Cyber Risk & Data Privacy

Subscribe to Cyber Risk & Data Privacy via RSS

The UK High Court recently found supermarket chain Morrisons vicariously liable for the actions of an ex-employee who leaked payroll data of almost 100,000 employees. The claim was brought by 5,518 employees of Morrisons. This is an important decision as it is the first class-action case for a personal data breach in the UK, and demonstrates how an employer can be liable for an employee’s data breach.
Continue Reading UK High Court rules on class action claim for data breach

On 12 December, 2017, the Article 29 Working Party (WP29) published its Guidelines on Transparency. The guidance should assist controllers in understanding the obligation of transparency concerning the processing of personal data under the GDPR. The schedule to the guidance contains a list of the mandatory transparency information that must be provided to a data subject, and this note focuses on the WP29’s recommendations in regard to the provision of that information to data subjects.

Go to publication
Continue Reading WP29 publishes Guidelines on Transparency

A&L Goodbody has launched a new GDPR Ireland App.  The App is an essential resource for businesses who will have to comply with increased data protection obligations under the GDPR. The easy to navigate App provides guidance on the substantial changes introduced by the GDPR, and links to regulatory guidance. The A&L Goodbody GDPR Ireland App is part of a suite of GDPR resources which have been developed by the Firm over the past year.  We will be keeping the App up-to-date with developments at Irish and European level.

The App is free to download to iPhone and iPad from
Continue Reading A&L Goodbody launches new GDPR Ireland App

The Government has published its legislation programme for Autumn 2017.  The programme lists priority legislation, legislation due to undergo pre-legislative scrutiny, and all other legislation it is working on. Listed below are the data protection, cyber-security and IP-related Bills coming down the track.

Priority legislation

  • Data Protection Bill – This Bill will give effect to and provide for derogations from the GDPR, and transpose the Law Enforcement Directive (2016/680). The Heads of Bill were published in May 2017, and pre-legislative scrutiny was completed on July 2017.  The legislation programme lists the Bill as “priority legislation for publication” this Autumn, but there is no indication as to when exactly the Bill is expected to be finalised and start its passage through the Oireachtas. See our blog post on the Heads of Bill here.

Continue Reading Data Protection, Cyber-Security & IP legislation coming down the track

The Data Protection Commissioner (DPC) has called for submissions on issues of Transparency and International Data Transfers under the GDPR. The submissions received by the DPC from its consultation will be shared with the Article 29 Working Party (WP29), at its third Fablab in Brussels on 18 October 2017 to inform the preparation of new guidelines on transparency under the GDPR and the updating of existing guidelines on international data transfers.
Continue Reading DPC consultation on international transfers & transparency under the GDPR

The EU Council has proposed amendments to the draft ePrivacy Regulation (the Regulation). The Presidency points out that work on the text will be incremental and this is only its first redraft.

Proposed amendments include:

Scope – The Presidency clarifies the precise material and territorial scope of the Regulation, as including:

  • the processing of electronic communications content in transmission, and of electronic communications metadata carried out in connection with the provision of electronic communications services to end-users in the EU;
  • information related to, processed by, or stored in the terminal equipment of end users located in the EU;
  • the placing on the market of software permitting electronic communications, including the retrieval and presentation of information on the internet;
  • the offering of a publicly available directory of end-users of electronic communications services located in the EU, and
  • the sending or presenting of direct marketing communications to end users located in the EU.

Continue Reading EU Council proposes revisions to the draft ePrivacy Regulation

The U.S. Federal Trade Commission (FTC) announced on 8 September that three U.S. companies have agreed to settle FTC charges that they misled consumers, by falsely claiming they were certified to participate in the Privacy Shield. In separate complaints, the FTC alleges, all three companies failed to complete the certification process for the Shield.  As part of their settlements with the FTC, the three companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization, and must comply with FTC reporting requirements. The actions against the three companies are the first cases the FTC has brought to enforce the Shield, which was adopted last July 2016.
Continue Reading Three U.S. companies charged for falsely claiming compliance with Privacy Shield

Employee monitoring versus privacy rights is back in the spotlight due to today’s decision by the Grand Chamber of the European Court of Human Rights (ECHR) in Bărbulescu v. Romania.  The Grand Chamber held there had been a violation of Article 8 of the European Convention on Human Rights, where an employer monitored and accessed personal emails sent by an employee during work hours from his Yahoo Messenger account, using a company computer, without notifying the employee in advance of such monitoring.
Continue Reading ECHR rules employees must receive prior notice of email monitoring