Photo of Matthew McGrogan

On 17 April 2019, the European Parliament approved a new Regulation on platform-to-business trading practices. It requires online platforms and online search engines to comply with certain legal obligations and also encourages them to take voluntary complimentary steps. The Regulation aims to ensure that businesses using online intermediation services and general online search engines have greater certainty and clarity with respect to the rules governing their relationships with these platforms and how to resolve potential disputes.

The text adopted by the European Parliament has not yet been formally approved by the Council of the EU. Once approved, the Regulation will enter into force 12 months after its publication in the Official Journal.

Continue Reading European Parliament agrees new rules to improve fairness of online platforms

Photo of Davinia Brennan

In Ryanair dac v SC srl [2019] IEHC 239 the Irish High Court confirmed the enforceability of a jurisdiction clause contained within a website’s Terms of Use, finding the user had agreed to it via a “click-wrap” agreement. Following previous Ryanair screen-scraping cases, the court held the click-wrap agreement met the requirements of Article 25(1) (c) of the Brussels I Recast Regulation (EU 1215/2012) (the Regulation). The court rejected the defendant’s arguments that there had been no assent to the Terms of Use, and the jurisdiction clause, because there was an element of “auto-ticking” by the Ryanair system as distinct from manual ticking by the user.

Read More

Photo of Davinia Brennan

On 1 May 2019, Ms Helen Dixon, the Data Protection Commissioner (DPC), appeared before the US Senate Committee on Commerce, Science and Transportation.  She was invited to testify on Ireland’s implementation of the GDPR, as the US is considering introducing a federal data privacy framework. California has already passed a new data privacy law, the California Consumer Privacy Act, which is due to come into effect on 1 January 2020. This note sets out some of the highlights of the DPC’s testimony. Continue Reading DPC testifies before US Senate Committee on GDPR implementation

Photo of Davinia Brennan

As we approach the GDPR’s one-year anniversary, we are starting to see more enforcement activity by the EU Data Protection Authorities (DPAs) as they complete their initial investigations into data breaches. This blog looks at two recent fines issued by the Polish and Danish DPAs, which demonstrate the type of conduct likely to lead to enforcement activity.

Continue Reading GDPR enforcement action – Polish & Danish DPAs issue their first fines

Photo of Davinia Brennan

The UK Supreme Court has granted supermarket chain Morrisons permission to appeal against a landmark UK Court of Appeal ruling that found it vicariously liable for a deliberate data breach carried out by a former employee (previously discussed here).

Continue Reading UK Supreme Court grants Morrisons permission to appeal class action data breach

Photo of Davinia Brennan

The EDPB has released new draft guidelines 2/2019 on the contractual necessity legal basis for processing personal data in the context of the provision of online services to data subjects. The guidelines emphasise the narrow scope of the contractual necessity legal basis. A controller must be able to demonstrate that the processing is ‘objectively necessary’ for a purpose that is ‘integral’ to the delivery of a contractual service to the data subject in order to rely on this legal basis. If a controller cannot demonstrate such necessity it must consider another legal basis for processing the personal data. This note considers the key highlights of the guidelines.

Continue Reading EDPB issues draft guidelines on the contractual necessity legal basis in the context of online services

Photo of Davinia Brennan

On 3 April 2019, the Joint Committee on Justice and Equality met to discuss the implementation of the GDPR with Ms Anna Morgan (Deputy Commissioner), Ms Jennifer O’Sullivan (Deputy Commissioner), and Mr Cathal Ryan (Assistant Commissioner). The Commissioners discussed a range of issues, including the enforcement powers used by the Data Protection Commission (DPC) post-GDPR, the difficulties with verifying parental consent in relation to the provision of information society services to children, and the DPC’s experience of resolving data access requests by amicable resolution. This note highlights some of the Committee’s questions (in abbreviated form), and the responses given by the Commissioners.

Continue Reading Deputy Data Protection Commissioners discuss GDPR implementation with Oireachtas Committee

Photo of Davinia Brennan

The UK has published an Online Harms White Paper, setting out its proposals for new online safety laws. Like the Irish Government’s proposals (discussed here), the UK proposals aim to make online platforms more responsible for users’ online safety, especially children and other vulnerable groups. The new laws will apply to any company that allows users to share or discover user-generated content or interact with each other online, including social media platforms, file hosting sites, public discussion forums, messaging services, and search engines. The 12-week consultation period on the new laws runs until 1 July 2019.

The UK consultation paper seeks views on a number of issues including:

  • the online services falling within the remit of the regulatory framework;
  • options for appointing an independent regulator responsible for enforcing the new framework;
  • the regulatory body’s enforcement powers;
  • potential redress mechanisms for online users; and
  • measures to ensure regulation is targeted and proportionate for the industry.

Continue Reading UK proposes new online safety laws

Photo of Davinia Brennan

The Government Chief Whip, Seán Kyne TD, has published the Government’s legislation programme for Summer 2019.  The updated programme follows on from the special programme launched in January 2019 which focused on Brexit. We have set out below the key data protection and technology-related legislation coming down the tracks.

Priority Legislation

  • Communications (Retention of Data) Bill –  This Bill will repeal and replace the Communications (Retention of Data) Act 2011 which requires data generated by mobile phones to be retained by telecommunications service providers for two years, and allows An Garda Síochána and certain other State agencies to access such data for criminal investigative purposes. The Heads of Bill were published last October 2017, following publication of Mr Justice Murray’s Review of the Law on the Retention of and Access to Communications Data, which found that many features of the 2011 Act are precluded by EU law. The Irish High Court also recently held, in Dwyer v Commissioner of An Garda Siochána [2018] IEHC 685; [2019] IEHC 48, that certain sections of the 2011 act are incompatible with EU law.

Continue Reading Government publishes legislation programme for Summer 2019

Photo of Davinia Brennan

The EDPB has published its first review of the implementation of the GDPR, in particular the functioning of the cooperation and consistency mechanism. The GDPR requires EU Data Protection Supervisory Authorities (SAs) to cooperate in order to provide a consistent application of the GDPR. The EDPB concludes that nine months after the entry into force of the GDPR, the cooperation and consistency mechanism is working well. All one-stop-shop cases have so far been resolved smoothly, with no cross-border case being escalated to the EDPB for dispute resolution purposes.

To support the cooperation and consistency mechanism, the EDPB have customised an existing IT system, the Internal Market Information System (IMI), in order to provide a structured and confidential way for SAs to share information.

Some of the highlights of the review are set out below.

Continue Reading EDPB publishes review of GDPR cooperation and consistency mechanism