Photo of Charlotte Turk

The UK Information Commissioner’s Office (ICO) has amended its guidance on the time limit for responding to a subject access request (SAR).

Under Article 12 GDPR, a data controller must respond to a SAR “without undue delay and in any event within one month of receipt of the request.” This can be extended by a further two months if the request is complex or a number of requests have been made by the data subject.

Continue Reading ICO clarifies time limit for responding to subject access requests

Photo of Davinia Brennan

The Oireachtas Committee on Justice and Equality is seeking  written submissions from stakeholders on the issues of online harassment, harmful communications and related offences. The invitation follows an announcement last May 2019, that the Government intends to draft, on a priority basis, amendments to the Harassment, Harmful Communications and Related Offences Bill 2017 .  That Bill is based on a 2016 Report by the Law Reform Commission, which recommended reform and consolidation of criminal law offences concerning harmful communications, and the establishment of Digital Safety Commissioner to oversee national digital safety standards and take-down procedures for harmful digital communications.

Continue Reading Government seeks submissions on online harassment

Photo of Caoimhe Bourke

On Friday 16 August 2019, the Data Protection Commission (DPC) published its findings on certain aspects of the Public Services Card (PSC). The DPC found that seven out of eight of its findings were adverse to the positions advanced by the Department of Employment and Social Protection (DEASP) and that there is and has been non-compliance with the applicable provisions of data protection law.

Continue Reading DPC Publishes Statement on the Public Services Card

Photo of Steven Craig

On 29 July 2019, the Court of Justice of the European Union (CJEU) held​ that Red Bull’s signature blue and silver colour trademarks were invalid. This followed an earlier decision by the General Court of the European Union in 2017 which found that the graphic representation and description of the two colours were not sufficiently precise.

The threshold for successfully registering a trademark consisting of a single colour or combination of colours has been set purposefully high, in order to avoid situations where a large company is able to effectively monopolise a particular colour within a particular class of goods or services. A company seeking to register a colour trademark must demonstrate that their mark has acquired distinctiveness, and be able to describe it in a sufficiently clear and precise manner.

Continue Reading European Court declares Red Bull’s colour trademarks invalid

Photo of Davinia Brennan

In the Fashion ID case (C-40/17) , the Court of Justice of the European Union (CJEU) found that the operator of a website that features a plug-in (such as a Facebook ‘Like’ button), can be considered a joint controller with the plug-in provider, in respect of the collection and transmission to that plug-in provider of the personal data of visitors to its website. However the website operator will not be a joint controller or liable for any subsequent processing of the personal data by the plug-in provider.

The CJEU also held that the website operator  is responsible for obtaining consent from website visitors for the collection and transmission of their personal data and providing notice to visitors about the use and disclosure of their personal data.

Although the case was decided under the the Data Protection Directive 95/46/EC (the Directive), it will continue to be relevant under the GDPR, since the relevant definitions and obligations continue to apply under the new regime. The decision will have an impact not only on website operators that embed social plug-ins, but to any website operator that uses cookies to collect and transmit personal data of their visitors to third parties, such as AdTech providers.

Continue Reading A website operator embedding a Facebook ‘Like’ button is a joint controller with Facebook

Photo of Davinia Brennan

In Amazon EU Case C-649/17, the Court of Justice of the European Union (CJEU) held that the Consumer Rights (CR) Directive 2011/83/EU does not require an e-commerce platform to make a telephone number available to consumers before the conclusion of a contract. It is sufficient for traders, when concluding distance contracts with consumers, to use other means of communications, such as online chat services or telephone call-back, as long as consumers have a means of contacting traders quickly and efficiently.

Continue Reading E-Commerce platforms not obliged to make telephone number available to consumers

Photo of Daniel Jackson

On 26 June 2019, the Copyright and Other Intellectual Property Law Provisions Act 2019 (the 2019 Act) was signed into law. The Act amends the Copyright and Related Rights Act 2000 and modernises Irish copyright law in accordance with the Report of the Copyright Review Committee on Modernising Copyright, published in October 2013. The Act also recognises exceptions to copyright permitted by the Information Society Directive 2001/29/EC. The Copyright and Related Rights Acts 2000 and 2007, along with Part 2 and Schedules 1 and 2 of the 2019 Act may be cited together as the Copyright and Related Rights Acts 2000 to 2019.

Continue Reading Government signs the Copyright and Other Intellectual Property Law Provisions Act 2019 into law

Photo of Davinia Brennan

In the past two days, the UK Information Commissioner’s Office (ICO) has issued (potential) GDPR fines of £183.39m and £99.2m on British Airways (BA) and Marriott International Inc., respectively. These are the first fines to be issued by the ICO under the GDPR, and the biggest fines issued by an EU Data Protection Authority (DPA) to date.  As the fines affected individuals in multiple Member States, the ‘one stop shop’ provisions in the GDPR apply, and the ICO has therefore been required to liaise with other EU DPAs.

The fines highlight the importance of companies ensuring that robust security measures are in place to  protect personal data and undertaking appropriate due diligence in corporate mergers and acquisitions. As the EU DPAs are encouraged to adopt a consistent approach to the imposition of administrative fines, the ICO’s fines serve as a warning to companies of the level of GDPR fines that may be imposed by the Irish Data Protection Commission for data breaches resulting from weak security measures.

The ICO does not routinely publish notices of intent to levy a penalty, however the ICO’s policy on “Communicating Regulatory Enforcement Activity” states that such notices may be published in certain circumstances, including where the matter is already in the public domain; there are financial market reporting obligations; or it is necessary for international regulatory cooperation. The ICO statements of intent to fine BA and Marriott were issued in response to an announcement by BA to the London Stock Exchange, and a filing by Marriott with the US Securities and Exchange Commission, that the ICO intended to fine them for breaches of data protection law.

Continue Reading ICO announces biggest GDPR fines to date

Photo of Davinia Brennan

In the case of Eva Glawischnig-Piesczek v Facebook Ireland Ltd (Case C-18/18), the Advocate General (AG) of the Court of Justice (CJEU) was asked to clarify the scope of the obligation that may be imposed on a host provider to remove illegal information. Article 15(1) of the e-Commerce Directive 2000/31/EC (the Directive) prohibits Member States from imposing a general monitoring obligation on host providers, and the CJEU considered whether that provision precludes a court, in the context of an injunction to remove notified illegal content, from ordering a host provider to seek and identify identical or equivalent illegal content. The CJEU also considered the territorial scope of a removal obligation, and whether removal could be ordered on a worldwide basis.

In his Opinion, AG Szpunar concluded that a host provider may be ordered to remove not only notified illegal content, but to seek and identify among the information disseminated by any user of that platform, information ‘identical’ to that which has been characterised as illegal by a court. In addition, a host provider may be ordered to seek and identify information ‘equivalent’ to that characterised as illegal, but only among the information disseminated by the original user, and not by any user.  The AG also considered that since the Directive does not regulate the territorial scope of an obligation to remove information disseminated via a social network platform, it does not preclude a host provider from being ordered to remove such information on a worldwide basis. Whilst the AG’s Opinion is not binding on the CJEU, it will be of persuasive value. Continue Reading Advocate General delivers significant Opinion on scope of host providers’ obligation to remove illegal content