Photo of John Whelan

Last week MoneyConf firmly put Dublin in the Fintech spotlight. The pressure on financial services firms to make better use of technology to reduce costs and improve customer service shows no sign of relenting. At the same time, they need to carefully navigate the related regulatory challenges around technology outsourcing. A member of the ECB Supervisory Board recently observed that banks are not “technological houses” and said that the fragmentation of banks’ services across a range of external providers creates a “challenge” for banks’ leaders, who retain responsibility. This statement will resonate, in particular, with financial institutions looking to understand how much they are currently using, and how they can make more and better use of, cloud-based technology solutions.

Continue Reading European Banking Authority Recommendations on Outsourcing to Cloud Service Providers

Following the CJEU decision in the Schrems Case on 6 October 2015 invalidating the Safe Harbour regime, the Article 29 Working Party (the group comprised of representatives of European national data protection authorities (Article 29WP)) gave the EU and US a three month timeline in which to agree a political solution to replace Safe Harbour. Following intense negotiations, political agreement on the core elements of a new EU/US Privacy Shield was announced yesterday.


Continue Reading Safe Harbour will be replaced by an EU/US Privacy Shield – will it withstand Article 29 Working Party scrutiny?

The Department of Justice yesterday published the Criminal Justice (Offences Relating to Information Systems) Bill 2016. The Bill, which is long overdue, will replace some of the existing patchwork of cybercrime legislation.

The primary purpose of the Bill is to transpose European Directive 2013/40, or the Cybercrime Directive as it is more commonly known. The Cybercrime Directive is aimed at harmonising Member States’ criminal law in the area of cybercrime by creating minimum rules for the definition of cybercrime offences and the relevant sanctions, and at improving cooperation between competent authorities.


Continue Reading The Cybercrime Bill is here

Recent high profile security incidents illustrate that no institution or business is immune from cyber attack. A cyber attack on the White House in 2014 resulted in a partial shutdown of its email system. In a reported attempt to extort money from the ECB, email addresses and other user contact information were stolen in 2014. Confidential movie scripts and emails about staff and movie stars were released as part of the 2014 Sony hack. Already this year, the Carphone Warehouse security breach in early August and the more recent Ashley Madison hack have received extensive media coverage.


Continue Reading Cyber risk – the legal landscape

“The next big financial shock will arise from a succession of cyber-attacks on financial services firms.” 

This is the case according to the Chairman of the International Organisation of Securities Commission as cited by the Central Bank of Ireland’s Deputy Governor, Cyril Roux, during a recent address to the Society of Actuaries.


Continue Reading Cyber Security – The Next Big Financial Shock

Model Contracts are standard contractual clauses for the transfer of personal data outside the EU/EEA which have been approved by the European Commission.  They have been approved on the basis that they provide sufficient safeguards for privacy, fundamental rights and the exercise of those rights.  To date two sets of standard contractual clauses for the transfer of personal data outside the EU/EEA from data controllers to data controllers and one set for transfers from data controllers to data processors have been approved by the Commission.


Continue Reading Transfer Tools Post Schrems: EU Data Protection Authorities’ Common Position on Model Contracts

Those involved in technology deals express differing views on source code escrow. These views range from resignation that the supplier won’t agree to it, to the view that even if we do get it, it will only be available on the provided non-negotiable terms, to a fear that even if we could get our hands on the code, we wouldn’t know what to do with it. In our experience, the position is not quite as black and white on any of these points. There is an extra aspect to think about in relation to technology offerings which include software as a service, where traditional source code escrow may not always be appropriate. Public disputes on escrow arrangements are few and far between, which is why a recent English High Court case is worth a read. The decision in the case, Filmflex Movies Limited and Piksel Limited, can be accessed here.

Continue Reading Source Code Escrow – Case Law Developments

The political machinations continue at EU level, and predictions for publication of a final form Data Protection Regulation increasingly refer to 2016 as the likely date. But reading behind the headlines continues to be a useful exercise for corporates, who need to give real consideration now to what their regulatory landscape might look like in the not too distant future.

A key issue will be determining the place of “main establishment” which in turn will determine the appropriate lead authority.

If that isn’t clear, or there is disagreement, it is being proposed that an EU Data Protection Board (EDPB) would have power to make a binding determination.


Continue Reading Data Protection Reform – One Stop Shop Complexity

There has been much debate during 2014 about the effectiveness of the US Safe Harbour regime. Many EU commentators have queried its effectiveness, pointing in particular to the lack of enforcement over the years by the Federal Trade Commission (FTC), the body which effectively is charged with dealing with complaints that companies are not in compliance with their public representations of adherence to the Safe Harbour principles.

Continue Reading SnapChat Signs Up to 20 Years of Data Protection Audits