In a much anticipated judgment, the Irish High Court yesterday decided to ask the Court of Justice of the European Union (CJEU) to rule on the validity of Standard Contractual Clauses (SCCs).
Continue Reading Schrems II – Data transfers questioned again
The European Commission has published its draft e-Privacy Regulation which, if adopted, will replace the existing e-Privacy Directive. The Regulation broadens the scope of the Directive, enhances the confidentiality of communications, and simplifies the rules on cookies and unsolicited electronic marketing.
Scope
The Regulation expands the scope of the e-Privacy Directive, which only applies to traditional telecoms providers. It is proposed that the Regulation will apply to any business that provides any form of online communication service, so all internet based voice and messaging services, will be subject to the new rules. The Regulation calls these providers “over-the-top communications service providers”. So Skype, WhatsApp, Facebook Messenger, Gmail, Viber and so forth, will all come within the Regulation’s remit. This will ensure that these services guarantee the same level of confidentiality of communications as traditional telecoms operators.
January 28th was European Data Protection Day and we marked the event by attending the 9th Annual Data Protection Conference which was held in the Aviva Conference Centre.
The two-day conference featured interactive workshops on the first day on ‘Privacy by Design’ and ‘Conducting a Data Protection Audit’. The second day included a line-up of notable speakers who spoke on topics related to the theme of the conference; “GDPR – It’s here, what’s next”. Dara Murphy, Minister of State for European Affairs, EU Digital Single Market and Data Protection spoke about his department’s work in preparing for GDPR and the importance of having a strong, well-resourced Office of the Data Protection Commissioner (ODPC). The Minister also announced plans for a data summit in June this year.
A&L Goodbody’s Claire Morrissey presented on “Legal Aspects of the GDPR” and took part in a lively Q&A session. Claire highlighted some of the key changes that the GDPR will bring including the need to demonstrate compliance, the new right of data portability, the new security reporting obligations and the ability for individuals to recover financial and non-financial loss (such as damages for distress or embarrassment in the event of inadvertent disclosure of personal data). She also offered some practical tips for ways in which businesses can prepare for the GDPR (some of which are available here).
The Office of the Data Protection Commissioner (the ODPC) has released a guidance note on connected toys (the Guidance Note). The Guidance Note highlights the possible data protection issues that might occur when children and parents use toys with microphones and cameras that have an ability to connect to the internet.
The ODPC warns of certain potential issues with the personification of connected toys, in particular dolls. Some of these toys provide an interactive experience by reacting to selected words. This may give the impression of an emotional response to what the child says or does. In some instances, these toys are enabled to collect and record these “conversations” between the child and the connected toy on apps, smartphones or tablets. The ODPC cautions that some of these connected toys’ terms and conditions allow these potentially sensitive recordings to be shared with other companies and used for the basis of targeted advertising.
The Article 29 Working Party (WP29) has released its Action Plan for 2017, setting out its priorities and objectives in the context of implementation of the EU GDPR for the year ahead. It has committed to finalize its work on topics undertaken in 2016 including guidelines on:
The Article 29 Working Party has issued a press release and three sets of guidelines and FAQs on implementation of some key issues under the GDPR:
It welcomes any comments from stakeholders on the guidelines until end January 2017. Guidelines on Data Privacy Impact Assessments and Certification are promised for 2017.
The guidance provides some interesting insights and should help organisations to comply with their new obligations under the GDPR. The guidelines on the Lead Supervisory Authority highlight that there will be more than one lead supervisory authority, where a company carries out several cross-border activities and the decisions on the means and purposes of processing are taken in different establishments. This means that companies will have to consider organising decision-making powers in respect of personal data processing activities in a single location, in order to avail of the “one-stop shop” mechanism.
Continue Reading GDPR guidance on Data Portability, DPOs & Lead Supervisory Authority
The ODPC has published guidance, The GDPR and You – Preparing for 2018, to help organisations prepare for the GDPR. It contains a checklist to provide companies with a practical starting point to ensure full compliance by May 2018. It is important for organisations to start taking steps to prepare now, to ensure that
On 19 October 2016, the CJEU ruled, in Breyer v Bundesrepublik Deutschland (Case C-582/14), that dynamic IP addresses may constitute “personal data” under the Data Protection Directive, where a website operator has the legal means of identifying the visitor by use of additional information held about him/her by the ISP. The decision confirms the stance taken by the Scarlet Extended (Case C-70/10) (at para. 51), where the CJEU essentially held that IP addresses are “personal data” because they allow those users to be precisely identified. However, that finding by the CJEU related to the situation in which the collection and identification of the IP addresses of internet users is carried out by ISPs.
Continue Reading CJEU rules IP addresses may constitute personal data
On 5th October 2016, our IP & Technology team hosted a seminar on the new EU General Data Regulation (GDPR), which takes effect from 25 May 2018. The Data Protection Commissioner, Helen Dixon, gave a keynote address at the event, which was followed by commentary from our IP and Technology Partners, John Whelan,
On 13 September 2016, the Central Bank of Ireland (the CBI) published new guidance on IT risk management and cybersecurity for financial service firms. Publication of the Guidance follows the CBI’s previous actions in relation to cyber risks in the funds, insurance and banking sectors (see previous blog here). The CBI acknowledges that IT plays an integral part in the supply of financial services and calls on Boards and Senior Management of regulated firms to recognise the ever increasing incidences of cyber-attacks and business interruptions. It requests such firms to acknowledge their responsibilities in this regard and prioritise IT security. This responsibility involves establishing and maintaining a resilient IT strategy, while ensuring that it aligns with the firm’s general business strategy. It states that a robust oversight and engagement on IT matters at the Board and Senior Management level promotes an IT and security risk aware culture within the firm.
Continue Reading The Central Bank of Ireland publishes new Cross Industry Guidance on IT and Cybersecurity Risks