The General Data Protection Regulation (GDPR) will automatically come into force across the EU on 25 May 2018. As the deadline fast approaches, Member States are busy progressing their draft implementing legislation. Article 23 of the GDPR provides Member States with discretion over how certain provisions will apply. These proposed derogations to the GDPR have been a focus point for many commentators on the draft national legislation.
The European Commission (EC) has opened an online public consultation on the targeted revision of EU consumer law (the Consultation). The Consultation follows the EC’s publication of the results of its Fitness Check on consumer and marketing law and of the evaluation of the Consumer Rights Directive (Directive 2011/83/EU) (the CRD).
The UK Information Commissioner’s Office (the ICO) has ruled that Virgin Trains East Coast (Virgin) did not break data protection law when it published CCTV images of the UK’s Labour party leader, Jeremy Corbyn. Virgin released the footage last year following Mr Corbyn’s comments that a Virgin train he was travelling on from London to Newcastle was “ram-packed”. The footage shows Mr Corbyn walking past empty seats.
Following its investigation, the ICO found that Virgin had a “legitimate interest” to release the footage of Mr Corbyn: “namely correcting what it deemed to be misleading news reports that were potentially damaging to its reputation and commercial interests”. The ICO acknowledged that Virgin could not have achieved this without publishing Mr Corbyn’s image.
The ICO did find, however, that Virgin breached the law when it published images of other passengers on the same service. It stated that Virgin should have taken better care to obscure the faces of other passengers on the train. Publication of their images was unfair and a breach of the first principle of the UK Data Protection Act that personal data shall be processed fairly and lawfully.
The ICO stopped short of formal regulatory action against Virgin to reflect “the exceptional circumstances of the breach”. It noted that it was “a one-off incident, and the people identified were unlikely to suffer serious distress or detriment”. However, the ICO did stress that Virgin “has not been let off the hook” and will strengthen its data protection training and policies and ensure it has easy access to pixelation services should the need arise again.
The Office of the Data Protection Commissioner (the ODPC) has released a guidance note on connected toys (the Guidance Note). The Guidance Note highlights the possible data protection issues that might occur when children and parents use toys with microphones and cameras that have an ability to connect to the internet.
The ODPC warns of certain potential issues with the personification of connected toys, in particular dolls. Some of these toys provide an interactive experience by reacting to selected words. This may give the impression of an emotional response to what the child says or does. In some instances, these toys are enabled to collect and record these “conversations” between the child and the connected toy on apps, smartphones or tablets. The ODPC cautions that some of these connected toys’ terms and conditions allow these potentially sensitive recordings to be shared with other companies and used as the basis for targeted advertising.
On 13 September 2016, the Central Bank of Ireland (the CBI) published new guidance on IT risk management and cybersecurity for financial service firms. Publication of the Guidance follows the CBI’s previous actions in relation to cyber risks in the funds, insurance and banking sectors (see previous blog here). The CBI acknowledges that IT plays an integral part in the supply of financial services and calls on Boards and Senior Management of regulated firms to recognise the ever-increasing incidence of cyber-attacks and business interruptions. It requests such firms to acknowledge their responsibilities in this regard and prioritise IT security. This responsibility involves establishing and maintaining a resilient IT strategy, while ensuring that it aligns with the firm’s general business strategy. It states that robust oversight and engagement on IT matters at the Board and Senior Management level promotes an IT and security risk-aware culture within the firm.
Following the Brexit Referendum and the uncertainty now surrounding the future of data flows between the UK and the remaining EEA States, the UK Information Commissioner’s Office has published an update on its blog: “GDPR still relevant for the UK”. The update emphasises the importance of the GDPR to many organisations in the UK and notes:
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to explain our view that reform of UK data protection law remains necessary.”
For further guidance and analysis on the impact of Brexit for businesses and investors in both Ireland and Northern Ireland, please see our website here.
The Office of the Data Protection Commissioner (ODPC) has contacted Dublin City Council in relation to its data protection concerns surrounding the City Council’s new anti-litter poster initiative. As part of the initiative the City Council had erected a billboard in the north inner city featuring CCTV images of 12 people who appear to be engaging in illegal dumping around the Amiens Street-Five Lamps area. Although the faces were slightly blurred due to the quality of the CCTV footage, the City Council stated that the people would be able to identify themselves from the images, as most likely would their neighbours.
Due to the personal data element of the CCTV images, it is reported that the ODPC has been in contact with the City Council to advise them that the processing of personal data must be done fairly and proportionally and must not be overly prejudicial to a person’s right to privacy.
In advance of the forthcoming Dáil elections, the Office of the Data Protection Commissioner (ODPC) has issued guidance to candidates for election and their representatives on canvassing, data protection and electronic marketing (the Guidance). Publication of the Guidance follows the ODPC’s previous efforts to boost awareness of individuals’ privacy rights in this area (see previous blog here).
The Guidance includes an overview of the provisions in relation to unsolicited marketing and cookie use as contained in the EC (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. 336 of 2011). It also emphasises the use of clear and prominent Privacy Statements on websites and database compliance with the 8 Data Protection Principles.
In its ongoing effort to raise awareness of individuals’ privacy rights, the Office of the Data Protection Commissioner (ODPC) has published a press release on its website on the "Electoral Register and ‘Opting Out’ of the Edited Register".
Every year, the Department of the Environment, Community and Local Government encourages individuals to register to vote or to check that their details are up to date on the Electoral Register in advance of the 25 November deadline. In line with publicising such rights, the ODPC wishes to draw attention to the Edited Electoral Register and how it relates to direct marketing.
On 14 September 2015, Minister of State for International Financial Services Simon Harris TD launched the FPAI, a new trade association founded to further the interests of stakeholders involved in the rapidly evolving Irish FinTech sector.
FinTech (financial technology) is the term used to describe any technology applied to financial services. Across the broad spectrum of FinTech products available, everyday examples include mobile banking, peer to peer lending, digital currency (e.g. Bitcoin), crowdfunding (e.g. Kickstarter) and online payments systems (e.g. Stripe).