On May 20, 2021, there was a major ransomware attack on the Irish health system.  The centralized HSE (Health Service Executive), which provides and manages healthcare for the Irish population, was targeted on May 14 and has seen significant disruption since.  It has described the attack as a ‘zero-day threat with a brand new variant of the Conti ransomware.’


Continue Reading Major Cyber-attack on Irish Health System Causes Commercial Concern

On April 27, 2021, the Irish Oireachtas Committee on Justice met in Dublin to consider recent written submissions received criticising the Irish Data Protection Commission (DPC).  The meeting was divided into two hour-long meetings with the first meeting devoted to the criticisms of Max Schrems, the Austrian privacy campaigner, and Fred Logue, an Irish data protection lawyer.  The second meeting, the longer of the two, heard from Helen Dixon, the Data Protection Commissioner, and the Irish Council of Civil Liberties.

Ten politicians, including the Chair (a lawyer with data law experience), questioned each of the invitees on what was a limited agenda.  Each participant was limited to a five minute opening statement after which member politicians attending queried them.  Discussion of ongoing cases was not permitted.

The Committee scheduled Mr. Schrems and Ms. Dixon on separate panels, presumably to avoid a repeat of Ms. Dixon’s objection to the previous invitation from the European Parliament’s LIBE Committee proposing to hear from both together at the same hearing.  Each in turn were the key participants in their panel discussions.  Mr. Schrems repeated criticisms he has made previously and Ms. Dixon gave a strong defence of her office.
Continue Reading Irish Parliamentary Committee Hearing Discusses Criticism of the Irish DPC

On February 18, 2021, the District Court of Berlin overturned a €14.5 million fine that had been imposed on German real estate company Deutsche Wohnen SE.  The Court held that the fine – which was issued by the Berlin Supervisory Authority (“SA”) and had been the second highest fine in Germany so far under the EU General Data Protection Regulation (“GDPR”) – failed to satisfy certain rules under German law, and therefore was invalid.

This case raises important questions on the interplay between the GDPR and German law regarding the attribution of regulatory offenses to a company.  In this blog post, we consider this topic in greater depth and how it may eventually be resolved in court.


Continue Reading German Court Overturns GDPR Fine, Raises Legal Questions About Fines Against Companies

On February 19, 2021, the European Commission published two draft decisions finding that UK law provides an adequate level of protection for personal data.  The first would allow private companies in the EU to continue to transfer personal data to the UK without the need for any additional safeguards (e.g., the Commission’s standard contractual clauses), while the second would allow EU law enforcement agencies to transfers personal data subject to Directive 2016/680 — the Data Protection and Law Enforcement Directive (LED) — to their UK counterparts.

Continue Reading European Commission Publishes Draft UK Adequacy Decisions

In January 2021, the French Supervisory Authority (“CNIL”) published a summary report of contributions it received in response to a public consultation and survey on the digital rights of minors launched in April 2020 (see the press release here and a summary report here, both in French).  Stakeholders who responded to the consultation included companies, professionals dedicated to the legal and educational issues related to children, parents and minors.

Continue Reading French Supervisory Authority Publishes Results of Public Consultation on the Digital Rights of Minors

In February 2021, the European Commission (“Commission”) released a report on European Union (“EU”) Member States’ laws governing the processing of health data.  The report discusses three general types of health data uses:

  • primary use for health care services;
  • secondary use for public health purposes; and
  • secondary use for scientific research purposes.

For each of these general purposes, the report assesses real-world use cases.  For example, for health care services, the report considers e-health applications, among others.  For public health purposes, the report considers pharmacovigilance and product approvals.  The section on scientific research purposes, meanwhile, considers issues such as research by public bodies, sharing of data with third-party researchers, and the use of genetic data.


Continue Reading European Commission Publishes Report on EU Member States’ Rules in Relation to Health Data

The EU’s ePrivacy Regulation, like the EU GDPR, has been highly anticipated since it was first proposed in 2017. What are the current developments and next steps in the process to enactment? What are some of the complicating factors of the proposed Regulation? Are there major differences between the initial proposal and where the text

On February 3, 2021, the Conference of the Supervisory Authorities (“SAs”) of Germany (known as the Datenschutzkonferenz or “DSK”) published minutes from its meetings held in November 2020 (available here, in German).  The minutes include discussions about how the German SAs plan to enforce the recent Schrems II ruling of the Court of Justice of the European Union (“CJEU”).  Notably, the Berlin SA (coordinator of the DSK’s Schrems II task force) sought consensus to ensure a joint enforcement approach.

Continue Reading German Supervisory Authorities Plan to Circulate Questionnaires on Personal Data Transfers in Wake of Schrems II Decision

On February 2, 2021, the European Data Protection Board (“Board”) responded to questions submitted by the European Commission (“Commission”) on the application of the General Data Protection Regulation (“GDPR”) to health research.  The Board also announced that it is currently working on guidelines on the processing of personal data for scientific research purposes, which it aims to publish in the course of 2021.

Continue Reading European Data Protection Board Answers Commission’s Questions on Health Research

On February 11, 2021, the European Commission launched a public consultation on its initiative to fight child sexual abuse online (the “Initiative”), which aims to impose obligations on online service providers to detect child sexual abuse online and to report it to public authorities. The consultation is part of the data collection activities announced in the Initiative’s inception impact assessment issued in December last year. The consultation runs until April 15, 2021, and the Commission intends to propose the necessary legislation by the end of the second quarter of 2021.

Continue Reading European Commission Launches Consultation on Initiative to Fight Child Sexual Abuse