Photo of Davinia Brennan

In the past two days, the UK Information Commissioner’s Office (ICO) has issued (potential) GDPR fines of £183.39m and £99.2m on British Airways (BA) and Marriott International Inc., respectively. These are the first fines to be issued by the ICO under the GDPR, and the biggest fines issued by an EU Data Protection Authority (DPA) to date.  As the fines affected individuals in multiple Member States, the ‘one stop shop’ provisions in the GDPR apply, and the ICO has therefore been required to liaise with other EU DPAs.

The fines highlight the importance of companies ensuring that robust security measures are in place to  protect personal data and undertaking appropriate due diligence in corporate mergers and acquisitions. As the EU DPAs are encouraged to adopt a consistent approach to the imposition of administrative fines, the ICO’s fines serve as a warning to companies of the level of GDPR fines that may be imposed by the Irish Data Protection Commission for data breaches resulting from weak security measures.

The ICO does not routinely publish notices of intent to levy a penalty, however the ICO’s policy on “Communicating Regulatory Enforcement Activity” states that such notices may be published in certain circumstances, including where the matter is already in the public domain; there are financial market reporting obligations; or it is necessary for international regulatory cooperation. The ICO statements of intent to fine BA and Marriott were issued in response to an announcement by BA to the London Stock Exchange, and a filing by Marriott with the US Securities and Exchange Commission, that the ICO intended to fine them for breaches of data protection law.

Continue Reading ICO announces biggest GDPR fines to date

Photo of Davinia Brennan

In the case of Eva Glawischnig-Piesczek v Facebook Ireland Ltd (Case C-18/18), the Advocate General (AG) of the Court of Justice (CJEU) was asked to clarify the scope of the obligation that may be imposed on a host provider to remove illegal information. Article 15(1) of the e-Commerce Directive 2000/31/EC (the Directive) prohibits Member States from imposing a general monitoring obligation on host providers, and the CJEU considered whether that provision precludes a court, in the context of an injunction to remove notified illegal content, from ordering a host provider to seek and identify identical or equivalent illegal content. The CJEU also considered the territorial scope of a removal obligation, and whether removal could be ordered on a worldwide basis.

In his Opinion, AG Szpunar concluded that a host provider may be ordered to remove not only notified illegal content, but to seek and identify among the information disseminated by any user of that platform, information ‘identical’ to that which has been characterised as illegal by a court. In addition, a host provider may be ordered to seek and identify information ‘equivalent’ to that characterised as illegal, but only among the information disseminated by the original user, and not by any user.  The AG also considered that since the Directive does not regulate the territorial scope of an obligation to remove information disseminated via a social network platform, it does not preclude a host provider from being ordered to remove such information on a worldwide basis. Whilst the AG’s Opinion is not binding on the CJEU, it will be of persuasive value. Continue Reading Advocate General delivers significant Opinion on scope of host providers’ obligation to remove illegal content

Photo of Jessica Morris

​The DPC has released new CCTV Guidance to assist owners and occupiers of premises to understand their data protection obligations when using CCTV. Data controllers should already be aware that footage or images containing identifiable individuals captured by CCTV is personal data and therefore data protection laws apply.

Continue Reading Guidance on the Use of CCTV for Data Controllers

Photo of Steven Craig

A recent survey of regional data protection authorities in Germany has revealed 75 cases of reported personal data breaches since the GDPR came into effect on 25 May 2018. As a result, German authorities have imposed punitive fines totalling €449,000.

Germany differs from Ireland as the responsibility for monitoring and ensuring compliance with the GDPR and national data protection laws is delegated to each of the 16 German states, with each state possessing its own authority. A committee consisting of representatives from each regional authority (the ‘Data Protection Conference’) has also been appointed to ensure that a consistent approach is taken throughout the states.

So far, fines have been imposed in six of the sixteen federal states. The highest fines have been reported in the Baden-Wurttemberg region (€203, 000 across seven cases), Rhineland-Palatinate region (€124,000 across nine cases) and Berlin (€105,600 across eighteen cases). Examples of commonly reported GDPR violations include inadequate technical or organisational security measures (e.g. storing user password in non-encrypted form), non-compliance with information duties (e.g. lack of transparency around processing activities) and unauthorized marketing e-mails.

Continue Reading German data protection authorities issue fines in 75 cases for GDPR breaches

Photo of Rebecca Townsend

The European Commission’s High Level Expert Group on Artificial Intelligence has released a new set of guidelines for ensuring that AI is “trustworthy”, following a public consultation with feedback from over 500 contributors.

The updated guidelines set out the EU’s guidance for assisting developers and deployers in achieving “trustworthy AI”, maximizing the benefits and minimizing the risks associated with this emerging area of technology.

Following its European strategy on AI (published in April 2018), the guidelines were drafted by an independent expert group, comprising of 52 representatives from academia, industry and society.

Continue Reading Future of Technology: EU guidelines for developing ethical AI

Photo of Jaymee Cronolly

The Information Commissioner’s Office (ICO) has launched a consultation on a code of practice for online services to ensure they adequately safeguard children’s personal data. This follows on from the UK consultation for new online safety laws (discussed here). The Irish government has also recently launched guidance in relation to online safety (discussed here). The UK Data Protection Act (DPA) 2018 also requires the ICO to produce an age-appropriate design code of practice to give guidance to organisations about the privacy standards they should adopt when offering online services and apps that children are likely to access and which will process their personal data. Continue Reading ICO launches consultation on Code of Practice to help protect children online

Photo of Daniel Jackson

On 17 April 2018, the European Commission proposed new rules in the form of a Regulation and an accompanying Directive, which aim to improve law enforcement authorities’ cross-border access to e-evidence.

The proposed Regulation on European Production and Preservation Orders enables a judicial authority in a Member State to obtain electronic evidence in criminal matters directly from a service provider in another Member State. The Directive complements the Regulation, as it sets out the rules for the appointment of service providers’ legal representatives, whose role is to receive and respond to judicial orders. The new rules will ensure swift access to e-evidence, with service providers being required to respond to judicial orders within 10 days and in emergency cases within 6 hours, compared to 10 months under the current Mutual Legal Assistance process.

Continue Reading European Council reaches position on proposed e-evidence Directive

Photo of Matthew McGrogan

On 17 April 2019, the European Parliament approved a new Regulation on platform-to-business trading practices. It requires online platforms and online search engines to comply with certain legal obligations and also encourages them to take voluntary complimentary steps. The Regulation aims to ensure that businesses using online intermediation services and general online search engines have greater certainty and clarity with respect to the rules governing their relationships with these platforms and how to resolve potential disputes.

The text adopted by the European Parliament has not yet been formally approved by the Council of the EU. Once approved, the Regulation will enter into force 12 months after its publication in the Official Journal.

Continue Reading European Parliament agrees new rules to improve fairness of online platforms

Photo of Davinia Brennan

In Ryanair dac v SC Vola.ro srl [2019] IEHC 239 the Irish High Court confirmed the enforceability of a jurisdiction clause contained within a website’s Terms of Use, finding the user had agreed to it via a “click-wrap” agreement. Following previous Ryanair screen-scraping cases, the court held the click-wrap agreement met the requirements of Article 25(1) (c) of the Brussels I Recast Regulation (EU 1215/2012) (the Regulation). The court rejected the defendant’s arguments that there had been no assent to the Terms of Use, and the jurisdiction clause, because there was an element of “auto-ticking” by the Ryanair system as distinct from manual ticking by the user.

Read More

Photo of Davinia Brennan

On 1 May 2019, Ms Helen Dixon, the Data Protection Commissioner (DPC), appeared before the US Senate Committee on Commerce, Science and Transportation.  She was invited to testify on Ireland’s implementation of the GDPR, as the US is considering introducing a federal data privacy framework. California has already passed a new data privacy law, the California Consumer Privacy Act, which is due to come into effect on 1 January 2020. This note sets out some of the highlights of the DPC’s testimony. Continue Reading DPC testifies before US Senate Committee on GDPR implementation