On 12 March 2014, the European Parliament voted in favour of the revised draft EU Data Protection Regulation.  To become law the proposed Regulation must be adopted by the EU Council using the "ordinary legislative procedure".  The EU Council is due to meet in June 2014.

Background

The proposed Regulation was originally presented by the European Commission on 25 January 2012.  It has been the subject of vigorous debate both in Brussels and across the EU, and has been subject to much re-drafting.

The Advocate General of the Court of Justice of the European Union (CJEU) has delivered an Opinion that the Data Retention Directive 2006/24/EC (Directive) is incompatible with the Charter of Fundamental Rights. However, the Advocate General proposed that the effects of the finding of invalidity should be suspended in order to enable the EU legislature to adopt, within a reasonable period, the measures necessary to remedy the invalidity found to exist.

The European Commission has published Communications on Rebuilding Trust in EU-US Data Flows and on the Functioning of Safe Harbor. The Communications were released as a result of deepening concerns following the allegations of widespread access by U.S. intelligence agencies to personal data.

The European Commission has called for action in six areas, including:

  1. Adoption of the EU’s draft Data Protection Regulation by Spring 2014;
  2. Improvement of the functioning of the Safe Harbour scheme (which provides a legal basis for the transfers of personal data from the EU to companies in the U.S. for commercial purposes);
  3. Swift conclusion of the current negotiations on the "umbrella agreement" for transfers and processing of data in the context of police and judicial co-operation;
  4. Use by the U.S. administration of the existing Mutual Legal Assistance and Sectoral agreements, whenever transfers of data are required for law enforcement purposes;
  5. Extension of the legal safeguards available to U.S. citizens to EU citizens, not resident in the U.S; and
  6. Accession by the U.S. to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (as it acceded to the 2001 Convention on Cybercrime).


The Office of the Data Protection Commissioner (the DPC) recently volunteered to participate in the Global Privacy Enforcement Network’s (GPEN) internet privacy sweep along with other privacy enforcement authorities in Australia, Canada, Estonia, Finland, France, Germany, Hong Kong, Macao, New Zealand, Norway, UK, & USA.

The privacy sweep carried out by the DPC entailed an audit of 79 organisations in an effort to assess their privacy practices, as outlined in the privacy policies on their websites or within their mobile applications.

On 25 August 2013, the new rules setting out the circumstances in which Telcos and ISPs need to report personal data breaches, and the information they must share in those reports, came into effect. The Regulation sets out specific rules for the notification of data security breaches under the e-Privacy Directive 2002/58/EC, which was transposed into Irish law by Statutory Instrument No. 336/2011.  See my earlier blog for more information on the Regulation.

A secure online form is available, on the Data Protection Commissioner’s website, for Telcos and ISPs to make the data security breach notification.

The Office of the Data Protection Commissioner has this week made informal contact with The National Maternity Hospital over a potential personal data security breach. An earlier media publication had reported that the hospital has carried out the first termination under the Protection of Life During Pregnancy Bill 2013.

The Data Protection Acts 1988 and 2003 impose obligations on all data controllers to process personal data entrusted to them in a manner that respects the rights of data subjects. Where personal data has been put at risk of unauthorised disclosure, loss, destruction or alteration, data controllers must give immediate consideration to informing those who have been affected.

The Supreme Court, in EMI Records (Ireland) Ltd & Ors v Data Protection Commissioner and Eircom Ltd [2013] IESC 34, 3 July 2013, has confirmed that an Enforcement Notice issued by the Data Protection Commissioner (DPC) will be invalid if reasons are not given for it.  The decision also shows when judicial review, rather than statutory appeal, of a decision of the DPC may be permissible.

The Facts

The applicants, music record companies, had brought earlier proceedings against Eircom (the notice party), arising out of alleged unauthorised and unlawful sharing of copyright material facilitated by internet services provided by Eircom. Those proceedings were settled, but the DPC claimed that implementation of the settlement agreement might breach data protection law. The parties to the settlement applied to the court for a ruling on the consistency of the settlement with data protection law, in which the DPC declined to participate. The High Court ruled that implementation of the settlement would not be in breach of any relevant law.

On 26 June 2013, a new Commission Regulation on what precisely telecommunications operators (telcos) and Internet Service Providers (ISPs) should do if their customers’ personal data is lost, stolen or otherwise compromised was published in the Official Journal of the EU. The purpose of the new rules is to ensure that businesses operating in more than one EU country can take a pan-EU approach in the event of a data breach.

Since 2011, telcos and ISPs have had a mandatory obligation under the e-Privacy Regulations 2011 (S.I. 336/2011) to notify national data protection authorities, and any individuals adversely affected, about breaches of personal data. However, the 2011 Regulations do not prescribe specific timeframes for breach notification.

The Data Protection Commissioner (the DPC) has published his Annual Report for 2012. On launching his report the DPC highlighted, in particular, his concerns over the issue of sharing personal data in the public sector.  

Whilst the DPC accepted the benefits of such data sharing in terms of efficient delivery of public services, he stated that such data sharing must be done in a manner that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason. The Report includes a special report on an investigation of data sharing through the INFOSYS system provided by the Department of Social Protection, which revealed significant failures to comply with the Data Protection Acts 1988 and 2003 (the Acts).