The Office of the Data Protection Commissioner (the DPC) recently volunteered to participate in the Global Privacy Enforcement Network’s (GPEN) internet privacy sweep along with other privacy enforcement authorities in Australia, Canada, Estonia, Finland, France, Germany, Hong Kong, Macao, New Zealand, Norway, the UK and the USA.

The privacy sweep carried out by the DPC entailed an audit of 79 organisations in an effort to assess their privacy practices, as outlined in the privacy policies on their websites or within their mobile applications.

On 25 August 2013, the new rules setting out the circumstances in which Telcos and ISPs need to report personal data breaches, and the information they must share in those reports, came into effect. The Regulation sets out specific rules for the notification of data security breaches under the e-privacy Directive 2002/58/EC, which was transposed into Irish law by Statutory Instrument No. 336/2011. See my earlier blog for more information on the Regulation.

A secure online form is available, on the Data Protection Commissioner’s website, for Telcos and ISPs to make the data security breach notification.  Click here to


The Office of the Data Protection Commissioner has this week made informal contact with The National Maternity Hospital over a potential personal data security breach. An earlier media publication had reported that the hospital had carried out the first termination under the Protection of Life During Pregnancy Bill 2013.

The Data Protection Acts 1988 and 2003 impose obligations on all data controllers to process personal data entrusted to them in a manner that respects the rights of data subjects. Where personal data has been put at risk of unauthorised disclosure, loss, destruction or alteration, data controllers must give immediate consideration to informing those who have been affected.

The Supreme Court, in EMI Records (Ireland) Ltd & Ors v Data Protection Commissioner and Eircom Ltd [2013] IESC 34, 3 July 2013, has confirmed that an Enforcement Notice issued by the Data Protection Commissioner (DPC) will be invalid if reasons are not given for it. The decision also shows when judicial review, rather than statutory appeal, of a decision of the DPC may be permissible.

The Facts

The applicants, music record companies, had brought earlier proceedings against Eircom (the notice party), arising out of alleged unauthorised and unlawful sharing of copyright material facilitated by internet services provided by Eircom. Those proceedings were settled, but the DPC claimed that implementation of the settlement agreement might breach data protection law. The parties to the settlement applied to the court for a ruling on the consistency of the settlement with data protection law, which the DPC declined to participate in. The High Court ruled that implementation of the settlement would not be in breach of any relevant law.

On 26 June 2013, a new Commission Regulation on what precisely telecommunications operators (telcos) and Internet Service Providers (ISPs) should do if their customers’ personal data is lost, stolen or otherwise compromised was published in the Official Journal of the EU. The purpose of the new rules is to ensure that businesses operating in more than one EU country can take a pan-EU approach in the event of a data breach.

Since 2011, telcos and ISPs have had a mandatory obligation under the e-Privacy Regulations 2011 (S.I. 336/2011) to notify national data protection authorities, and any individuals adversely affected, about breaches of personal data. However, the 2011 Regulations do not prescribe specific timeframes for breach notification.

The Data Protection Commissioner (the DPC) has published his Annual Report for 2012. On launching his report the DPC highlighted, in particular, his concerns over the issue of sharing personal data in the public sector.  

Whilst the DPC accepted the benefits of such data sharing in terms of efficient delivery of public services, he stated that such data sharing must be done in a manner that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason. The Report includes a special report on an investigation of data sharing through the INFOSYS system provided by the Department of Social Protection, which revealed significant failures to comply with the Data Protection Acts 1988 and 2003 (the Acts).