The European Data Protection Board (EDPB) has published its work program for the next two years. The program lists the guidelines, consistency opinions, and other types of activities the EDPB intends to carry out. The program is based on the needs the EDPB has identified as priorities for individuals and stakeholders, as well as on the EU legislator’s planned activities. The Guidelines due to be published over the coming two years include:

  • Guidelines on reliance on Art. 6(1) b in the context of online services (i.e. the contractual necessity legal basis)
  • Guidelines on concepts of controller and processor (Update of the WP29 Opinion)
  • Guidelines on the notion of legitimate interest of the data controller (Update of the WP29 Opinion)
  • Guidelines on the Territorial Scope of the GDPR (finalisation after the public consultation)


The European Data Protection Board (EDPB) has adopted an Opinion (3/2019) on the interplay between the EU Clinical Trials Regulation (536/2014) (CTR) and the GDPR, following a request from the European Commission to review its Q&A on the topic. The CTR, which is expected to enter into force in 2020, aims to harmonise the rules for conducting clinical trials throughout the EU. It does not contain any derogations from the GDPR and will therefore apply simultaneously with the GDPR.

The EDPB’s Opinion focuses on: (1) the legal basis under the GDPR for processing personal data in the course of a clinical trial protocol (primary use), and (2) further use of clinical trial data for other scientific purposes (secondary use). Some highlights of the EDPB’s Opinion are set out below.

The European Commission has published an infographic on compliance with and enforcement of the GDPR from May 2018 to January 2019. The infographic reveals some interesting statistics, including:

  • 95,180 complaints have been made to EU national data protection authorities (DPAs) by individuals who believe their rights under the GDPR have been violated. The majority of these complaints concerned telemarketing, promotional emails, and video surveillance/CCTV.


It looks unlikely that the draft e-Privacy Regulation will come into effect before 2021. European Council negotiations on the text of the draft Regulation are currently ongoing, and trilogue discussions by the Council, Parliament and Commission will then take place. However, the upcoming May 2019 European elections may lead to a delay in the Council adopting a common position and the trilogue discussions commencing. In addition, the latest draft text of the Regulation, published by the European Council, provides that it will apply 24 months from the date it is adopted, with the result that even if it is adopted imminently, it may not come into effect until 2021.

The European Commission has adopted an adequacy decision on Japan, creating the world’s largest area of safe data flows. The decision means that EU organisations can transfer personal data to organisations in Japan, without having to put in place a transfer mechanism laid down in Chapter 5 of the GDPR (such as the Commission’s standard contractual clauses or Binding Corporate Rules). Japan has adopted an equivalent decision, making it simpler for Japanese organisations to transfer personal data to the EU. The adequacy decision, as well as the equivalent decision on the Japanese side, came into force on 23 January 2019.

The Government has published its Legislation Programme for Spring 2019. Preparing for Brexit is the central feature of the Spring Legislation Programme (which covers the period January-March 2019). The Brexit omnibus bill, the Miscellaneous Provisions (Withdrawal of the United Kingdom from the European Union on 29 March 2019) Bill, is the primary item in the Spring Programme.

The Brexit omnibus bill comprises vital legislation across 17 elements that will need to be enacted prior to Brexit in the event of a no-deal Brexit. Part 17 of the proposed Bill will provide for amendments to the Data Protection Act 2018. While the possibility of introducing a number of Brexit-related bills was considered, the Government believes that a single, standalone bill, that contains a number of parts, is the most efficient and effective way of preparing for Brexit. In addition, the Government has stated that many of the provisions will be provided for through statutory instruments that will be ready for signing should they be required in the event of a no-deal Brexit.

While Brexit is the priority, the Government has indicated that work is continuing on other legislation across all Government departments and a number of bills that are at an advanced stage will be introduced in the coming weeks, and progressed alongside those currently on the Dáil Order Paper.

The Data Protection Commission (DPC) has issued guidance in relation to the transfer of personal data to and from the UK in the event of a ‘no deal’ Brexit. The DPC’s guidance is in line with the ‘no deal’ Brexit guidance published on 13 December 2018 by the UK Government (supplementing its September 2018 Technical Note) and by the UK Information Commissioner’s Office (ICO).  Some highlights of the guidance issued by the Irish and UK regulators, and UK government, are set out below.

The European Commission has published its Report and Staff Working Document on the second annual review of the Privacy Shield. The Report concludes that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to the 3850 participating companies in the U.S. It notes that the steps taken by the U.S. authorities to implement the recommendations made by the Commission last year have improved the functioning of the framework.

However, the Commission expects the US authorities to nominate a permanent Ombudsperson by 28 February 2019 to replace the one that is currently acting. The Ombudsperson is an important mechanism that ensures complaints concerning access to personal data by U.S. authorities are addressed. If the Ombudsperson is not appointed by that date, the Commission will consider taking appropriate measures, in accordance with the GDPR.

The DPC has published guidance for drivers concerning their data protection responsibilities when using dash cams. Images and audio recordings captured by dash cams constitute ‘personal data’ insofar as they relate to an identifiable individual and are therefore subject to the GDPR and Data Protection Act 2018.

Actions to take

In order to comply with the GDPR, in particular, the transparency, purpose limitation, data minimisation, storage limitation and security requirements, as well as individuals’ access rights, the DPC recommends that drivers take the following actions:

  • Ensure a clearly visible sign or sticker is placed on vehicles indicating that filming is taking place;
  • Keep a policy sheet detailing your contact details, the basis on which you are collecting the images and audio of others (if applicable), the purposes for which the data is being used and how long you will retain it for etc. (in compliance with Articles 12 and 13 of the GDPR);
  • Provide a copy of the policy sheet on request to anyone who asks for further information about your dash cam, or provide the information verbally;
  • In the event of an accident, inform the other party that you have recorded footage of the accident;
  • Only retain footage for as long as necessary, in regard to the purpose for which it was obtained. Footage of an accident may be required for a claim or investigation and can be retained for that purpose, but other footage should be routinely deleted;
  • Store footage securely and limit access to it, and
  • Provide individuals with access to any footage/audio recording their image/voice.


The Data Protection Commissioner (DPC) has published her final Annual Report covering the period of 1 January 2018 to 24 May 2018. The Report includes some interesting case-studies, such as the prosecution of a company for sending marketing emails to work email addresses. It also discusses litigation to which the DPC was a party this year, including the case of Nowak v DPC, where the High Court followed the CJEU’s decision in YS v Minister voor Immigratie & Ors, finding that a controller exercises some discretion in regard to how to respond to an access