Photo of Davinia Brennan

The Government has published its legislation programme for Autumn 2020. The programme includes: 30 priority Bills; 50 Bills that are expected to undergo pre-legislative scrutiny; 87 Bills where preparatory work is underway, and 14 Bills which are currently before the Oireachtas.

Key Bills of relevance to the data protection, commercial and technology sector include:

Priority Legislation 

  • Withdrawal of the United Kingdom from the European Union (Consequential Provisions) Bill – This Bill will provide for the legislative needs that will arise at the end of the Brexit transition period.

Bills expected to undergo pre-legislative scrutiny  

  • Online Safety and Media Regulation Bill – This Bill will provide for the establishment of a Media Commission (including an Online Safety Commissioner), the dissolution of the Broadcasting Authority of Ireland, a regulatory framework to tackle harmful online content, and implementation of the revised Audiovisual Media Services (AVMS) Directive 2018/1808. The general scheme of the Bill was published in January 2020, and the  legislative programme indicates that further heads are in preparation. Member States are expected to implement the AVMS Directive in national law by 19 September 2020, so Ireland will miss this deadline.
  • Consumer Rights Bill– This Bill will give effect to EU Directive 770/2019 on consumer contracts for the supply of digital content and digital services, EU Directive 771/2019 on consumer contracts for the sale of goods, and to update and consolidate the statutory provisions on consumer rights and remedies in relation to contracts for the supply of non-digital services, unfair contract terms, and information and cancellation rights.


Continue Reading Government publishes Legislation Programme for Autumn 2020

On 7 September 2020, the European Data Protection Board (EDPB) issued draft guidelines on the concepts of controller and processor. The concepts play a crucial role in the application of the GDPR, as they determine who will be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice.

The concepts have not changed compared to the Data Protection Directive 95/46/EC (now repealed) and the general criteria for how to attribute the different roles remain the same. However, the EDPB acknowledges the necessity of providing clarification on these concepts under the GDPR.  Since the entry into force of the GDPR, many questions have arisen in relation to the implications of the concept of joint controllership (under Article 26 GDPR), and the specific obligations for processors (under Article 28 GDPR). The guidelines replace the previous Opinion of the Article 29 Working Party on the concepts of controller and processor (Opinion 1/2010).

In part I, the guidelines discuss the definitions of the concepts of controller, joint controllers, processor, and third party/recipient. Part II considers the consequences that are attached to the different roles. The guidelines also contain helpful examples of the circumstances when an entity is a controller, joint controller or processor.


Continue Reading EDPB publishes draft guidelines on the concepts of controller and processor

The Irish Court of Appeal has held that while the definition of “personal data” is very broad, to interpret a document as constituting personal data for the sole reason that it was generated as a result of a complaint made by the data subject, would be to “overstretch” the concept of personal data.  In a related judgment, the Court found that the data subject was entitled only to a “copy of his personal data, and not the data in its “original form.

Continue Reading Court of Appeal warns against “overstretching” the concept of personal data

On the 23 July 2020, the European Data Protection Board (EDPB) adopted FAQs on the Schrems II judgment. The FAQs provide answers to questions received by EU data protection authorities (DPAs) and will be developed and complemented by the EDPB in due course.

In brief, the EDPB clarifies:

  • No grace period – The Court of Justice of the European Union (CJEU) has invalidated the Privacy Shield with immediate effect. The judgment does not provide any grace period during which companies can keep transferring personal data to the US without assessing the legal basis for the transfer.
  • Use of SCCs for EEA-US transfers – US law (i.e. Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not you can transfer personal data to the US based on the Standard Contractual Clauses (SCCs) will depend on the result of your adequacy assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures, along with SCCs, would have to ensure that US law does not impinge on the adequate level of protection they guarantee.


Continue Reading EDPB publish FAQs on Schrems II

In recent weeks, employers have been busy implementing the recommendations set out in the Government’s Return to Work Safely Protocol, in preparation for employees returning to the workplace.  Somewhat surprisingly, the Protocol makes no reference to the need to comply with data protection law, yet the measures recommended by the Protocol involve the processing personal

​The register of one-stop-shop decisions is now live on the EDPB website. It contains access to summaries and final decisions adopted by the Lead Supervisory Authorities (LSAs), working together with other concerned authorities. The decisions concern a range of data protection compliance issues, in particular, data subject rights; lawfulness of processing, data breaches, security, and transparency requirements. In many cases, the LSAs concluded there was no violation of the GDPR. In the event there was a violation, the LSAs, for the most part, issued reprimands or compliance orders, rather than fines.

Continue Reading EDPB’s register of one-stop-shop decisions now live

The Data Protection Commission (DPC) has published a two year Regulatory Activities Report, which reviews the range of its regulatory tasks from 25 May 2018 to 25 May 2020.

​The Report notes that the purpose of the two-year assessment is “to provide a wider-angled lens through which to assess the work of the DPC since the implementation of the GDPR; in particular, to examine wider datasets and annual trends to see what patterns can be identified.” 


Continue Reading DPC publishes Regulatory Activities Report for 2018-2020

The threat to global health caused by Covid-19 has led to unprecedented collaboration from the global scientific research community to urgently develop a vaccine. Given the prevalence of data sharing and open science, combined with the sensitive nature of the data involved, data protection concerns have quickly emerged.

The GDPR provides special rules for processing health data for scientific research purposes that are also applicable in the context of the Covid-19 pandemic. The European Data Protection Board (EDPB) recently published Guidelines 03/2020 on the processing of data concerning health for scientific research purposes in the context of Covid-19. The EDPB acknowledges the challenges faced by researchers operating with urgency, and using health data that is not always obtained directly from the data subject for the specific purpose of scientific research. The guidelines provide clarity on issues such as: the legal basis for processing health data; data subjects’ rights, and how health data can be lawfully transferred to a third country outside the EEA for scientific research purposes connected to the Covid-19 pandemic.


Continue Reading EDPB publishes guidelines on processing health data for Covid-19 research

The Data Protection Commission (DPC) has issued its first fine under the GDPR.  Tusla, the child and family state agency, has been fined €75,000 for three data breaches.  It has been reported that the DPC has filed papers in the Circuit Court, in order for the court to confirm the fine. The purpose of this confirmation mechanism, which is required by the Data Protection Act (DPA) 2018, is to ensure that the DPC’s decision to impose a fine has due regard to fair procedures and constitutional justice.

Continue Reading Irish Data Protection Commission issues first GDPR fine

The Annual Report of the Data Protection Commission (DPC) for 2019 reveals some interesting trends and statistics. The DPC received a record 7,215 complaints in 2019 (75% more than in 2018).  At least 40% of the DPC’s resources were devoted to the handling of individual complaints (as opposed to large-scale and more systemic