Recent high-profile security incidents illustrate that no institution or business is immune from cyber attack. A cyber attack on the White House in 2014 resulted in a partial shutdown of its email system. In a reported attempt to extort money from the ECB, email addresses and other user contact information were stolen in 2014. Confidential movie scripts and emails about staff and movie stars were released as part of the 2014 Sony hack. Already this year, the Carphone Warehouse security breach in early August and the more recent Ashley Madison hack have received extensive media coverage.
Cyber Risk & Data Privacy
Cyber Security – The Next Big Financial Shock
“The next big financial shock will arise from a succession of cyber-attacks on financial services firms.”
This is the case according to the Chairman of the International Organisation of Securities Commission as cited by the Central Bank of Ireland’s Deputy Governor, Cyril Roux, during a recent address to the Society of Actuaries.
Transfer Tools Post Schrems: EU Data Protection Authorities’ Common Position on Model Contracts
Model Contracts are standard contractual clauses for the transfer of personal data outside the EU/EEA which have been approved by the European Commission. They have been approved on the basis that they provide sufficient safeguards for privacy, fundamental rights and the exercise of those rights. To date two sets of standard contractual clauses for the transfer of personal data outside the EU/EEA from data controllers to data controllers and one set for transfers from data controllers to data processors have been approved by the Commission.
Government announces €1.2m increase in funding for the Office of the Data Protection Commissioner
The Office of the Data Protection Commissioner is to get a €1.2m increase in funding for 2016. Minister for European Affairs and Data Protection, Dara Murphy, announced the measure under Budget 2016, and said that the increased resources are being provided to "ensure that Ireland continues to have an excellent regulatory and enforcement regime for data protection, and that we are fully equipped to adapt to the ever-increasing pace of change in the digital economy".
Data in Disarray: The Aftermath of the Safe Harbour Decision
As has been reported widely in the world media, the Court of Justice of the European Union (CJEU) this week declared the EU-US Safe Harbour regime to be invalid. The decision has understandably given rise to a lot of concern among European businesses that transfer data to the US.
In this blog post, we seek to answer the main questions that are being asked following the CJEU ruling.
CJEU declares Safe Harbour invalid
The Court of Justice of the European Union (CJEU) has today declared that the Commission Decision 2000/520/EC (the Safe Harbour Decision) is invalid. This means that companies can no longer rely on Safe Harbour certification in order to legitimise the transfer of personal data from the EU to the US. Impacted companies will need to put alternative arrangements in place immediately to legitimise their transfers of personal data to the US, such as the Model Contractual Clauses or Binding Corporate Rules (BCRs).
The decision also means that the Data Protection Commissioner (the DPC) must now examine Mr Schrems’ complaint and decide whether, pursuant to the Data Protection Directive 95/46/EC, transfer of the data of Facebook’s European subscribers to the US should be suspended on the ground that that country does not afford an adequate level of protection of personal data.
Safe Harbour in Danger?
The Advocate General, Yves Bot, of the Court of Justice of the European Union (CJEU) last week delivered his opinion in the Maximillian Schrems v Data Protection Commissioner Case, C‑362/14 (the Opinion). The Opinion, which is advisory in nature, recommends that the Safe Harbour programme be invalidated and that the Irish Data Protection Commissioner (the DPC) be empowered to carry out a full investigation as to the adequacy of protection afforded to the personal data of Facebook’s EU users.
GPEN Privacy Sweep 2015 raises Concerns over Children’s Apps
The Office of the Data Protection Commissioner (ODPC) participated in the third Global Privacy Enforcement Network (GPEN) Privacy “Sweep” (the Sweep) which took place between 11th and 15th May 2015. The aim of the Sweep was to examine the data privacy practices of websites and apps aimed at or popular among children.
EU-US Umbrella Agreement finalised
European Union negotiations with the US government for an international data protection framework agreement in the law enforcement area have been finalised. The "Umbrella Agreement" provides that personal data transferred between EU and US law enforcement authorities, such as names, addresses, and criminal records, can only be shared for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism. It must not be used for further incompatible purposes. In cases where a US authority intends to transfer the data further, to a third country or international organisation, it will first have to obtain the consent of the law enforcement authority in the EU which originally transferred the data to the US.
Court refuses to grant declaration as to identity of the data controller
The High Court, in In the Matter for Mount Carmel Medical Group (South Dublin) Ltd (In Liquidation) [2015] IEHC 450 considered the issue of who is a data controller under data protection law in respect of data held by a company in liquidation.
The Court refused to grant the declarations sought by the liquidators of Mount Carmel Hospital, that the statutory role of data controller was transferred to St. James Hospital (SJH) along with transfer of the patient’s records to SJH, and that the liquidators could have access to the patient data insofar as necessary for the purposes of the liquidation.
Keane J. held that there was "a clear danger of overlapping and unworkable jurisdictions" if he granted the declarations sought, as it would deprive data subjects of any meaningful right in the future to complain to the Data Protection Commissioner (the DPC) about any data processing activities carried out by Mount Carmel Hospital.
The decision shows that in the event of a dispute arising as to who is the data controller of records under a contract, the courts will give limited weight to any contractual provisions designating a particular party as data controller, and will instead focus on who, in fact, exercises control over the personal data concerned.