On 1 October, the Court of Justice of the European Union (CJEU) handed down its judgement in the Weltimmo case (Case C‑230/14), a decision which could have important ramifications for the data protection obligations of companies operating across multiple EU member states. The CJEU effectively held that where a company has a representative in a country and operates services directed at that country, the company can be held accountable by that country’s data protection authority despite not being formally established in that country.Continue Reading CJEU publish important decision on territorial application of data protection law

Recent high profile security incidents illustrate that no institution or business is immune from cyber attack. A cyber attack on the White House in 2014 resulted in a partial shutdown of its email system. In a reported attempt to extort money from the ECB, email addresses and other user contact information were stolen in 2014. Confidential movie scripts and emails about staff and movie stars were released as part of the 2014 Sony hack. Already this year, the Carphone Warehouse security breach in early August and the more recent Ashley Madison hack have received extensive media coverage.

Continue Reading Cyber risk – the legal landscape

“The next big financial shock will arise from a succession of cyber-attacks on financial services firms.” 

This is the case according to the Chairman of the International Organisation of Securities Commission as cited by the Central Bank of Ireland’s Deputy Governor, Cyril Roux, during a recent address to the Society of Actuaries.

Continue Reading Cyber Security – The Next Big Financial Shock

Model Contracts are standard contractual clauses for the transfer of personal data outside the EU/EEA which have been approved by the European Commission.  They have been approved on the basis that they provide sufficient safeguards for privacy, fundamental rights and the exercise of those rights.  To date two sets of standard contractual clauses for the transfer of personal data outside the EU/EEA from data controllers to data controllers and one set for transfers from data controllers to data processors have been approved by the Commission.Continue Reading Transfer Tools Post Schrems: EU Data Protection Authorities’ Common Position on Model Contacts

The Office of the Data Protection Commissioner is to get a €1.2m increase in funding for 2016. Minister for European Affairs and Data Protection, Dara Murphy announced the measure, under Budget 2016, and said that the increased resources are bring provided to "ensure that Ireland continues to have an excellent regulatory and enforcement regime for data protection, and that we are fully equipped to adapt to the ever-increasing pace of change in the digital economy".Continue Reading Government announces €1.2m increase in funding for the Office of the Data Protection Commissioner

As has been reported widely in the world media, the Court of Justice of the European Union (CJEU) this week declared the EU-US Safe Harbour regime to be invalid. The decision has understandably given rise to a lot of concern among European businesses that transfer data to the US.

In this blog post, we seek to answer the main questions that are being asked following the CJEU ruling. Continue Reading Data in Disarray: The Aftermath of the Safe Harbour Decision

The Court of Justice of the European Union (CJEU) has today declared that the Commission Decision 2000/520/EC (the Safe Harbour Decision) is invalid. This means that companies can no longer rely on Safe Harbour certification in order to legitimise the transfer of personal data from the EU to the US. Impacted companies will need to put alternative arrangements in place immediately to legitimise their transfers of personal data to the US, such as the Model Contractual Clauses or Binding Corporate Rules (BCRs).

The decision also means that the Data Protection Commissioner (the DPC) must now examine Mr Schrems’ complaint and decide whether, pursuant to the Data Protection Directive 95/46/EC, transfer of the data of Facebook’s European subscribers to the US should be suspended on the ground that that country does not afford an adequate level of protection of personal data. Continue Reading CJEU declares Safe Harbour invalid

The Advocate General, Yves Bot, of the Court of Justice of the European Union (CJEU) last week delivered his opinion in the Maximillian Schrems v Data Protection Commissioner Case, C362/14 (the Opinion). The Opinion, which is advisory in nature, recommends that the Safe Harbour programme be invalidated and that the Irish Data Protection Commissioner (the DPC) be empowered to carry out a full investigation as to the adequacy of protection afforded to the personal data of Facebook’s EU users. Continue Reading Safe Harbour in Danger?

The Office of the Data Protection Commissioner (ODPC) participated in the third Global Privacy Enforcement Network (GPEN) Privacy “Sweep” (the Sweep) which took place between 11th and 15th May 2015. The aim of the Sweep was to examine the data privacy practices of websites and apps aimed at or popular among children.Continue Reading GPEN Privacy Sweep 2015 raises Concerns over Children’s Apps

On 14 September 2015, Minister of State for International Financial Services Simon Harris TD launched the FPAI, a new trade association founded to further the interests of stakeholders involved in the rapidly evolving Irish FinTech sector.  

FinTech (financial technology) is the term used to describe any technology applied to financial services. Across the broad spectrum of FinTech products available, everyday examples include mobile banking, peer to peer lending, digital currency (e.g. Bitcoin), crowdfunding (e.g. Kickstarter) and online payments systems (e.g. Stripe). Continue Reading Minister for International Financial Services launches FinTech and Payments Association of Ireland (FPAI)