Photo of Davinia Brennan

In its recent Report on the Privacy Shield, the Article 29 Working Party (WP29) recognised the progress of the Privacy Shield in comparison with the invalidated Safe Harbour, and the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield. However, the WP29 identified a number of concerns. Like the European Commission (EC) in its first annual review of the EU-US Privacy Shield, the WP29 called for the appointment of a permanent Privacy Shield Ombudsperson (and further explanation of the rules of procedure, including by declassification), and for the remaining positions on the Privacy and Civil Liberties Oversight Board (PCLOB) to be filled. The WP29 requested that these concerns be prioritised and addressed prior to 25 May 2018, when the GDPR comes into force.

The WP29 further called for clear guidance on the Privacy Shield Principles, HR data and onward transfers, and increased supervision of compliance with the Privacy Shield Principles. The US authorities are also requested to clearly distinguish the status of processors from that of controllers, both at the time of their self-certification and at the time of a further check. The WP29 demands that these remaining issues be resolved, at the latest, at the time of the next annual review of the Privacy Shield. If no remedies are brought to address the concerns raised by the WP29 within these time frames, the WP29 warned it will bring the Privacy Shield adequacy decision to the national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.

Continue Reading What’s the current status of the Privacy Shield?

Photo of Davinia Brennan

The EU Court of Justice (CJEU) has ruled that a supplier of luxury goods can, by contract, prohibit its authorised distributors from selling those goods on third-party internet platforms such as Amazon. The CJEU held that such a prohibition is appropriate; does not in principle go beyond what is necessary to preserve the luxury image of the goods; and is not necessarily an unlawful restriction of competition (Coty Germany GmbH v Parfümerie Akzente GmbH (Case C-230/16)).

Continue Reading CJEU rules suppliers of luxury brands can lawfully prohibit resale via third party internet platforms

Photo of Davinia Brennan

The EU Court of Justice (CJEU) has ruled that a candidate’s exam script is “personal data”, as it constitutes information that is linked to him or her. The CJEU held that the use of the expression “any information” in the definition of the concept of personal data in the Data Protection Directive 95/46/EC (the Directive) reflects the aim of the EU legislature to assign a wide scope to the concept, potentially encompassing all kinds of information provided that it relates to the data subject. As the GDPR contains a similar definition of “personal data” to that in the Directive, namely “any information relating to an identified or identifiable natural person”, the CJEU’s broad interpretation of the concept of personal data will continue to apply post-25 May 2018 when the GDPR comes into force.

Continue Reading The expanding scope of ‘personal data’ – CJEU delivers judgment in Nowak

Photo of Davinia Brennan

The Article 29 Working Party (WP29) has published Guidelines on Administrative Fines. While the GDPR gives national supervisory authorities discretion in deciding which corrective measure to impose and, if a fine, the level of that fine, the guidelines emphasise the need for supervisory authorities across the EU to work together to achieve consistent enforcement of the data protection rules. The WP29 recommends the creation of a sub-group attached to the European Data Protection Board to support this ongoing activity.


Photo of Davinia Brennan

The UK High Court recently found supermarket chain Morrisons vicariously liable for the actions of an ex-employee who leaked payroll data of almost 100,000 employees. The claim was brought by 5,518 employees of Morrisons. This is an important decision as it is the first class-action case for a personal data breach in the UK, and demonstrates how an employer can be liable for an employee’s data breach.

Continue Reading UK High Court rules on class action claim for data breach

Photo of Davinia Brennan

On 12 December 2017, the Article 29 Working Party (WP29) published its Guidelines on Transparency. The guidance should assist controllers in understanding the obligation of transparency concerning the processing of personal data under the GDPR. The schedule to the guidance contains a list of the mandatory transparency information that must be provided to a data subject, and this note focuses on the WP29’s recommendations in regard to the provision of that information to data subjects.


Photo of Davinia Brennan

A&L Goodbody has launched a new GDPR Ireland App. The App is an essential resource for businesses that will have to comply with increased data protection obligations under the GDPR. The easy-to-navigate App provides guidance on the substantial changes introduced by the GDPR, and links to regulatory guidance. The A&L Goodbody GDPR Ireland App is part of a suite of GDPR resources which have been developed by the Firm over the past year. We will be keeping the App up-to-date with developments at Irish and European level.

The App is free to download to iPhone and iPad from the Apple store.

To view our GDPR resources, visit our dedicated GDPR site.

Photo of Eoghan O'Keeffe

Heading into the Christmas period, festive shoppers may notice an increasing number of retailers are offering receipts via email (e-receipts) rather than the traditional paper docket. Providing a receipt through email has a number of advantages for retailers and consumers. There is the obvious environmental benefit and it provides an easier means for customers to store and find receipts than an over-stuffed wallet.

However, new guidance from the Data Protection Commissioner (DPC) has stressed the need for retailers to ensure that customers who provide their details for the purpose of receiving e-receipts are fully informed of, and consent to, how that data may be used. Of central concern is the retailers’ use of email addresses for subsequent direct marketing.

Continue Reading DPC publishes guidance on e-receipts

Photo of Vladimir Rakhmanin

The new Consumer Protection Cooperation Regulation (CPC) was passed on 14 November 2017, with the goal of providing enforcement authorities with additional powers to combat unlawful online practices. The CPC will also help harmonise consumer protection law across the EU. While the CPC is sure to aid compliance, it remains to be seen how far-reaching some of the powers will become, in particular, the website-blocking power referred to below.

Continue Reading Consumer Protection Cooperation Regulation introduced to combat unlawful online practices