The EDPB has published its first review of the implementation of the GDPR, in particular the functioning of the cooperation and consistency mechanism. The GDPR requires EU Data Protection Supervisory Authorities (SAs) to cooperate in order to provide a consistent application of the GDPR. The EDPB concludes that nine months after the entry into force of the GDPR, the cooperation and consistency mechanism is working well. All one-stop-shop cases have so far been resolved smoothly, with no cross-border case being escalated to the EDPB for dispute resolution purposes.

To support the cooperation and consistency mechanism, the EDPB have customised an existing IT system, the Internal Market Information System (IMI), in order to provide a structured and confidential way for SAs to share information.

Some of the highlights of the review are set out below.Continue Reading EDPB publishes review of GDPR cooperation and consistency mechanism

The European Parliament voted on 26 March 2019 in favour of the controversial EU Copyright Directive, which will implement sweeping changes to regulation around online copyright. MEPs voted in favour of the compromise text as agreed on 13 February 2019 (previously discussed here). The Directive was approved by 348 votes to 274, concluding one of the most contested and intensely lobbied law proposals in recent years. A last minute vote on debating amendments to the reforms (in relation to Articles 11 and 13) was also rejected by just five votes. The text approved by Parliament can be accessed here
Continue Reading EU Approves Controversial New Copyright Rules

The European Data Protection Board (EDPB) has adopted an Opinion on the interplay of the e-Privacy Directive 2002/58 with the GDPR. The Opinion was adopted in response to a request made by the Belgian Data Protection Authority (DPA) to clarify: (i) the material scope of the e-Privacy Directive and the GDPR; (ii) the interplay of each set of rules and extent to which processing can be governed by both; (iii) the competence, tasks and powers of EU DPAs, and (iv) the applicability of the cooperation and consistency mechanism by DPAs in relation to processing that triggers both sets of rules.  The EDPB’s Opinion is without prejudice to the outcome of the current negotiations concerning the proposed e-Privacy Regulation. We have set out below some of the highlights of the Opinion.
Continue Reading EDPB issues Opinion on interplay of e-Privacy Directive and the GDPR

The Advocate General of the Court of Justice of the EU (CJEU) has delivered an Opinion in the Planet49 case (Case C-673/17), finding that a pre-ticked checkbox giving consent for cookies does not constitute valid consent under the e-Privacy Directive 2002/58 read in conjunction with the Data Protection Directive 95/46 or the GDPR.
Continue Reading Advocate General finds a pre-ticked checkbox does not constitute valid consent for cookies

The Data Protection Commission (DPC) has published its Annual Report for 25 May-31 December 2018. As always, the Report reveals some interesting statistics and case studies. In the coming months, the DPC expects to conclude a number of statutory inquiries, which it launched in 2018, into multinational technology companies with EU headquarters situated in Ireland. The DPC anticipates that the conclusion of those inquiries will provide precedents for better implementation of the principles of the GDPR across key aspects of internet and ad tech services. This briefing note sets out some of the highlights of the Report.
Continue Reading DPC publishes Annual Report for May-December 2018

On 4 March 2019, Minister Richard Bruton TD announced that he will introduce an Online Safety Act to regulate harmful content online and ensure children are safe online.  The Act will also implement the revised Audiovisual Media Services (AVMS) Directive (which Member States are required to implement by 19 September 2020).  The Minister stated that the era of self-regulation in regard to online safety is over.  It is proposed that an Online Safety Commissioner would oversee the new system. The Department of Communications, Climate Action and Environment is seeking views on the proposed legislation, and has launched a six-week consultation period which is open until 15 April 2019.
Continue Reading Government consults on new Online Safety Act

The Data Protection Commission (DPC) has published the results of the annual Global Privacy Sweep for 2018, which examined how well organisations are implementing the concept of accountability.  The Global Privacy Enforcement Network members made contact with 356 organisations in 18 countries during the Sweep. It found that while there were examples of good practice reported, a number of organisations had no processes in place to deal with complaints and queries raised by data subjects, and were not equipped to handle data security incidents appropriately.
Continue Reading DPC publishes results of Global Privacy Sweep for 2018

By any measure, 2018 was a historic year for data protection law with the coming into effect of the GDPR on 25 May 2018.  Ireland plays an important role in the regulation and enforcement of data protection law and decisions of the Irish courts have had a disproportionate impact on European data protection jurisprudence. With the introduction of the one-stop-shop mechanism under the GDPR it is to be expected that this trend will continue in the years ahead.  This briefing note highlights the key data protection legislative developments and Irish court decisions over the past year.

Go to Publication
Continue Reading Irish Data Protection Law – 2018 in Review

On 13 February 2019, the European Parliament, Council and Commission reached a compromise on the text of the new Copyright Directive (previously discussed here).  The proposed Directive targets digital use of press publications by information society service providers, such as news aggregators and media monitoring services. As discussed below, the two most controversial provisions are Articles 11 and 13, known respectively as the “link tax” and “upload filtering” provisions.
Continue Reading EU reaches compromise on new Copyright Directive

The EDPB has published information notes on Data Transfers under the GDPR in the Event of a No-Deal Brexit, and on BCRs for Companies Which Have ICO as BCR Lead Supervisory Authority to help organisations prepare for a no-deal Brexit. The information notes build on guidance already issued by the UK ICO and Irish Data Protection Commission (discussed here).

The Information Note on Data Transfers warns that, in the event of a no-deal Brexit, the UK will be a ‘third country’ from 30 March 2019. As a result, personal data cannot be transferred from the EEA to the UK unless organisations implement a data transfer mechanism under the GDPR, such as standard contractual clauses; ad hoc contractual clauses; binding corporate rules (BCRs); codes of conduct and certification mechanisms, or a derogation. In regard to data transfers from the UK to the EEA, the UK Government have confirmed the current practice, which permits personal data to flow freely from the UK to the EEA, will continue in the event of a no-deal Brexit.Continue Reading EDPB publishes information notes on data transfers in the event of a no-deal Brexit and on BCRs