In Susquehanna International Group Ltd v Needham  IEHC 706, the Irish High Court considered the novel question of whether a court could order a person to make a data access request in aid of making discovery of documents. Ultimately, the High Court held that it could compel a party making discovery to make a data access request in order to obtain documents which were within its power, where that request was not oppressive or disproportionate.
The European Commission (EC) has issued a notice reminding stakeholders that, due to the UK’s intention to leave the EU, the UK will be considered a ‘third country’ for the purposes of data transfers from 10 March 2019.
Data transfers to third countries outside the EEA are prohibited unless the European Commission has issued an adequacy decision approving that third country as providing an adequate level of protection, or the controller or processor has put in place appropriate safeguards, such as the standard data protection clauses (otherwise known as the ‘Model Clauses’) or binding corporate rules for intra-group data transfers, or one of the other derogations applies. The GDPR also provides for additional transfer mechanisms, including approved codes of conduct and certification mechanisms whereby a controller or processor located in the third country makes binding and enforceable data protection commitments.
The EC notes that a potential outcome of the negotiations on the UK’s withdrawal from the EU is that the UK could achieve an adequacy decision by the EC, which would allow personal data to flow from an EU data exporter to the UK without any additional safeguards being implemented. The UK Data Protection Minister, Matt Hancock, has reportedly stated that an adequacy decision is one of his aims in the Brexit negotiations, but it is too soon to tell whether this is achievable.
The EC has announced that it has set up a stakeholder group consisting of industry, civil society and academics, which will discuss this topic in further detail. The EC has published a position paper on the use of data and protection of information obtained or processed before the withdrawal date.
In its recent Report on the Privacy Shield, the Article 29 Working Party (WP29) recognised the progress of the Privacy Shield in comparison with the invalidated Safe Harbour, and the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield. However, the WP29 identified a number of concerns. Like the European Commission (EC), in its first annual review of the EU-US Privacy Shield, the WP29 called for the appointment of a permanent Privacy Shield Ombudsperson (and further explanation of the rules of procedure including by declassification), and filling the remaining positions on the Privacy and Civil Liberties Oversight Board (PCLOB). The WP29 requested that these concerns be prioritised and addressed prior to 25 May 2018, when the GDPR comes into force.
The WP29 further called for clear guidance on the Privacy Shield Principles, HR data and onward transfers, and increased supervision of compliance with the Privacy Shield principles. The US authorities are also requested to clearly distinguish the status of processors from that of controllers both at the time of their self-certification and at the time of further check. The WP29 demands that these remaining issues be resolved, at the latest, at the time of the next annual review of the Privacy Shield. If no remedies are brought to address the concerns raised by the WP29 within these time frames, the WP29 warned it will bring the Privacy Shield adequacy decision to the national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
The EU Court of Justice (CJEU) has ruled that a supplier of luxury goods can, by contract, prohibit its authorised distributors from selling those goods on third-party internet platforms such as Amazon. The CJEU held that such a prohibition is appropriate; does not in principle go beyond what is necessary to preserve the luxury image of the goods; and is not necessarily an unlawful restriction of competition (Coty Germany GmbH v Parfümerie Akzente GmbH (Case C-230/16)).
The EU Court of Justice (CJEU) has ruled that a candidate’s exam script is “personal data”, as it constitutes information that is linked to him or her. The CJEU held that the use of the expression “any information” in the definition of the concept of personal data in the Data Protection Directive 95/46/EC (the Directive) reflects the aim of the EU legislature to assign a wide scope to the concept, potentially encompassing all kinds of information provided that it relates to the data subject. As the GDPR contains a similar definition of “personal data” to that in the Directive, namely “any information relating to an identified or identifiable natural person”, the CJEU’s broad interpretation of the concept of personal data will continue to apply post-25 May 2018 when the GDPR comes into force.
The Article 29 Working Party (WP29) has published Guidelines on Administrative Fines. While the GDPR gives national supervisory authorities discretion in deciding which corrective measure to impose and, if a fine, the level of that fine, the guidelines emphasise the need for supervisory authorities across the EU to work together to achieve consistent enforcement of the data protection rules. The WP29 recommends the creation of a sub-group attached to the European Data Protection Board to support this ongoing activity.
The UK High Court recently found supermarket chain Morrisons vicariously liable for the actions of an ex-employee who leaked payroll data of almost 100,000 employees. The claim was brought by 5,518 employees of Morrisons. This is an important decision as it is the first class-action case for a personal data breach in the UK, and demonstrates how an employer can be liable for an employee’s data breach.
On 12 December, 2017, the Article 29 Working Party (WP29) published its Guidelines on Transparency. The guidance should assist controllers in understanding the obligation of transparency concerning the processing of personal data under the GDPR. The schedule to the guidance contains a list of the mandatory transparency information that must be provided to a data subject, and this note focuses on the WP29’s recommendations in regard to the provision of that information to data subjects.
A&L Goodbody has launched a new GDPR Ireland App. The App is an essential resource for businesses who will have to comply with increased data protection obligations under the GDPR. The easy to navigate App provides guidance on the substantial changes introduced by the GDPR, and links to regulatory guidance. The A&L Goodbody GDPR Ireland App is part of a suite of GDPR resources which have been developed by the Firm over the past year. We will be keeping the App up-to-date with developments at Irish and European level.
The App is free to download to iPhone and iPad from the Apple store.
On 12 December, 2017, the Article 29 Working Party (WP29) published its Guidelines on Consent under the GDPR. Consent is one of the lawful grounds on which personal data processing may be based. The guidance considers the extent to which the GDPR requires controllers to change their consent requests/forms.