The Office of the Data Protection Commissioner is to get a €1.2m increase in funding for 2016. Minister for European Affairs and Data Protection, Dara Murphy announced the measure, under Budget 2016, and said that the increased resources are bring provided to "ensure that Ireland continues to have an excellent regulatory and enforcement regime for data protection, and that we are fully equipped to adapt to the ever-increasing pace of change in the digital economy".Continue Reading Government announces €1.2m increase in funding for the Office of the Data Protection Commissioner

As has been reported widely in the world media, the Court of Justice of the European Union (CJEU) this week declared the EU-US Safe Harbour regime to be invalid. The decision has understandably given rise to a lot of concern among European businesses that transfer data to the US.

In this blog post, we seek to answer the main questions that are being asked following the CJEU ruling. Continue Reading Data in Disarray: The Aftermath of the Safe Harbour Decision

The Court of Justice of the European Union (CJEU) has today declared that the Commission Decision 2000/520/EC (the Safe Harbour Decision) is invalid. This means that companies can no longer rely on Safe Harbour certification in order to legitimise the transfer of personal data from the EU to the US. Impacted companies will need to put alternative arrangements in place immediately to legitimise their transfers of personal data to the US, such as the Model Contractual Clauses or Binding Corporate Rules (BCRs).

The decision also means that the Data Protection Commissioner (the DPC) must now examine Mr Schrems’ complaint and decide whether, pursuant to the Data Protection Directive 95/46/EC, transfer of the data of Facebook’s European subscribers to the US should be suspended on the ground that that country does not afford an adequate level of protection of personal data. Continue Reading CJEU declares Safe Harbour invalid

The Advocate General, Yves Bot, of the Court of Justice of the European Union (CJEU) last week delivered his opinion in the Maximillian Schrems v Data Protection Commissioner Case, C362/14 (the Opinion). The Opinion, which is advisory in nature, recommends that the Safe Harbour programme be invalidated and that the Irish Data Protection Commissioner (the DPC) be empowered to carry out a full investigation as to the adequacy of protection afforded to the personal data of Facebook’s EU users. Continue Reading Safe Harbour in Danger?

The Office of the Data Protection Commissioner (ODPC) participated in the third Global Privacy Enforcement Network (GPEN) Privacy “Sweep” (the Sweep) which took place between 11th and 15th May 2015. The aim of the Sweep was to examine the data privacy practices of websites and apps aimed at or popular among children.Continue Reading GPEN Privacy Sweep 2015 raises Concerns over Children’s Apps

On 14 September 2015, Minister of State for International Financial Services Simon Harris TD launched the FPAI, a new trade association founded to further the interests of stakeholders involved in the rapidly evolving Irish FinTech sector.  

FinTech (financial technology) is the term used to describe any technology applied to financial services. Across the broad spectrum of FinTech products available, everyday examples include mobile banking, peer to peer lending, digital currency (e.g. Bitcoin), crowdfunding (e.g. Kickstarter) and online payments systems (e.g. Stripe). Continue Reading Minister for International Financial Services launches FinTech and Payments Association of Ireland (FPAI)

European Union negotiations with the US government for an international data protection framework agreement in the law enforcement area have been finalised. The "Umbrella Agreement" provides that personal data transferred between EU and US law enforcement authorities, such as names, addresses, and criminal records, can only be shared for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism. It must not be used for further incompatible purposes. In cases where a US authority intends to transfer the data further, to a third country or international organisation, it will first have to obtain the consent of the law enforcement authority in the EU which originally transferred the data to the US.Continue Reading EU-US Umbrella Agreement finalised

The Irish High Court has issued a significant decision in Aldi Stores (Ireland) Limited & anor v- Dunnes Stores (No.2) [2015] IEHC 551holding that a plaintiff is entitled as of right to an injunction where a trade mark is infringed in the course of a comparative advertising campaign even where the advertising campaign in question has ended. The defendant has indicated that it will be appealing the finding of liability made by the court. Continue Reading High Court grants injunction prohibiting further trade mark infringement in relation to advertising campaign which has ended.

The Irish Patents Office has recently published its Annual Report for 2014 setting out trends, objectivities, activities throughout 2014 and what can be expected in 2015. The Annual Report sets out how the Irish Patent Office has discharged of its statutory functions under the Patents Act 1992 (as amended), the Trade Marks Acts 1996 (as amended), the Industrial Designs Act 2001 and the various statutory rules and regulations made under these Acts. A summary of the key findings are set out below.Continue Reading Irish Patents Office Annual Report 2014

The High Court, in In the Matter for Mount Carmel Medical Group (South Dublin) Ltd (In Liquidation) [2015] IEHC 450 considered the issue of who is a data controller under data protection law in respect of data held by a company in liquidation. 

The Court refused to grant the declarations sought by the liquidators of Mount Carmel Hospital, that the statutory role of data controller was transferred to St. James Hospital (SJH) along with transfer of the patient’s records to SJH, and that the liquidators could have access to the patient data insofar as necessary for the purposes of the liquidation. 

Keane J. held that there was "a clear danger of overlapping and unworkable jurisdictions" if he granted the declarations sought, as it would deprive data subjects of any meaningful right in the future to complain to the Data Protection Commissioner (the DPC) about any data processing activities carried out by Mount Carmel Hospital. 

The decision shows that in the event of a dispute arising as to who is the data controller of records under a contract,  the courts will give limited weight to any contractual provisions designing a particular party as data controller, and will instead focus on who, in fact, exercises control over the personal data concerned.  Continue Reading Court refuses to grant declaration as to identity of the data controller