On 28 June 2023, Coimisiún na Meán (CnaM) launched a consultation on the designation of video-sharing platform services (VSPSs) under the Online Safety and Media Regulation Act 2022 (the OSMR), amending the Broadcasting Act 2009. The OSMR transposes the revised Audio-Visual Media Services Directive into Irish law, which requires Member States to ensure that VSPSs take appropriate measures to protect young people from harmful content and protect the general public from illegal content. It also requires Member States to ensure that VSPSs comply with advertising standards.

A VSPS is a service where:

  • the principal purpose
Continue Reading Consultation launched on the designation of video-sharing platform services under the OSMR

The Online Safety and Media Regulation Bill 2022 was signed into law on Saturday, 10 December 2022.

Online safety is one of the headline items covered by the new legislation, and it will be overseen by the newly-established Media Commission (Coimisiún na Meán). The legislation also seeks to implement a number of other key legislative reforms including the transposition of the revised Audiovisual Media Services Directive and the alignment of the regulation of video on-demand services with traditional broadcasting (please see here for an overview of the OSMR Bill published earlier this year).

The Media Commission will have broad investigative
Continue Reading Online Safety & Media Regulation Bill 2022 signed into law

The Digital Services Act (DSA) was published in the Official Journal of the European Union today. It will enter into force on 16 November 2022, i.e. 20 days from the date of publication in the Official Journal.

Who will be affected?

The DSA will apply to a range of providers of digital “intermediary services” (which will include mere conduit services, caching services and hosting services), where such services are offered to natural or legal person recipients that are established or located in the EU. Broadly, the obligations set out in the DSA are proportionate to the scale
Continue Reading Digital Services Act published in EU’s Official Journal

On 25 May the Grand Chamber of the European Court of Human Rights, (ECtHR) ruled that the UK’s surveillance regime of bulk interception of online communications violated the European Convention on Human Rights (Convention) in the case of Big Brother Watch v United Kingdom.  According to the ECtHR this regime breached the rights to privacy and freedom of expression enshrined within Article 8 and 10 of the Convention, a ruling that will have significant implications for state surveillance across Europe.
Continue Reading Big Brother was watching: ECHR Grand Chamber rules that UK bulk interception surveillance regime violates human rights

The Bavarian Data Protection Authority (DPA) recently ruled that a German publisher should cease using a US-based email marketing platform to send newsletters to its subscribers. The Bavarian DPA found that transfers of email addresses of EU subscribers by the German publisher to the US-based platform to be unlawful.  When using the platform, the German publisher relied on the Standard Contractual Clauses (SCCs) for its data transfers from Germany to the US.
Continue Reading Bavarian DPA finds data transfers to US-based email marketing platform unlawful

The Irish Data Protection Commission (DPC) has imposed a €70,000 fine on University College Dublin (UCD) for failure to implement appropriate security measures; storing data longer than necessary, and delaying in notifying the DPC of a data breach. This is the sixth GDPR fine imposed by the DPC.  Previous GDPR fines included 3 fines on Tusla (the Child and Family Agency) amounting to a total of €200,000; a €450,000 fine on Twitter, and a €65,000 fine on the HSE. These fines similarly concerned failure to implement appropriate security measures to prevent the unauthorised disclosure of personal data; delaying in notifying the  DPC of the data breach; and failing to adequately document the breach.
Continue Reading DPC fines UCD €70,000 for GDPR breach

On 24 December 2020, the EU and UK reached a consensus on the Trade and Cooperation Agreement (the Agreement). The agreement allows personal data to continue to flow freely from the EU/EEA to the UK for up to 6 months after 1 January 2021, or until an adequacy decision is adopted (whichever is earlier). This provides the European Commission with some further time to make an adequacy decision in relation to the UK.
Continue Reading Trade Agreement keeps EU-UK personal data flowing for 6 months

The European Commission recently published its new draft Standard Contractual Clauses (SCCs) for international transfers of personal data to third parties located outside of the EEA.

The new SCCs have been expected for some time in light of the coming into force of the GDPR. The existing set of SCCs were implemented under the former Data Protection Directive 95/46/EC and still referenced that regime. The delay was due to the European Commission reconciling the new SCCs with the decision of the European Court of Justice in Schrems II.

Whilst the new SCCs align with the GDPR, address the Schrems II decision, and directly incorporate some of the European Data Protection Board (EDPB) Recommendations on Supplementary Measures (01/2020), they are not a catch-all solution for international data transfers. Parties will still be required to undertake a risk assessment, and adopt supplementary measures (where necessary), to ensure the effectiveness of the new SCCs in the third country concerned.  Where the new SCCs and supplementary measures do not provide an adequate level of protection in the third country, then companies will be obliged to suspend and/or terminate the transfer.Continue Reading European Commission publishes draft new SCCs

​The register of one-stop-shop decisions is now live on the EDPB website. It contains access to summaries and final decisions adopted by the Lead Supervisory Authorities (LSAs), working together with other concerned authorities. The decisions concern a range of data protection compliance issues, in particular, data subject rights; lawfulness of processing, data breaches, security, and transparency requirements. In many cases, the LSAs concluded there was no violation of the GDPR. In the event there was a violation, the LSAs, for the most part, issued reprimands or compliance orders, rather than fines.
Continue Reading EDPB’s register of one-stop-shop decisions now live