Heading into the Christmas period, festive shoppers may notice an increasing number of retailers are offering receipts via email (e-receipts) rather than the traditional paper docket. Providing a receipt through email has a number of advantages for retailers and consumers. There is the obvious environmental benefit and it provides an easier means for customers to store and find receipts than an over-stuffed wallet.

However, new guidance from the Data Protection Commissioner (DPC) has stressed the need for retailers to ensure that when customers provide their details for the purpose of receiving e-receipts, they should be fully informed and consent to how that data may be used. Of central concern is the retailers’ use of email addresses for subsequent direct marketing.Continue Reading DPC publishes guidance on e-receipts

The new Consumer Protection Cooperation Regulation (CPC) was passed on 14 November 2017, with the goal of providing enforcement authorities with additional powers to combat unlawful online practices. The CPC will also help harmonise consumer protection law across the EU. While the CPC is sure to aid compliance, it remains to be seen how far-reaching some of the powers will become, in particular, the website-blocking power referred to below.
Continue Reading Consumer Protection Cooperation Regulation introduced to combat unlawful online practices

We have updated our GDPR Guide for Businesses to take account of new EU regulatory guidance. The guide is a ‘living document‘, which we will expand as more regulatory guidance is published.

The EU Article 29 Working Party has published guidance on a number of key changes introduced by the GDPR, including: administrative fines, mandatory breach notification, data protection officers, lead supervisory authority, data portability, profiling, and data protection impact assessments.

More regulatory guidance is expected shortly, as well as publication of the new Irish Data Protection Bill, which will give effect to, and provide for derogations from, the
Continue Reading Whats New? – A&L Goodbody GDPR Guide For Businesses

At its plenary meeting this month, the WP29 adopted the final version of its Data Protection Impact Assessment (DPIA) guidelines.

It also adopted draft guidelines on data breach notification and profiling, and administrative fines, which will be open for public consultation for 6 weeks before their final adoption. The guidelines are expected to be published shortly on the European Commission’s WP29 webpage.

Each WP29 subgroup provided a state of play of its work on the WP29’s priorities on the GDPR, including guidelines on consent, transparency, and update of data transfer tools which are to be adopted
Continue Reading WP29 adopts draft guidelines on breach notification, profiling and administrative fines

The Government has published its legislation programme for Autumn 2017.  The programme lists priority legislation, legislation due to undergo pre-legislative scrutiny, and all other legislation it is working on. Listed below are the data protection, cyber-security and IP-related Bills coming down the track.

Priority legislation

  • Data Protection Bill – This Bill will give effect to and provide for derogations from the GDPR, and transpose the Law Enforcement Directive (2016/680). The Heads of Bill were published in May 2017, and pre-legislative scrutiny was completed on July 2017.  The legislation programme lists the Bill as “priority legislation for publication” this Autumn, but there is no indication as to when exactly the Bill is expected to be finalised and start its passage through the Oireachtas. See our blog post on the Heads of Bill here.

Continue Reading Data Protection, Cyber-Security & IP legislation coming down the track

The UK Information Commissioner’s Office (ICO) is consulting on draft GDPR guidance on contracts and liabilities between controllers and processors. The guidance seeks to help organisations understand what must be included in contracts under the GDPR, and the new responsibilities and liabilities of processors.
Continue Reading ICO opens consultation on draft guidance on controller/processor contracts and liabilities

The Data Protection Commissioner (DPC) has called for submissions on issues of Transparency and International Data Transfers under the GDPR. The submissions received by the DPC from its consultation will be shared with the Article 29 Working Party (WP29), at its third Fablab in Brussels on 18 October 2017 to inform the preparation of new guidelines on transparency under the GDPR and the updating of existing guidelines on international data transfers.
Continue Reading DPC consultation on international transfers & transparency under the GDPR

The EU Council has proposed amendments to the draft ePrivacy Regulation (the Regulation). The Presidency points out that work on the text will be incremental and this is only its first redraft.

Proposed amendments include:

Scope – The Presidency clarifies the precise material and territorial scope of the Regulation, as including:

  • the processing of electronic communications content in transmission, and of electronic communications metadata carried out in connection with the provision of electronic communications services to end-users in the EU;
  • information related to, processed by, or stored in the terminal equipment of end users located in the EU;
  • the placing on the market of software permitting electronic communications, including the retrieval and presentation of information on the internet;
  • the offering of a publicly available directory of end-users of electronic communications services located in the EU, and
  • the sending or presenting of direct marketing communications to end users located in the EU.

Continue Reading EU Council proposes revisions to the draft ePrivacy Regulation

The U.S. Federal Trade Commission (FTC) announced on 8 September that three U.S. companies have agreed to settle FTC charges that they misled consumers, by falsely claiming they were certified to participate in the Privacy Shield. In separate complaints, the FTC alleges, all three companies failed to complete the certification process for the Shield.  As part of their settlements with the FTC, the three companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization, and must comply with FTC reporting requirements. The actions against the three companies are the first cases the FTC has brought to enforce the Shield, which was adopted last July 2016.
Continue Reading Three U.S. companies charged for falsely claiming compliance with Privacy Shield