The European Commission has adopted an adequacy decision on Japan, creating the world’s largest area of safe data flows. The decision means that EU organisations can transfer personal data to organisations in Japan without having to put in place a transfer mechanism laid down in Chapter 5 of the GDPR (such as the Commission’s standard contractual clauses or Binding Corporate Rules). Japan has adopted an equivalent decision, making it simpler for Japanese organisations to transfer personal data to the EU. The adequacy decision, as well as the equivalent decision on the Japanese side, came into force on 23 January 2019.
The Government has published its Legislation Programme for Spring 2019. Preparing for Brexit is the central feature of the Spring Legislation Programme (which covers the period January-March 2019). The Brexit omnibus bill, the Miscellaneous Provisions (Withdrawal of the United Kingdom from the European Union on 29 March 2019) Bill, is the primary item in the Spring Programme.
The Brexit omnibus bill comprises vital legislation across 17 elements that will need to be enacted prior to Brexit in the event of a no-deal Brexit. Part 17 of the proposed Bill will provide for amendments to the Data Protection Act 2018. While the possibility of introducing a number of Brexit-related bills was considered, the Government believes that a single standalone bill containing a number of parts is the most efficient and effective way of preparing for Brexit. In addition, the Government has stated that many of the provisions will be provided for through statutory instruments that will be ready for signing should they be required in the event of a no-deal Brexit.
While Brexit is the priority, the Government has indicated that work is continuing on other legislation across all Government departments and a number of bills that are at an advanced stage will be introduced in the coming weeks, and progressed alongside those currently on the Dáil Order Paper.
The Data Protection Commission (DPC) has issued guidance in relation to the transfer of personal data to and from the UK in the event of a ‘no deal’ Brexit. The DPC’s guidance is in line with the ‘no deal’ Brexit guidance published on 13 December 2018 by the UK Government (supplementing its September 2018 Technical Note) and by the UK Information Commissioner’s Office (ICO). Some highlights of the guidance issued by the Irish and UK regulators, and UK government, are set out below.
The European Commission has published its Report and Staff Working Document on the second annual review of the Privacy Shield. The Report concludes that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to the 3850 participating companies in the U.S. It notes that the steps taken by the U.S. authorities to implement the recommendations made by the Commission last year have improved the functioning of the framework.
However, the Commission expects the US authorities to nominate a permanent Ombudsperson by 28 February 2019 to replace the one that is currently acting. The Ombudsperson is an important mechanism that ensures complaints concerning access to personal data by U.S. authorities are addressed. If the Ombudsperson is not appointed by that date, the Commission will consider taking appropriate measures, in accordance with the GDPR.
The DPC has published guidance for drivers concerning their data protection responsibilities when using dash cams. Images and audio recordings captured by dash cams constitute ‘personal data’ insofar as they relate to an identifiable individual and are therefore subject to the GDPR and Data Protection Act 2018.
Actions to take
In order to comply with the GDPR, and in particular its transparency, purpose limitation, data minimisation, storage limitation and security requirements, as well as individuals’ access rights, the DPC recommends that drivers take the following actions:
- Ensure a clearly visible sign or sticker is placed on vehicles indicating that filming is taking place;
- Keep a policy sheet detailing your contact details, the basis on which you are collecting the images and audio of others (if applicable), the purposes for which the data is being used, how long you will retain it, etc. (in compliance with Articles 12 and 13 of the GDPR);
- Provide a copy of the policy sheet on request to anyone who asks for further information about your dash cam, or provide the information verbally;
- In the event of an accident, inform the other party that you have recorded footage of the accident;
- Only retain footage for as long as necessary, in regard to the purpose for which it was obtained. Footage of an accident may be required for a claim or investigation and can be retained for that purpose, but other footage should be routinely deleted;
- Store footage securely and limit access to it, and
- Provide individuals with access to any footage/audio recording their image/voice.
The Data Protection Commissioner (DPC) has published her final Annual Report covering the period of 1 January 2018 to 24 May 2018. The Report includes some interesting case studies, such as the prosecution of a company for sending marketing emails to work email addresses. It also discusses litigation to which the DPC was a party this year, including the case of Nowak v DPC, where the High Court followed the CJEU’s decision in YS v Minister voor Immigratie & Ors, finding that a controller exercises some discretion in regard to how to respond to an access request.
The European Data Protection Board (EDPB) has published the eagerly awaited draft Guidelines on the territorial scope of the GDPR. The 23-page Guidelines, which are open to public consultation until 18 January 2019, aim to help EU and non-EU established controllers and processors determine whether their processing operations fall within the scope of the GDPR, and ensure a consistent approach to the application of the GDPR. This note considers some of the EDPB’s key recommendations and examples of when the GDPR does or does not apply.
Following the EDPB’s Opinion last month, the Irish Data Protection Commission (DPC) has published a non-exhaustive list of processing operations requiring a Data Protection Impact Assessment (DPIA) to be carried out. The list encompasses both national and cross-border data processing operations. It should be read in conjunction with Article 35 of the GDPR and the WP29 DPIA Guidelines.
The UK Court of Appeal has dismissed an appeal against the High Court’s decision that Morrisons is vicariously liable to 5,000 employees for misuse of their personal data by a rogue employee.
The decision is causing shockwaves amongst businesses, as it shows that a company may be held vicariously liable for a data breach caused by an employee, even if the employee’s motive in committing the breach was to harm the company (Wm Morrisons Supermarkets Plc v Various Claimants EWCA Civ 2339).
The amount of compensation to be awarded has yet to be determined. The Court of Appeal acknowledged that data breaches caused by either corporate system failures or negligence by individuals acting in the course of their employment may lead to a large number of claims against companies for “potentially ruinous amounts”, and said that the solution is to insure against such catastrophes. In the court’s view, the availability of such insurance was a valid answer to the “Doomsday or Armageddon arguments” about the effect of its decision.
Although this is a UK decision, it will be of persuasive authority to the Irish courts if a similar action is brought here. It remains to be seen whether the decision will open the floodgates to vicarious liability actions being taken against companies for data breaches caused by employees. However, it is likely to be easier to take such actions, as the Irish Data Protection Act 2018 allows compensation to be awarded to data subjects for non-material loss, such as emotional distress. Morrisons has indicated that it intends to appeal the decision to the UK Supreme Court.
Earlier this year, the Irish Data Protection Commission (DPC) published a draft list of processing operations for which it considers it is mandatory to conduct a Data Protection Impact Assessment (DPIA). Following a public consultation, the DPC submitted its draft list to the European Data Protection Board (EDPB) for approval. The EDPB has now published an opinion on the DPC’s draft list. The DPC has two weeks to communicate to the EDPB whether it intends to amend its draft list or maintain it in its current form, and provide an explanation for its decision.