Photo of Davinia Brennan

Following the EDPB’s Opinion last month, the Irish Data Protection Commission (DPC) has published a non-exhaustive list of processing operations requiring a Data Protection Impact Assessment (DPIA) to be carried out. The list encompasses both national and cross-border data processing operations. It should be read in conjunction with Article 35 of the GDPR and the WP29 DPIA Guidelines.

Continue Reading Data Protection Commission confirms list of processing operations requiring a DPIA

The UK Court of Appeal has dismissed an appeal against the High Court’s decision that Morrisons is vicariously liable to 5,000 employees for misuse of their personal data by a rogue employee.

The decision is causing shockwaves amongst businesses, as it shows that a company may be held vicariously liable for a data breach caused by an employee, even if the employee’s motive in committing the breach was to harm the company (Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339).

The amount of compensation to be awarded has yet to be determined. The Court of Appeal acknowledged that data breaches caused by either corporate system failures or negligence by individuals acting in the course of their employment may lead to a large number of claims against companies for ”potentially ruinous amounts”, and said that the solution is to insure against such catastrophes. In the court’s view, the availability of such insurance was a valid answer to the “Doomsday or Armageddon arguments” about the effect of its decision.

Although this is a UK decision, it will be of persuasive authority to the Irish courts if a similar action is brought here. It remains to be seen whether the decision will open the floodgates to vicarious liability actions being taken against companies for data breaches caused by employees. However, it is likely to be easier to take such actions, as the Irish Data Protection Act 2018 allows compensation to be awarded to data subjects for non-material loss, such as emotional distress. Morrisons has indicated that it intends to appeal the decision to the UK Supreme Court.

Our blog on the High Court’s decision is available here.

Earlier this year, the Irish Data Protection Commission (DPC) published a draft list of processing operations for which it considers it is mandatory to conduct a Data Protection Impact Assessment (DPIA). Following a public consultation, the DPC submitted its draft list to the European Data Protection Board (EDPB) for approval.  The EDPB has now published an opinion on the DPC’s draft list.  The DPC has two weeks to communicate to the EDPB whether it intends to amend its draft list or maintain it in its current form, and provide an explanation for its decision.

Continue Reading EDPB publishes opinion on processing operations requiring a DPIA

The Irish Government has published its legislation programme for Autumn 2018.  The programme lists priority legislation for publication this Autumn, as well as legislation expected to undergo pre-legislative scrutiny. Listed below are the data protection, cyber-security and IP-related Bills coming down the track.

Priority Legislation

  • Communications (Retention of Data) Bill – This Bill will revise and replace the Communications (Retention of Data) Act 2011. The Heads of this Bill were published last October 2017, following publication of Mr Justice Murray’s Review of the Law on the Retention of and Access to Communications Data.  That Review concluded that many features of the 2011 Act are precluded by EU law. The 2011 Act requires telephone companies and ISPs to store everyone’s metadata for up to two years which, in Mr Justice Murray words, constitutes “a form of mass surveillance of virtually the entire population of the State”. Mr Justice Murray said that Irish legislation should be consonant with the limitations as to the proper scope of a system of communications data retention and disclosure laid down by the EU Court of Justice in a number of recent cases, including the Tele2 case. The Heads of the Bill are available here.

Continue Reading Priority Data Protection, Cyber-Security and IP Legislation for Autumn 2018

On 12 September 2018, the UK Deputy Information Commissioner, James Dipple-Johnstone, made a speech to the CBI Cyber Security: Business Insight Conference   in which he discussed recent data breach reporting trends in the UK.

The Deputy Commissioner noted that since the GDPR came into effect on 25 May 2018, the ICO has received approximately 500 calls per week to its breach reporting line. After a discussion with the ICO’s officers, roughly one third of these organisations decide that their breach does not meet the reporting threshold.  The Irish Data Protection Commission has also been reported as having received a massive increase in breach notifications since the introduction of the GDPR.

Continue Reading ICO receiving 500 breach notification calls a week

The European Parliament has adopted its position on the controversial proposed Copyright Directive, which includes a proposal for online content sharing service providers to remunerate artists (notably news publishers, journalists, musicians, performers and script authors) for their work when it is used by sharing platforms such as YouTube, Facebook or Twitter. The reform of EU copyright rules is part of the European Commission’s Digital Single Market Strategy. The Commission recognises that whilst online services provide ease of access to creative works and offer opportunities for creative industries to develop, it also generates challenges when copyright protected works are uploaded without prior authorisation from copyright holders.

Continue Reading European Parliament votes for tech giants to share revenue with artists and journalists

The Law Reform Commission has published an Issues Paper on Privilege for Reports of Court Proceedings under the Defamation Act 2009. The Paper examines and make recommendations on whether changes should be made to the Defamation Act 2009 relating to absolute privilege for reports of court proceedings. Section 17 of the Defamation Act 2009 currently provides that there is absolute privilege (i.e. complete immunity) from a defamation action where the claim is about a “fair and accurate report of proceedings” heard in any court in Ireland, Northern Ireland, or certain European and international courts.

Continue Reading Reports of court proceedings in blogs and social media may no longer be immune from defamation claims

New Regulations require organisations to obtain an individual’s explicit consent in advance of processing personal data for health research purposes.  The Regulations, known as the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (SI 314/2018), set out a number of mandatory suitable and specific safeguards to be put in place when processing personal data for health research purposes. The Regulations came into effect on 8 August 2018.

Continue Reading Explicit consent required to use personal data for health research purposes

The CJEU has ruled that an unauthorised reposting of a photograph on a website which is already publicly accessible, with the consent of the photographer and without restriction preventing it from being downloaded, on another website, can infringe the copyright rights of a photographer (Renckhoff, C-161/17). It is of little importance if, as in the present case, the copyright holder does not limit the ways in which the photograph may be used by internet users.

Continue Reading Reposting photograph freely accessible on another website requires reauthorisation of photographer

​New court rules were introduced on 1 August 2018 which will give members of the media permission to access court documents. These measures, which apply in both the civil and criminal courts, will formalise the media’s access to information. The rules give effect to Section 159 (7) of the Data Protection Act 2018 to facilitate fair and accurate reporting of court proceedings.

Read more