After four years of negotiation, the EU General Data Protection Regulation (GDPR) has finally been agreed.  It was given final approval by the European Parliament this morning, Thursday 14 April 2016.  The GDPR will replace existing EU and national data protection legislation.  Companies have a two year transitionary period to comply with the GDPR, which come into force in Spring 2018.

The Law Enforcement Data Protection Directive (LEPD Directive), which allows for smoother exchange of information between Member States’ police and judicial authorities, has also been approved.  It is aimed at improving co-operation in the fight against terrorism and other serious crime across the EU.  Continue Reading EU GDPR is finally agreed

The Article 29 Working Party (WP29) held a Press Conference today, Wednesday 13 April 2016, welcoming the improvements brought by the Privacy Shield compared to the Safe Harbour decision, but calling for further improvements to ensure the protection offered by the Shield is essentially equivalent to that offered in the EU. 

The WP29 has strong concerns, in particular, with regard to the possibility of bulk collection of personal data originating from the EU, and insufficient guarantees concerning the independence of the Ombudsperson.Continue Reading Article 29 Working Party demands improvements to Privacy Shield

The Office of the Data Protection Commissioner (ODPC) has contacted Dublin City Council in relation to its data protection concerns surrounding the City Council’s new anti-litter poster initiative. As part of the initiative the City Council had erected a billboard in the north inner city featuring CCTV images of 12 people who appear to be engaging in illegal dumping around the Amiens Street-Five Lamps area. Although the faces were slightly blurred due to the quality of the CCTV footage, the City Council stated that the people would be able to identify themselves from the images, as most likely
Continue Reading ODPC contacts Dublin City Council regarding anti-litter posters

The new EU General Data Protection Regulation (GDPR) and the Law Enforcement Data Protection Directive (LEDP Directive) are expected to be finalised by the European Parliament tomorrow, Thursday 14 April 2016.

The new data protection laws were approved by the European Council on 8 April 2016.  Earlier this week, the LIBE committee also voted to approve the laws. The European Parliament is expected to formally adopt the GDPR and LEPD Directive on Thursday 14 April 2016.  Once adopted, the texts will be published in the Official Journal.  Businesses will then have a two year transitionary period to comply

Continue Reading Finalisation of EU GDPR imminent

On 16 March 2016, the Advocate General (AG) delivered an Opinion, in McFadden v Sony Music Entertainment Germany GmbH Case-484/14, that a business offering free WiFi access to the public cannot be held liable for copyright infringement committed by a user of that WiFI. The decision confirms the applicability of the E-Commerce Directive, and the “mere conduit” defence, to free WiFi providers.Continue Reading WiFi providers not liable for copyright infringement by users

The Administrative Court of Hamburg recently overturned an order of the Hamburg Data Protection Authority (DPA) against Facebook.  The Court held that Irish, not German, data protection law was applicable, despite the existence of an office of Facebook in Germany.


The background

A woman complained to the Hamburg DPA after Facebook blocked her account for using a pseudonym, requested a copy of some identification and unilaterally changed her username to her real name. The Hamburg DPA found that Facebook could not unilaterally change users’ chosen usernames to their real names, nor ask them for official identification, as German data protection law provides a right to a pseudonymous online profile.  

Overturning the DPA’s decision, the Hamburg Court found that the business operations of Facebook Ireland and Facebook Germany constitute an "establishment" within the meaning of Article 4 (1)(a) of the Data Protection Directive 95/46/EC (the Directive).  However, it held that if several national data protection laws might apply due to the fact that the data controller is established in several Member States, then it is the law of the EU member state which the disputed data processing is most closely associated with which is to be applied.  According to the Hamburg Court, that was Facebook Ireland in this case, where Facebook has its European Headquarters. The Hamburg Court refused to apply a broad interpretation of the "establishment" test in Article 4(1)(a) of the Directive.  It distinguished the CJEU’s judgment in Google Spain on the basis that the controller (Facebook) was established in an EU Member State, so that there was no risk that natural persons affected by the contested data processing operation would be deprived of the protection offered by the Directive.Continue Reading Territorial scope of Data Protection Directive under the microscope again

The European Commission has released the legal texts that will constitute the EU-US Privacy Shield which will replace the Safe Harbour framework, which was declared invalid by the Court of Justice (CJEU) last October.  Unlike its predecessor, the Privacy Shield includes not only commitments in the commercial sector, but also access to personal data by public authorities for national security purposes.

The documents released include the draft “adequacy decision”, the Privacy Shield Principles which will apply to all US companies providing services on the EU market, as well as written commitments by the US Government on the enforcement of the Privacy Shield, including safeguards and limitations concerning access to data by US national intelligence agencies. 

The Privacy Shield aims to provide European citizens with more transparency about transfers of their personal data to the US and stronger obligations on US companies to protect their data. It requires stronger monitoring and enforcement by the US Department of Commerce (DoC) and the Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities (DPAs).  It also provides several redress possibilities for individuals in case of complaints either directly with companies, or with the help of their local DPA.Continue Reading The European Commission releases EU-US Privacy Shield

The Information Commissioner’s Office (ICO) in the UK has published guidance for organisations providing WiFi services to their staff and customers.  The guidance considers how WiFi operators can use location and other analytics information in a manner that complies with data protection laws. As the core data protection principles in the UK and Irish Data Protections Acts are the same, the guidance is also of interest to Irish businesses.

The guidance highlights that it is possible for WiFi operators to collect data from devices covertly, and therefore it is vital that individuals are warned that their data may be collected.  This can be done by installing clear signage at the entrance to and throughout WiFi zones, on websites and in WiFi sign-up or registration pages, notifying device users of the potential processing of their data.Continue Reading WiFi operators urged to install WiFi signage

On 24 February 2016, the European Commissioner, Věra Jourová, announced the signing of the Judicial Redress Act by President Obama. The Act aims to: (i) address the concerns expressed by the Court of Justice of the European Union (CJEU) when it overturned the Safe Harbor Agreement last October 2015 regarding the lack of judicial redress by EU citizens in the US and (ii) facilitate data exchange between the US and EU.

The Act purports to give EU citizens the same rights to judicial redress under the US Privacy Act of 1974 that US citizens have, by allowing them to bring civil actions in U.S. courts against US law enforcement agencies which misuse their personal data.

Whilst the Act gives the US Department of Justice authority to determine which US agencies are within its scope, potentially limiting the reach of the Act, it nonetheless represents a welcome step forward by the US government. Continue Reading Commissioner Věra Jourová announces signing of Judicial Redress Act by President Obama

The Data Protection Commissioner (DPC) has published new guidance on ‘Data sharing in the public sector’ following the decision of the CJEU in Bara (C-201/14) (see our previous blog on the Bara judgment).

The Bara judgment serves as a reminder that any decision by public bodies to share personal data bodies should not be taken lightly, and only the minimum amount of personal data should be shared. It shows the importance of public bodies informing individuals as to how their personal data is used, for what purpose, and who has access to it.Continue Reading DPC publishes guidance on data sharing in the public sector