The High Court, in a 197-page judgment, has dismissed a legal challenge against a decision by the Data Protection Commission (DPC) to commence an “own volition” inquiry into the applicant’s data transfers to its parent company in the US, and to issue a preliminary draft decision (PDD) proposing to suspend such transfers.

The applicant brought judicial review proceedings against the DPC, alleging that the inquiry and PDD were unlawful on a number of procedural grounds. In particular, the applicant claimed that the DPC had breached its legitimate expectation that the DPC would follow the statutory inquiry procedure set out in its Annual Report for 2018, on its website, and that it had adopted in other inquiries. The applicant also claimed the DPC had breached its right to fair procedures by failing to conduct an investigation/inquiry before reaching a decision. The High Court rejected all of the applicant’s grounds of challenge, finding that the DPC’s decision to commence an inquiry and issue the PDD, along with the associated procedural steps, were lawful.

The proceedings concerned the procedural rights and obligations of the parties in the context of the DPC’s inquiry following Schrems II, rather than the merits of the DPC’s preliminary views in the PDD.Continue Reading High Court rejects procedural challenge against DPC’s inquiry into EU-US data transfers

The Government has published its legislation programme for Summer 2021. We have set out below the status of key Bills of relevance to the data protection, commercial and technology sector.

Bills expected to undergo pre-legislative scrutiny this Summer Session 

  • Online Safety and Media Regulation (OSMR) Bill – This Bill will provide for the establishment of a multi-person Media Commission (including an Online Safety Commissioner), the dissolution of the Broadcasting Authority of Ireland, a regulatory framework to tackle the spread of harmful online content, and implementation of the revised Audiovisual Media Services (AVMS) Directive 2018/1808. The Heads of Bill were published on 9 January 2020, with additional provisions approved on 8 December 2020. The government also recently approved the integration of the Broadcasting (Amendment) Bill into the OSMR Bill. Member States were due to implement the revised AVMS Directive in national law by 19 September 2020, so Ireland has missed this deadline. Pre-legislative scrutiny is currently underway.

Continue Reading Government publishes Summer Legislation Programme

Last Friday 21 May 2021, MEPs passed a resolution asking the EU Commission to modify its draft UK adequacy decisions, to bring them into line with recent EU court rulings and to address concerns raised by the European Data Protection Board (EDPB) in its recent opinions. The EDPB stated that UK law and practice relating to bulk data collection, onward transfers and its international agreements in the field of intelligence sharing, need to be further assessed by the EU Commission.
Continue Reading MEPs ask European Commission to amend draft UK adequacy decisions

The Data Protection Commission (DPC) is accepting feedback on its Draft Regulatory Strategy for 2021–2026 until 30 June 2021. We have set out the key highlights of the Strategy below.

The DPC’s strategic goals are to: (i) regulate consistently and effectively; (ii) safeguard individuals and promote data protection awareness; (iii) prioritise the protection of children and other vulnerable groups; (iv) bring clarity to stakeholders; and (v) support organisations and drive compliance.Continue Reading DPC seeks feedback on Draft Regulatory Strategy for 2021-2026

The Portuguese Data Protection Authority (known as the CNPD) has ordered the National Institute of Statistics (NIS) in Portugal to stop sending census data to the U.S. or other third countries, that do not provide an adequate level of data protection.

NIS used Cloudfare Inc. (a U.S. based company) to assist it with the collection of personal data from Portuguese citizens in 2021 Census Surveys. Following receipt of complaints about the collection of census data via the internet, the CNPD carried out an investigation into NIS. The CNPD found that NIS had a contract in place with Cloudfare Inc ., which provided for the transfer of the census data to the U.S., using the Standard Contractual Clauses (SCCs).  It noted that Cloudfare Inc., as a U.S. company, is directly subject to U.S. surveillance legislation for national security purposes, which provides U.S. public authorities with unrestricted access to personal data in its possession, without informing data subjects.Continue Reading Portuguese Data Protection Authority suspends data transfers to the U.S.

The Conseil d’État, France’s highest administrative court, recently ruled that personal data collected via a platform managed by Doctolib, and hosted by an EU subsidiary of a US-based company (subject to US surveillance laws), was compatible with the GDPR. The ruling is an important follow-up to Schrems II.
Continue Reading French court considers lawfulness of using EU subsidiary of US cloud service provider post-Schrems II

The European Data Protection Board (EDPB) recently responded to questions submitted by the EU Commission seeking clarification on the consistent application of the GDPR to health research. The responses cover 21 questions and provide clarity on issues such as: the legal basis for processing health data; processing of special categories of data on a large scale; and further processing of previously collected health data. While it is clear that many questions remain unanswered, further responses are expected in forthcoming guidance currently being prepared by the EDPB.
Continue Reading EDPB responds to questions on processing health data

The Data Protection Commission (DPC) has published its Annual Report for 2020. The Report looks back on the span of regulatory work completed by the DPC over the past year, and reveals some interesting trends and statistics. It discusses the complaints and breach notifications received; case-studies; the 83 domestic and cross-border inquiries it has open; and the fines, reprimands, and compliance orders it has issued for infringements of the GDPR and Law Enforcement Directive (LED). This briefing note considers some of the key highlights of the Report.
Continue Reading DPC publishes Annual Report for 2020

The EU Commission looks set to adopt two adequacy decisions in favour of the UK, which will allow businesses to continue to freely transfer personal data from the EU/EEA to the UK.  On 19 February 2021, the EU Commission published two draft adequacy decisions permitting transfers of personal data to the UK under the GDPR, and under the Law Enforcement Directive (LED).

Once adopted, the decisions will replace the interim solution agreed under the EU-UK Trade and Cooperation Agreement (previously discussed here). That agreement allows businesses to transfer personal data from the EU/EEA to the UK, without
Continue Reading EU Commission publishes draft UK adequacy decisions

On 10 February 2021, the EU Member States agreed on the EU Council’s negotiating mandate for the draft ePrivacy Regulation. The new Regulation will repeal and replace the existing ePrivacy Directive 2002/58/EC. The text approved by the EU Member States allows the EU Council to start negotiations with the European Parliament on the final text of the ePrivacy Regulation.

Key Highlights

The EU Council’s Press Release sets out the key highlights of the draft ePrivacy Regulation, which include:

  • The rules will apply when end-users are in the EU. This also covers cases where the processing takes place outside the EU or the service provider is established or located outside the EU.
  • The Regulation will cover electronic communications content and metadata (such as information on location, time and recipient of a communication).

Continue Reading EU Council agrees its position on draft ePrivacy Regulation