Cyber Risk & Data Privacy

Subscribe to Cyber Risk & Data Privacy via RSS

The European Commission has today adopted the Privacy Shield.  The Privacy Shield is intended to provide a framework for EU-US data transfers.

What is the Privacy Shield?

European data protection law restricts the transfer of personal data outside the European Economic Area (EEA) unless the country to which the data is transferred ensures an adequate level of data protection. The Privacy Shield is a mechanism for overcoming this restriction and legitimising the transfer of personal data to some US companies.

Why do we need the Privacy Shield?

Until 6 October 2015, over 4,000 US companies relied on the Safe Harbour regime to legitimise the transfer of personal data to the US.  The Safe Harbour regime was declared invalid by the Court of Justice of the EU (CJEU) on 6 October 2015.  The Privacy Shield will replace the Safe Harbour regime.

After the CJEU’s ruling many US companies turned to the Model Contractual Clauses to legitimise their transatlantic data transfers.  The approval of the Privacy Shield will be welcomed by multinational companies, particularly as the Irish Data Protection Commissioner recently sought a referral to the CJEU to determine the legal status of data transfers under Model Contractual Clauses. However, Model Contractual Clauses remain a valid method of transatlantic transfer unless declared invalid by the CJEU, which may not be determined for up to another two years.Continue Reading European Commission Adopts Privacy Shield

On 8 July 2016, Member State representatives (the Article 31 Committee) approved the final version of the EU-U.S. Privacy Shield, to permit transatlantic transfers of personal data from the EU to the U.S.  The Privacy Shield will replace the invalid Safe Harbour Agreement, to ensure high standards of data protection for transatlantic transfers of data for commercial purposes. Continue Reading Member States approve Privacy Shield

Under Section 26 of the Data Protection Acts 1988 and 2003, an appeal before the courts is provided for against a decision of the Data Protection Commissioner in relation to a complaint under Section 10(1)(a) of the Acts. The scope and applicable review standard for such an appeal was one of two key issues which came before the Supreme Court in the recent case of Nowak v. The Data Protection Commissioner (Judgment of O’Donnell J delivered on 28th April 2016).Continue Reading Nowak v. The Data Protection Commissioner: Data subjects’ right of appeal and testing the boundaries of “personal data”

The European Commission has launched a public consultation on the current text of the ePrivacy Directive 2002/58/EC as well as the possible changes to the existing legal framework to make sure it is up to date with the new challenges of the digital age. The e-Privacy Directive sets out specific data protection rules for the electronic communications sector.


Interested parties, who wish to participate in the consultation process, have until 5 July 2016 to submit responses to the Commission’s online questionnaire.  The Commission will use the feedback from the consultation to prepare a new legislative proposal on ePrivacy, which is expected by the end of 2016. The type of legal instrument to be used in case of a revision may well follow the GDPR approach, taking the form of Regulation rather than a Directive, to avoid inconsistent application of the new rules at national level.Continue Reading Review of e-Privacy Directive

After four years of negotiation, the EU General Data Protection Regulation (GDPR) has finally been agreed.  It was given final approval by the European Parliament this morning, Thursday 14 April 2016.  The GDPR will replace existing EU and national data protection legislation.  Companies have a two year transitionary period to comply with the GDPR, which come into force in Spring 2018.

The Law Enforcement Data Protection Directive (LEPD Directive), which allows for smoother exchange of information between Member States’ police and judicial authorities, has also been approved.  It is aimed at improving co-operation in the fight against terrorism and other serious crime across the EU.  Continue Reading EU GDPR is finally agreed

The Article 29 Working Party (WP29) held a Press Conference today, Wednesday 13 April 2016, welcoming the improvements brought by the Privacy Shield compared to the Safe Harbour decision, but calling for further improvements to ensure the protection offered by the Shield is essentially equivalent to that offered in the EU. 

The WP29 has strong concerns, in particular, with regard to the possibility of bulk collection of personal data originating from the EU, and insufficient guarantees concerning the independence of the Ombudsperson.Continue Reading Article 29 Working Party demands improvements to Privacy Shield

The Office of the Data Protection Commissioner (ODPC) has contacted Dublin City Council in relation to its data protection concerns surrounding the City Council’s new anti-litter poster initiative. As part of the initiative the City Council had erected a billboard in the north inner city featuring CCTV images of 12 people who appear to be engaging in illegal dumping around the Amiens Street-Five Lamps area. Although the faces were slightly blurred due to the quality of the CCTV footage, the City Council stated that the people would be able to identify themselves from the images, as most likely
Continue Reading ODPC contacts Dublin City Council regarding anti-litter posters

The new EU General Data Protection Regulation (GDPR) and the Law Enforcement Data Protection Directive (LEDP Directive) are expected to be finalised by the European Parliament tomorrow, Thursday 14 April 2016.

The new data protection laws were approved by the European Council on 8 April 2016.  Earlier this week, the LIBE committee also voted to approve the laws. The European Parliament is expected to formally adopt the GDPR and LEPD Directive on Thursday 14 April 2016.  Once adopted, the texts will be published in the Official Journal.  Businesses will then have a two year transitionary period to comply

Continue Reading Finalisation of EU GDPR imminent

The Administrative Court of Hamburg recently overturned an order of the Hamburg Data Protection Authority (DPA) against Facebook.  The Court held that Irish, not German, data protection law was applicable, despite the existence of an office of Facebook in Germany.


The background

A woman complained to the Hamburg DPA after Facebook blocked her account for using a pseudonym, requested a copy of some identification and unilaterally changed her username to her real name. The Hamburg DPA found that Facebook could not unilaterally change users’ chosen usernames to their real names, nor ask them for official identification, as German data protection law provides a right to a pseudonymous online profile.  

Overturning the DPA’s decision, the Hamburg Court found that the business operations of Facebook Ireland and Facebook Germany constitute an "establishment" within the meaning of Article 4 (1)(a) of the Data Protection Directive 95/46/EC (the Directive).  However, it held that if several national data protection laws might apply due to the fact that the data controller is established in several Member States, then it is the law of the EU member state which the disputed data processing is most closely associated with which is to be applied.  According to the Hamburg Court, that was Facebook Ireland in this case, where Facebook has its European Headquarters. The Hamburg Court refused to apply a broad interpretation of the "establishment" test in Article 4(1)(a) of the Directive.  It distinguished the CJEU’s judgment in Google Spain on the basis that the controller (Facebook) was established in an EU Member State, so that there was no risk that natural persons affected by the contested data processing operation would be deprived of the protection offered by the Directive.Continue Reading Territorial scope of Data Protection Directive under the microscope again