Cyber Risk & Data Privacy

Subscribe to Cyber Risk & Data Privacy via RSS

The Article 29 Working Party (WP29), an independent European advisory on data protection and privacy, has published a statement in which it welcomes the ruling of the CJEU, of 8 April 2014, which invalidates the Data Retention Directive (2006/24/EC).  The CJEU found that the Directive entails a wide-ranging and particularly serious interference with the fundamental rights to privacy and to the protection of personal data, and fails to sufficiently circumscribe such interference to ensure that it is limited to what is strictly necessary for the purpose of fighting serious crime, thereby leaving it too open for Member States

Continue Reading Working Party publishes statement on CJEU ruling which invalidates Data Retention Directive

The CJEU in Joined Cases C-141/12 and C-372/12 has clarified the scope of a data subject’s right of access to a copy of their personal data. The CJEU’s ruling may serve to lighten the burden of access requests on organisations. It confirms that the Data Protection Directive 1995 (the Directive) does not establish a right of access to any specific document or file in which personal data are listed or used, nor does it specify the material form in which personal data must be made accessible. Member States enjoy a margin of discretion to determine the form in which to make personal data accessible, so long as it is intelligible. Accordingly, the CJEU found that the Dutch authorities, in this case, had met their legal obligations under data protection law by extracting from the relevant documents the personal data relating to the data subject.Continue Reading CJEU clarifies scope of right of access to personal data

The High Court, in Schrems v Data Protection Commissioner, 18 June 2014, has referred questions arising to the Court of Justice of the European Union (the CJEU). Judge Hogan has adjourned the High Court proceedings pending the reference to the CJEU. 

The Judge is asking the CJEU to examine two questions:

(1) Whether, as a matter of EU law, the Data Protection Commissioner (the DPC) is absolutely bound by the finding of the European Commission as manifested in Decision 2000/250/EC (i.e. that the Safe Harbour regime provides adequate protection for personal data), having regard to the subsequent entry into force of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (which provide, respectively, for the right to respect for private and family life, and to protection of personal data) notwithstanding the provisions of Article 25(6) of the Data Protection Directive?


(2) Or alternatively, whether the DPC may conduct his own investigation of the matter in light of the factual developments since that Commission Decision was first published (i.e. the Snowden revelations that data and communications were being intercepted by the NSA on a global scale).


The case is due to be mentioned in the High Court in two weeks before the matter is sent to the CJEU.Continue Reading Irish High Court refers Facebook Privacy case to European Court

Domino’s Pizza has suffered a security breach by a group of online professional hackers who accessed the online databases and servers of Domino’s Pizza customers in France and Belgium. The hackers claim to have downloaded over 600,000 customer’s records (592,000 relating to French customers and 58,000 relating to Belgian customers) which include names, addresses, phone numbers, passwords, delivery instructions and even favourite toppings.

In an unusual twist the hackers demanded a payment of €30,000 to be paid directly to them in exchange for the stolen information failing which they would publish the personal data online. The hackers posted further information and threats on a Twitter account that has since been suspended. Domino’s France released a statement on Twitter saying that although its data is encrypted, it has fallen victim to "professionals" who were able to "decode the cryptographic system for the passwords".Continue Reading Domino’s Pizza Data Exposure

Following the recent Court of Justice decision in the Costeja case, Google launched a service last Friday that will allow European data subjects to request the removal of search results for queries that include their name where those results are "inadequate, irrelevant, or no longer relevant, or excessive in relation to the purpose for which they were processed". The request form is available online.Continue Reading Google launches new European privacy removal tool

The EU’s Article 29 Working Party has adopted an Opinion on Anonymisation Techniques (Opinion 05/2014).  The Opinion analyses the effectiveness and limits of existing anonymisation techniques, and provides recommendations for use of these techniques in light of the residual risk of identification inherent in each of them.Continue Reading Working party publishes Opinion on Data Anonymisation Techniques

The Court of Justice of the European Union (CJEU) has ruled that the Data Retention Directive 2006/24/EC (Directive) is invalid.

The Irish High Court (in Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources & Ors C-293/12) and the Austrian Constitutional Court (in Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and others, C 594/12), asked the CJEU to examine the validity of the Directive.Continue Reading CJEU rules that the Data Retention Directive is invalid

Election candidates in the upcoming May local and European Parliament Elections have all recently received correspondence from the Data Protection Commissioner reminding them of their obligations with regards to communicating with the electorate.  Candidates were made aware that should any complaints be received by the office of the Data Protection Commissioner they will be investigated, with appropriate action taken.

Candidates and political parties must adhere to the clear statutory guidelines as set out the in the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, particularly in relation to the use of SMS, phone and e-mail in sending electoral messages. Continue Reading Restrictions on electronic direct marketing- politically correct?

The European Parliament has passed a resolution in response to the U.S. National Security Agency (NSA) surveillance scandal.  The resolution calls for the suspension of the U.S. – EU Safe Harbour Framework immediately, unless the U.S. satisfies the concerns of the EU Parliament.  

However, the Parliament’s resolution does not affect the validity of the Safe Harbour Framework. Only the Commission can renegotiate the Safe Harbour Framework. Last year, the Commission issued 13 recommendations to improve the functioning of the Safe Harbour scheme, and called upon U.S. authorities to remedy these issues by summer 2014 (see

Continue Reading Calls for Suspension of Safe Harbour