Photo of Davinia Brennan

In the past two days, the UK Information Commissioner’s Office (ICO) has issued (potential) GDPR fines of £183.39m and £99.2m on British Airways (BA) and Marriott International Inc., respectively. These are the first fines to be issued by the ICO under the GDPR, and the biggest fines issued by an EU Data Protection Authority (DPA) to date.  As the fines affected individuals in multiple Member States, the ‘one stop shop’ provisions in the GDPR apply, and the ICO has therefore been required to liaise with other EU DPAs.

The fines highlight the importance of companies ensuring that robust security measures are in place to  protect personal data and undertaking appropriate due diligence in corporate mergers and acquisitions. As the EU DPAs are encouraged to adopt a consistent approach to the imposition of administrative fines, the ICO’s fines serve as a warning to companies of the level of GDPR fines that may be imposed by the Irish Data Protection Commission for data breaches resulting from weak security measures.

The ICO does not routinely publish notices of intent to levy a penalty, however the ICO’s policy on “Communicating Regulatory Enforcement Activity” states that such notices may be published in certain circumstances, including where the matter is already in the public domain; there are financial market reporting obligations; or it is necessary for international regulatory cooperation. The ICO statements of intent to fine BA and Marriott were issued in response to an announcement by BA to the London Stock Exchange, and a filing by Marriott with the US Securities and Exchange Commission, that the ICO intended to fine them for breaches of data protection law.


Continue Reading

In the case of Eva Glawischnig-Piesczek v Facebook Ireland Ltd (Case C-18/18), the Advocate General (AG) of the Court of Justice (CJEU) was asked to clarify the scope of the obligation that may be imposed on a host provider to remove illegal information. Article 15(1) of the e-Commerce Directive 2000/31/EC (the Directive) prohibits Member States from imposing a general monitoring obligation on host providers, and the CJEU considered whether that provision precludes a court, in the context of an injunction to remove notified illegal content, from ordering a host provider to seek and identify identical or equivalent illegal content. The CJEU also considered the territorial scope of a removal obligation, and whether removal could be ordered on a worldwide basis.

In his Opinion, AG Szpunar concluded that a host provider may be ordered to remove not only notified illegal content, but to seek and identify among the information disseminated by any user of that platform, information ‘identical’ to that which has been characterised as illegal by a court. In addition, a host provider may be ordered to seek and identify information ‘equivalent’ to that characterised as illegal, but only among the information disseminated by the original user, and not by any user.  The AG also considered that since the Directive does not regulate the territorial scope of an obligation to remove information disseminated via a social network platform, it does not preclude a host provider from being ordered to remove such information on a worldwide basis. Whilst the AG’s Opinion is not binding on the CJEU, it will be of persuasive value.
Continue Reading

In Ryanair dac v SC Vola.ro srl [2019] IEHC 239 the Irish High Court confirmed the enforceability of a jurisdiction clause contained within a website’s Terms of Use, finding the user had agreed to it via a “click-wrap” agreement. Following previous Ryanair screen-scraping cases, the court held the click-wrap agreement met the requirements of Article

On 1 May 2019, Ms Helen Dixon, the Data Protection Commissioner (DPC), appeared before the US Senate Committee on Commerce, Science and Transportation.  She was invited to testify on Ireland’s implementation of the GDPR, as the US is considering introducing a federal data privacy framework. California has already passed a new data privacy law, the California Consumer Privacy Act, which is due to come into effect on 1 January 2020. This note sets out some of the highlights of the DPC’s testimony.
Continue Reading

As we approach the GDPR’s one-year anniversary, we are starting to see more enforcement activity by the EU Data Protection Authorities (DPAs) as they complete their initial investigations into data breaches. This blog looks at two recent fines issued by the Polish and Danish DPAs, which demonstrate the type of conduct likely to lead to enforcement activity.

Continue Reading

The EDPB has released new draft guidelines 2/2019 on the contractual necessity legal basis for processing personal data in the context of the provision of online services to data subjects. The guidelines emphasise the narrow scope of the contractual necessity legal basis. A controller must be able to demonstrate that the processing is ‘objectively necessary’ for a purpose that is ‘integral’ to the delivery of a contractual service to the data subject in order to rely on this legal basis. If a controller cannot demonstrate such necessity it must consider another legal basis for processing the personal data. This note considers the key highlights of the guidelines.

Continue Reading

On 3 April 2019, the Joint Committee on Justice and Equality met to discuss the implementation of the GDPR with Ms Anna Morgan (Deputy Commissioner), Ms Jennifer O’Sullivan (Deputy Commissioner), and Mr Cathal Ryan (Assistant Commissioner). The Commissioners discussed a range of issues, including the enforcement powers used by the Data Protection Commission (DPC) post-GDPR, the difficulties with verifying parental consent in relation to the provision of information society services to children, and the DPC’s experience of resolving data access requests by amicable resolution. This note highlights some of the Committee’s questions (in abbreviated form), and the responses given by the Commissioners.

Continue Reading

The UK has published an Online Harms White Paper, setting out its proposals for new online safety laws. Like the Irish Government’s proposals (discussed here), the UK proposals aim to make online platforms more responsible for users’ online safety, especially children and other vulnerable groups. The new laws will apply to any company that allows users to share or discover user-generated content or interact with each other online, including social media platforms, file hosting sites, public discussion forums, messaging services, and search engines. The 12-week consultation period on the new laws runs until 1 July 2019.

The UK consultation paper seeks views on a number of issues including:

  • the online services falling within the remit of the regulatory framework;
  • options for appointing an independent regulator responsible for enforcing the new framework;
  • the regulatory body’s enforcement powers;
  • potential redress mechanisms for online users; and
  • measures to ensure regulation is targeted and proportionate for the industry.


Continue Reading