The DPC has published guidance for drivers concerning their data protection responsibilities when using dash cams. Images and audio recordings captured by dash cams constitute ‘personal data‘ insofar as they relate to an identifiable individual and are therefore subject to the GDPR and Data Protection Act 2018.

Actions to take

In order to comply with the GDPR, in particular, the transparency, purpose limitation, data minimisation, storage limitation and security requirements, as well as individuals’ access rights, the DPC recommends that drivers take the following actions:

  • Ensure a clearly visible sign or sticker is place on vehicles indicating that filming is taking place;
  • Keep a policy sheet detailing your contact details, the basis on which you are collecting the images and audio of others (if applicable), the purposes for which the data is being used and how long you will retain it for etc. (in compliance with Articles 12 and 13 of the GDPR);
  • Provide a copy of the policy sheet on request to anyone who asks for further information about your dash cam, or provide the information verbally;
  • In the event of an accident, inform the other party that you have recorded footage of the accident;
  • Only retain footage for as long as necessary, in regard to the purpose for which it was obtained. Footage of an accident may be required for a claim or investigation and can be retained for that purpose, but other footage should be routinely deleted;
  • Store footage securely and limit access to it, and
  • Provide individuals with access to any footage/audio recording their image/voice.

Continue Reading DPC issues Guidance for Drivers on the use of Dash Cams

The Data Protection Commissioner (DPC) has published her final Annual Report covering the period of 1 January 2018 to 24 May 2018.  The Report includes some interesting case-studies, such as the prosecution of a company for sending marketing emails to work email addresses. It also discusses litigation to which the DPC was a party to this year, including the case of Nowak v DPC, where the High Court followed the CJEU’s decision in YS v Minister voor Immigratie & Ors, finding that a controller exercises some discretion in regard to how to respond to an access
Continue Reading Data Protection Commissioner publishes Annual Report for 2018

The European Data Protection Board (EDPB) has published the eagerly awaited draft Guidelines on the territorial scope of the GDPR. The 23-page Guidelines, which are open to public consultation until 18 January 2019, aim to help EU and non-EU established controllers and processors determine whether their processing operations fall within the scope of the GDPR, and ensure a consistent approach to the application of the GDPR. This note considers some of the EDPB’s key recommendations and examples of when the GDPR does or does not apply.

Go to publication
Continue Reading EDPB publishes draft Guidelines on Territorial Scope of the GDPR

Following the EDPB’s Opinion last month, the Irish Data Protection Commission (DPC) has published a non-exhaustive list of processing operations requiring a Data Protection Impact Assessment (DPIA) to be carried out. The list encompasses both national and cross-border data processing operations. It should be read in conjunction with Article 35 of the GDPR and the WP29 DPIA Guidelines.
Continue Reading Data Protection Commission confirms list of processing operations requiring a DPIA

The UK Court of Appeal has dismissed an appeal against the High Court’s decision that Morrisons is vicariously liable to 5,000 employees for misuse of their personal data by a rogue employee.

The decision is causing shockwaves amongst businesses, as it shows that a company may be held vicariously liable for a data breach caused by an employee, even if the employee’s motive in committing the breach was to harm the company (Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339).

The amount of compensation to be awarded has yet to be determined. The Court of Appeal 
Continue Reading Court of Appeal confirms Morrisons’ vicarious liability for deliberate data breach caused by employee

Earlier this year, the Irish Data Protection Commission (DPC) published a draft list of processing operations for which it considers it is mandatory to conduct a Data Protection Impact Assessment (DPIA). Following a public consultation, the DPC submitted its draft list to the European Data Protection Board (EDPB) for approval.  The EDPB has now published an opinion on the DPC’s draft list.  The DPC has two weeks to communicate to the EDPB whether it intends to amend its draft list or maintain it in its current form, and provide an explanation for its decision.
Continue Reading EDPB publishes opinion on processing operations requiring a DPIA

The Irish Government has published its legislation programme for Autumn 2018.  The programme lists priority legislation for publication this Autumn, as well as legislation expected to undergo pre-legislative scrutiny. Listed below are the data protection, cyber-security and IP-related Bills coming down the track.

Priority Legislation

  • Communications (Retention of Data) Bill – This Bill will revise and replace the Communications (Retention of Data) Act 2011. The Heads of this Bill were published last October 2017, following publication of Mr Justice Murray’s Review of the Law on the Retention of and Access to Communications Data.  That Review concluded that many features of the 2011 Act are precluded by EU law. The 2011 Act requires telephone companies and ISPs to store everyone’s metadata for up to two years which, in Mr Justice Murray words, constitutes “a form of mass surveillance of virtually the entire population of the State”. Mr Justice Murray said that Irish legislation should be consonant with the limitations as to the proper scope of a system of communications data retention and disclosure laid down by the EU Court of Justice in a number of recent cases, including the Tele2 case. The Heads of the Bill are available here.

Continue Reading Priority Data Protection, Cyber-Security and IP Legislation for Autumn 2018

On 12 September 2018, the UK Deputy Information Commissioner, James Dipple-Johnstone, made a speech to the CBI Cyber Security: Business Insight Conference   in which he discussed recent data breach reporting trends in the UK.

The Deputy Commissioner noted that since the GDPR came into effect on 25 May 2018, the ICO has received approximately 500 calls per week to its breach reporting line. After a discussion with the ICO’s officers, roughly one third of these organisations decide that their breach does not meet the reporting threshold.  The Irish Data Protection Commission has also been reported as having received a massive increase in breach notifications since the introduction of the GDPR.Continue Reading ICO receiving 500 breach notification calls a week

The European Parliament has adopted its position on the controversial proposed Copyright Directive, which includes a proposal for online content sharing service providers to remunerate artists (notably news publishers, journalists, musicians, performers and script authors) for their work when it is used by sharing platforms such as YouTube, Facebook or Twitter. The reform of EU copyright rules is part of the European Commission’s Digital Single Market Strategy. The Commission recognises that whilst online services provide ease of access to creative works and offer opportunities for creative industries to develop, it also generates challenges when copyright protected works are uploaded without prior authorisation from copyright holders.
Continue Reading European Parliament votes for tech giants to share revenue with artists and journalists

The Scottish Courts have given an interesting decision in relation to IT contracts, relating to the allocation of delivery risk between supplier and customer and the importance of doing what it says in the contract.

In David MacBrayne Limited v Atos IT Services (UK) Limited (2018), Atos, a supplier, had entered into an agreement with David MacBrayne Limited to supply a digital platform. The engagement was not successful and the parties claimed and counter-claimed against each other for material breach of the contract (amongst other things).

Customer Dependencies – Whose Responsibility is Delivery?

IT contracts will often include dependencies on
Continue Reading IT Contracts Case Law Update: Allocation of Delivery Risk