The Irish Data Protection Commission (DPC) released its 148-page annual report on 29 May 2024 (the Annual Report), highlighting the scope of work and enforcement activities undertaken by the DPC throughout 2023. A full copy of the report is available here.

In this series of articles we decode the report – providing an insight into the key points of focus, emerging themes and potential areas of future regulatory developments. 

This Article will aim to provide an overview of what we have learned in respect of data breach notifications from this year’s Annual Report, and what future

Continue Reading Decoding the Data Protection Commission’s 2023 Annual Report – Part 1: Data Breaches

On 13 March 2024, the European Parliament and the Council adopted Regulation (EU) 2024/900 on the transparency and targeting of political advertising (the Regulation). The Regulation is now in force, however, the majority of its provisions will not take effect until October 2025.

This article aims to provide a summary of the key provisions of the Regulation under the following headings:

  1. Scope of the Regulation
  2. Transparency and due diligence obligations 
  3. Targeting and ad delivery of online political advertising
  4. Supervision and enforcement
  1. Scope of the Regulation

The Regulation is intended to provide harmonised rules on transparency and related due diligence

Continue Reading Political Advertising Regulation

On 27 November, the final text of the EU’s Data Act (the Act) was formally approved by the European Parliament and the European Council. 

It will enter into force 20 days after its publication in the EU’s official journal, which is expected in the coming days. However, the majority of its provisions will only apply 20 months after it enters into force.

Scope of the Act

The Act, which takes the form of a directly applicable EU regulation, has three central focuses:

  1. remove obstacles to the process of switching between providers of “data processing services”  and the
Continue Reading Final text of the EU’s Data Act approved

This is Part 1 in our series focused on tracking the development of the EU’s AI Act. The series will provide updates and commentary as the AI Act moves through the EU’s legislative process.

To set the scene, the EU Commission first adopted its Proposal for a Regulation laying down harmonised rules on artificial intelligence (the Proposed Act) back in April 2021. In ways a ground breaking piece of draft legislation, it was one of the first attempts to implement a regulatory framework which was specific to the use of artificial intelligence (AI) technology. This article aims

Continue Reading Tracking the AI Act: Part 1 – How the EU is thinking about regulating the AI sector

Following the first designation of Very Large Online Platforms (“VLOPS“) and Very Large Online Search Engines (“VLOSEs”) under the Digital Services Act Regulation (“DSA“) on 25 April 2023, the European Commission has now announced a call for evidence from stakeholders to inform proposed delegated acts on data access mechanisms.Continue Reading Commission Calls for Stakeholder Views on Data Access Mechanism under DSA

In a recent significant judgment1 from the Irish Circuit Court, the judge concluded that “justice is best served” by granting a stay of a data subject’s damages claim pending determination of certain preliminary references currently before the CJEU. The court expressed a view that damages in the case, if awarded, were likely to be small and a stay would not impact the procedural efficiency of the proceedings, but a delay in granting a stay could substantially and unnecessarily increase legal costs for the defendant.Continue Reading “Justice Best Served” – Data Subject Claims Stayed

The Digital Services Act (DSA), a major EU regulation for online content, was signed into law yesterday.

The DSA together with the Digital Markets Act (the DMA) form part of an EU legislative strategy that seeks to create a level playing field for both big and small businesses in the digital world, create a harmonized approach to doing business online and to create a safer environment for users online.

What ‘s new

More particularly, the DSA aims to achieve the following objectives:

  1. Establish a powerful transparency and accountability framework for internet intermediaries:

The DSA will hold intermediaries

Continue Reading Digital Services Act Update

The DPC recently fined WhatsApp €225m for failing to discharge its transparency obligations under the GDPR. The decision will have implications for all businesses, particularly regarding their privacy notices and transparency obligations. The decision sets out the DPC’s high expectations in regard to businesses’ transparency obligations. It also clarifies the relevance of the consolidated turnover of the entire group of companies when calculating both the maximum fining cap, and the appropriate fine to impose.

This publication provides a deep dive into the DPC’s findings and considers their impact on businesses.
Continue Reading WhatsApp decision considers scope of transparency obligations under the GDPR

The European Data Protection Board (EDPB) published its finalised Guidelines on the concepts of controller and processor in the GDPR (07/2020) (Guidelines) in July. These concepts play a crucial role in the application of the GDPR as they determine who is responsible for compliance with GDPR obligations and how data subjects can exercise their data protection rights in practice. In Part I, we outlined some of the key highlights of the Guidelines in respect of the controller and processor concepts. This Part II addresses the key highlights in respect of the joint controller concept and the implications of the joint controller relationship.
Continue Reading EDPB provides guidance on the concepts of controller and processor in the GDPR (Part II)