On 6 February, the EU’s Advocate General Spielmann provided his opinion (the Opinion) in the case of EDPS v SRB (Case C‑413/23 P), advising that the previous judgment of the General Court be set aside and referred for judgment back to it. The Opinion offers some interesting views on how we should consider the effect of pseudonymising personal data. 

Key Takeaways

  • The Opinion concerns the scope of “personal data” under Regulation 2018/1725 (which is the EU institutions’ equivalent to the GDPR and which mirrors much of the same language and principles as the GDPR). It proposes a broader conceptualisation
Continue Reading One man’s pseudonymisation is another man’s anonymisation: The AG Opinion in SRB v EDPS and the scope of “personal data”

Today marks the effective date of the Digital Operational Resilience Act (DORA) and with it, additional incident reporting obligations for in-scope financial entities. 

With the aim of standardising the incident reporting process for financial entities throughout the EU, from today, in-scope financial entities must report any ‘major ICT-related incidents’ to their relevant competent authority. 1For the majority of financial entities within the scope of DORA in Ireland, this will be the Central Bank of Ireland while for others (such as pensions trustees) it will be the Pensions Authority. These new incident reporting obligations apply in addition to

Continue Reading Navigating the DORA ICT Incident Reporting Obligations

The Irish Data Protection Commission (DPC) released its 148-page annual report on 29 May 2024 (the Annual Report), highlighting the scope of work and enforcement activities undertaken by the DPC throughout 2023. A full copy of the report is available here.

In this series of articles we decode the report – providing an insight into the key points of focus, emerging themes and potential areas of future regulatory developments. 

This Article will aim to provide an overview of what we have learned in respect of data breach notifications from this year’s Annual Report, and what future

Continue Reading Decoding the Data Protection Commission’s 2023 Annual Report – Part 1: Data Breaches

On 13 March 2024, the European Parliament and the Council adopted Regulation (EU) 2024/900 on the transparency and targeting of political advertising (the Regulation). The Regulation is now in force, however, the majority of its provisions will not take effect until October 2025.

This article aims to provide a summary of the key provisions of the Regulation under the following headings:

  1. Scope of the Regulation
  2. Transparency and due diligence obligations 
  3. Targeting and ad delivery of online political advertising
  4. Supervision and enforcement
  1. Scope of the Regulation

The Regulation is intended to provide harmonised rules on transparency and related due diligence

Continue Reading Political Advertising Regulation

On 27 November, the final text of the EU’s Data Act (the Act) was formally approved by the European Parliament and the European Council. 

It will enter into force 20 days after its publication in the EU’s official journal, which is expected in the coming days. However, the majority of its provisions will only apply 20 months after it enters into force.

Scope of the Act

The Act, which takes the form of a directly applicable EU regulation, has three central focuses:

  1. remove obstacles to the process of switching between providers of “data processing services”  and the
Continue Reading Final text of the EU’s Data Act approved

This is Part 1 in our series focused on tracking the development of the EU’s AI Act. The series will provide updates and commentary as the AI Act moves through the EU’s legislative process.

To set the scene, the EU Commission first adopted its Proposal for a Regulation laying down harmonised rules on artificial intelligence (the Proposed Act) back in April 2021. In ways a ground breaking piece of draft legislation, it was one of the first attempts to implement a regulatory framework which was specific to the use of artificial intelligence (AI) technology. This article aims

Continue Reading Tracking the AI Act: Part 1 – How the EU is thinking about regulating the AI sector

Following the first designation of Very Large Online Platforms (“VLOPS“) and Very Large Online Search Engines (“VLOSEs”) under the Digital Services Act Regulation (“DSA“) on 25 April 2023, the European Commission has now announced a call for evidence from stakeholders to inform proposed delegated acts on data access mechanisms.Continue Reading Commission Calls for Stakeholder Views on Data Access Mechanism under DSA

In a recent significant judgment1 from the Irish Circuit Court, the judge concluded that “justice is best served” by granting a stay of a data subject’s damages claim pending determination of certain preliminary references currently before the CJEU. The court expressed a view that damages in the case, if awarded, were likely to be small and a stay would not impact the procedural efficiency of the proceedings, but a delay in granting a stay could substantially and unnecessarily increase legal costs for the defendant.Continue Reading “Justice Best Served” – Data Subject Claims Stayed

The Digital Services Act (DSA), a major EU regulation for online content, was signed into law yesterday.

The DSA together with the Digital Markets Act (the DMA) form part of an EU legislative strategy that seeks to create a level playing field for both big and small businesses in the digital world, create a harmonized approach to doing business online and to create a safer environment for users online.

What ‘s new

More particularly, the DSA aims to achieve the following objectives:

  1. Establish a powerful transparency and accountability framework for internet intermediaries:

The DSA will hold intermediaries

Continue Reading Digital Services Act Update