On March 7, 2023, the Irish Data Protection Commission (“DPC”) published its annual report for 2022. The report reflects the DPC’s reputation as both an active enforcer of the General Data Protection Regulation (“GDPR”) and a contributor to policy development at national and EU levels. The level of interaction between the DPC and the European Data Protection Board (“EDPB”) is particularly significant with more than 300 meetings reported for 2022 (averaging at more than 25 per month), many of which involved participation in the EDPB’s expert subgroups.
Marie Daly brings a broad range of commercial and regulatory expertise across a variety of business sectors. She is recognised as being a practical, straightforward, and commercially focussed lawyer, with a proven capacity to influence at all levels within business and to contribute to policy and legislative development.
With a background as a litigator, employment lawyer, and lobbyist, Marie served as the general counsel of Ibec, the largest Irish lobby and business representative group, for over 16 years before joining the firm. She was responsible for ensuring competition compliance for 38 trade associations and also developed a data protection compliance regime in recent years.
Marie has significant corporate governance experience in the private and public sector having also served as a Board member of two Irish regulators.
Marie is a member of the Irish Company Law Review Group appointed by the Minister of Business Enterprise and Innovation, and was deeply involved in the drafting of the comprehensive new Companies Act 2014.
The leadership of Ireland’s Data Protection Commission (“DPC”) is to be expanded to a three-person Commission, with the current Commissioner taking the lead role as Chair. The Irish Minister for Justice announced the decision on July 27, 2022, along with the Government’s decision to undertake a review of its governance structures, staffing arrangements and processes for the newly modeled Commission.…
On May 25, 2022, the Irish Data Protection Commission (“DPC”) issued 3 short guides for children, with the objective of raising awareness among adolescents about data protection and their privacy rights, as well as serving as a resource “for parents, educators and anyone [else] interested in children’s safety and wellbeing online”. The 3 guides…
Nine million texts are sent daily in Ireland, a huge increase on when the first text was sent in 1992. All are subject to the data retention and access regime currently in place under the Communications (Retention of Data) Act 2011. That regime has now been given the kiss of death by the Court of Justice of the European Union (“CJEU”) in its recent decision on a referral by the Irish Supreme Court dealing with the validity of electronic communications evidence collected under it.
The legislation, brought in to transpose EU Directive 2006/24, regulates the retention of data by electronic communications providers and access to that data by state authorities.…
The Irish Data Protection Commission (“DPC”), having last month released its annual report (see our blog post here), has now also issued two additional reports detailing statistics on its handling of cross-border cases (see here) and a recently completed Resource Allocation Audit conducted by independent consultants (see here). Each is important in its own right for the reputation and development of this regulator, the lead EU supervisory authority for many of the large technology companies.
On February 24, 2022, the Irish Data Protection Commission (“DPC”) published its 2021 annual report setting out its activities and outcomes for last year (see press release here and the full report here). At 120 pages long, it is detailed and specific, and in places, comes with a targeted and reflective commentary. Overall, it provides readers with useful insights into the work of a supervisory authority at the forefront of Europe’s data protection whirlwinds.
The Irish Data Protection Commission has announced its Strategy for 2022-2027, highlighting 5 strategic goals:
- (1) “consistent and effective” regulation;
- (2) promoting data protection awareness;
- (3) protecting children;
- (4) providing clarity for stakeholders; and
- (5) supporting organisational compliance.
The strategy is based on a risk-based approach to regulation which, according to the DPC, “resonated with the majority of commentators” to the public consultation the Commission conducted as it developed its new 5-year strategy.
One of every five people (20.5%) in Ireland are children under the age of 14. This constitutes the highest proportion of children in the EU, where the average was 15.2% in 2019. Ireland’s proportion of young people under the age of 30 is also the highest in the EU, at 39%. It’s an influential figure for Irish policy makers and regulators, who have strengthened their approach to protection of children’s personal data in recent years. This greater emphasis on children’s rights is due to a number of additional intersecting dynamics including EU law, child abuse scandals, a rise in cyberbullying, and a growing consensus that children face heightened digital risks. These dynamics have also informed the planned establishment of an Online Safety Commissioner, currently advancing as part of the Online Safety and Media Regulation Bill just published and currently receiving strong media attention.
Together with the Irish DPC role as lead regulator for many leading technology and social media companies, these legal and cultural headwinds provide the context within which the DPC aims to develop strong child data protection standards.
Following extensive public consultation, with experts as well as school children, the DPC has issued comprehensive guidance on the processing of children’s data. Entitled “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing,” the guidance sets out 14 principles (referred to as “the Fundamentals”) for organizations engaged in processing the personal data of children.
In addition to the usual GDPR expectations, the specific Fundamentals also include:
- Zero interference with a child’s best interests, where organizations rely on legitimate interests as their legal basis for processing;
- “Know your customer” requirements focusing on child-oriented transparency; and
- Specific guidance around age verification and consent.
The overall aim of the Fundamentals, in protecting the best interests of children, is to at least set a default floor of high standardised protection for all data subjects where children may form part of a mixed user audience.…
On November 18, 2021, the Advocate General of the Court of Justice of the European Union (“CJEU”) issued an opinion on several data retention cases before the Court, following a long line of CJEU jurisprudence on this topic.
To give context to the issues considered in these cases, Europe’s experience of totalitarian regimes in the last century has shaped its approach to privacy rights. This is evident in the GDPR and in the decisions of the CJEU to date. But there remain tensions that are complex and difficult to deal with in this area — notably, the tension between individual rights to privacy and data protection on one hand, and the duty of the State to protect its population against security threats and crime on the other. These tensions do not marry easily, as surveillance of personal electronic communications is increasingly demanded to detect and deal with crime and terrorism.…
On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (available here). The draft guidelines are currently subject to a public consultation period that ends on January 31, 2022; interested stakeholders can submit their feedback here.
In this blog post, we provide a brief background on the issues addressed in the draft guidelines, and summarize the key takeaways.…