Speaking at A&L Goodbody’s breakfast seminar, ‘GDPR – The Last Lap‘, Anna Morgan, Deputy Data Protection Commissioner, has warned that companies who ‘over-report’ and adopt an overly conservative approach to the GDPR’s breach notification requirements may risk enforcement action from the Data Protection Commission (DPC).
Following on from Davinia’s post last week, we have now prepared an update that covers the key aspects of the Data Protection Bill 2018 of most relevance to businesses that are in the process of preparing for the GDPR.
The Government has published the eagerly awaited Data Protection Bill 2018 to give effect to the GDPR (2016/679) and to provide, in the limited areas permitted, for national derogations. The Bill repeals the Data Protection Acts 1988 and 2003 (the Acts), except for those provisions relating to the processing of personal data for the purposes of national security, defence and the international relations of the State. It also provides for similar restrictions on individuals’ rights to those which currently exist under section 5 and 8 of the Acts, such as in regard to data processed for the prevention, detection, investigation and prosecution of criminal offences; or for the exercise or defence of legal claims.
The GDPR does not impose any criminal sanctions on controllers or processors for contravening its provisions, but leaves it to Member States to do so, and the Bill provides for a number of offences. Unsurprisingly, the Bill proposes that enforced access requests; unauthorised disclosure of personal data by a processor or by an employee or agent of the processor; and disclosure of personal data obtained without authority will continue to constitute offences post-May 2018 . These offences will be punishable by a fine of up to €50,000 and/or up to 5 years’ imprisonment. The Bill also proposes the continuation of personal criminal liability for directors, managers, secretaries, or other officers of a company, for offences committed by a company, which are proved to have been committed with the consent or connivance of, or to be attributable to any neglect of such persons.
The Minister for Communications, Denis Naughten, has confirmed that plans to appoint a Digital Safety Commissioner for Ireland (DSC) will go ahead in 2018. The DSC will act as an ‘Internet regulator’, with powers of enforcement and responsibility for a ‘notice and takedown’ regime, to ensure the online safety of Internet users.
The proposal for a DSC is contained in a Report from the Law Reform Commission (LRC) on Harmful Communications and Digital Safety, which also contains a draft legislative proposal. The LRC has recommended that the scope of regulation by the DSC should include all ‘digital service undertakings’, which would be defined very broadly to cover intermediary service providers, internet service providers, internet intermediaries, online intermediaries, online service providers, search engines, social media platforms and websites and telecommunications undertakings.
The DSC mechanism is partially inspired by the systems in place in Australia and New Zealand, which have specific timelines linked to the obligation to unlawful material, with removal generally being required within 48 hours. In Ireland, under the current LRC proposals, the DSC will be mandated to develop a national Code of Practice for Take Down procedure, which would contain detailed and practical guidance on the procedure for ‘takedowns’, a requirement that the takedown procedure is made available free of charge and timelines within which offending materials should be removed.
It should be noted that the Australian and New Zealand regimes were implemented on a somewhat blank legislative canvas. Any proposal in Ireland must be compliant with the overarching requirements of the eCommerce Directive (which does not contain mandatory timelines, but requires internet intermediaries to ‘act expeditiously’ or risk losing its legal immunity). It remains to be seen whether an additional layer of Irish regulation on tech and Internet companies would have any impact on Ireland’s international reputation as an attractive place to do business.
An Taoiseach Leo Varadkar had previously indicated that Government plans to appoint a DSC were ‘on hold’, however, he has since clarified that he may have ‘mis-spoken’.
The Department of Communications has organised an open digital safety forum on March 8 at the Royal Hospital Kilmainham involving Gardaí, Interpol, NGOs, state bodies and parents groups. We await further detail on this proposal.
With just over 100 days until the GDPR comes into force, the European Commission has launched GDPR guidance and a new online tool to help businesses to prepare for their new data protection legal obligations. The Commission has also called on national governments to prepare for the new rules. Although the GDPR is directly applicable across the EU from 25 May 2018, Member States need to take steps to implement national legislation to adapt existing laws, and provide for any derogations from the GDPR.
So far only two Member States, namely Germany and Austria, have adopted the relevant national legislation. The remaining Member States are at different stages in their legislative procedures (State of play available here). When adapting their national legislation, Member States are prohibited from repeating the text of the GDPR, unless such repetitions are strictly necessary. The Commission warns Member States that it is important to give businesses enough time to prepare for all the provisions that they have to comply with.
In Susquehanna International Group Ltd v Needham  IEHC 706, the Irish High Court considered the novel question of whether a court could order a person to make a data access request in aid of making discovery of documents. Ultimately, the High Court held that it could compel a party making discovery to make a data access request in order to obtain documents which were within its power, where that request was not oppressive or disproportionate.
The European Commission (EC) has issued a notice reminding stakeholders that due to the UK’s intention to leave the EU, they will be considered a ‘third country’ for the purposes of data transfers from 10 March 2019 (available here).
Data transfers to third countries outside the EEA are prohibited unless the European Commission has issued an adequacy decision approving that third country as providing an adequate level of protection, or the controller or processor has put in place appropriate safeguards, such as the standard data protection clauses (otherwise known as the ‘Model Clauses’) or binding corporate rules for intra-group data transfers, or one of the other derogations apply. The GDPR also provides for additional transfer mechanisms, including approved codes of conduct and certification mechanisms whereby a controller or processor located in the third country makes binding and enforceable data protection commitments.
The EC notes that a potential outcome of the negotiations on the UK’s withdrawal from the EU, is that the UK could achieve an adequacy decision by the EC, which would allow personal data to flow from an EU data exporter to the UK without any additional safeguards being implemented. The UK Data Protection Minister, Matt Hancock, has reportedly stated that an adequacy decision is one of his aims in the Brexit negotiations, but it is too soon to tell whether this is achievable.
The EC has announced that it has set up stakeholder group consisting of industry, civil society and academics, which will discuss this topic in further detail. The EC has published a position paper on the use of data and protection of information obtained or processed before the withdrawal date which is available here.
In its recent Report on the Privacy Shield, the Article 29 Working Party (WP29) recognised the progress of the Privacy Shield in comparison with the invalidated Safe Harbour, and the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield. However, the WP29 identified a number of concerns. Like the European Commission (EC), in its first annual review of the EU-US Privacy Shield, the WP29 called for the appointment of a permanent Privacy Shield Ombudsperson (and further explanation of the rules of procedure including by declassification), and filling the remaining positions on the Privacy and Civil Liberties Oversight Board (PCLOB). The WP29 requested these concerns to be prioritised and addressed prior to 25 May 2018, when the GDPR comes into force.
The WP29 further called for clear guidance on the Privacy Shield Principles, HR data and onward transfers, and increased supervision of compliance with the Privacy Shield principles. The US authorities are also requested to clearly distinguish the status of processors from that of controllers both at the time of their self-certification and at the time of further check. The WP29 demands these remaining issues to be resolved, at the latest, at the time of the next annual review of the Privacy Shield. If no remedies are brought to address the concerns raised by the WP29 within these time frames, the WP29 warned it will bring the Privacy Shield adequacy decision to the national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
The EU Court of Justice (CJEU) has ruled that a supplier of luxury goods can, by contract, prohibit its authorised distributors from selling those goods on third-party internet platforms such as Amazon. The CJEU held that such a prohibition is appropriate; does not in principle go beyond what is necessary to preserve the luxury image of the goods; and is not necessarily an unlawful restriction of competition (Coty Germany GmbH v Parfümerie Akzente GmbH (Case C-230/16)).
The EU Court of Justice (CJEU) has ruled that a candidate’s exam script is “personal data”, as it constitutes information that is linked to him or her. The CJEU held that the use of the expression “any information” in the definition of the concept of personal data in the Data Protection Directive 95/46/EC (the Directive) reflects the aim of the EU legislature to assign a wide scope to the concept, potentially encompassing all kinds of information provided that it relates to the data subject. As the GDPR contains a similar definition of “personal data” to that in the Directive, namely “any information relating to an identified or identifiable natural person”, the CJEU’s broad interpretation of the concept of personal data will continue to apply post-25 May 2018 when the GDPR comes into force.