike the SCCs for international data transfers, it will not be mandatory to use the Article 28 SCCs.  Companies may therefore continue to negotiate their own individual contracts addressing the compulsory elements of Article 28(3) and (4) of the GDPR.

Continue Reading European Commission publishes finalised Article 28 SCCs

The Court of Justice of the European Union (CJEU) has confirmed the limited competence of a national supervisory authority, that is not the lead supervisory authority (LSA), to bring legal proceedings in their national courts for alleged infringements of the GDPR. The CJEU concluded that in cases of cross-border data processing, a national supervisory authority that is not the LSA has power to bring legal proceedings in its national courts, only if: (i) that power is exercised in one of the situations where the GDPR confers on that supervisory authority a competence to adopt a decision finding that such processing infringes the rules contained in the GDPR, and (ii) that power is exercised with due regard to the cooperation and consistency procedures laid down by the GDPR.

Continue Reading CJEU confirms limited derogations from the GDPR’s one-stop-shop mechanism

The Data Protection Commission (DPC) has published guidelines addressing the issue of what information employers can process in relation to their employees’ return to the workplace. In particular, the DPC considers the question as to whether employers can lawfully collect and process information about the Covid-19 vaccination status of their employees.

Information about a person’s vaccination status is special category personal data for the purposes of GDPR. It represents part of their personal health record, and is afforded additional protections under data protection law. The guidelines make it clear that the DPC does not consider there is any general legal basis for employers to request the vaccination status of their employees at this time.


Continue Reading DPC publishes Guidelines on collection of vaccination data of employees

​The EU Commission has formally adopted two UK adequacy decisions, one under the GDPR and the other under the Law Enforcement Directive (LED). This means that personal data can continue to flow freely from the EU to the UK, without putting in place additional safeguards, such as the Standard Contractual Clauses.

The adequacy decisions were adopted just two days before the interim solution agreed under the EU-UK Trade and Cooperation Agreement, permitting the free flow of data from the EU to the UK, was due to expire on 30 June 2021.


Continue Reading UK Adequacy Decisions adopted by European Commission

The European Commission has published its final Implementing Decision on new standard contractual clauses (SCCs) for the transfer of personal data to third countries.

The new SCCs have been expected for some time in order to address the entry into force of the GDPR and the requirements of that regime. The delay to the update was due partly to the European Court of Justice’s decision in Schrems II (C-311/18), and the need for the European Commission to reconcile the new SCCs with that decision. They also take into account the Joint Opinion (2/2021) of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) on the draft SCCs, as well as the EDPB’s draft recommendations on supplementary measures.


Continue Reading European Commission publishes finalised SCCs

The Data Protection Commission (DPC) has completed its ‘own volition’ inquiry into whether the Department of Employment Affairs and Social Protection interfered with the role of its Data Protection Officer (DPO).  The inquiry concerned the process leading to the amendment of the Department’s Privacy Statement on 6 July 2018. The DPC examined whether the Department’s DPO was involved in a proper and timely manner in the process (as required by Article 38(1) of the GDPR); and whether the DPO received instructions regarding the exercise of his tasks (contrary to Article 38(3) of the GDPR). The DPC concluded that the Department had not breached Articles 38(1) or 38(3) of the GDPR.

Continue Reading DPC completes statutory inquiry into suspected interference with role of DPO