The Irish Data Protection Commission (“DPC”), having last month released its annual report (see our blog post here), has now also issued two additional reports detailing statistics on its handling of cross-border cases (see here) and a recently completed Resource Allocation Audit conducted by independent consultants (see here).  Each is important in its own right for the reputation and development of this regulator, the lead EU supervisory authority for many of the large technology companies.

Continue Reading Irish DPC Reports on Cross-Border Activity and Resources

One of every five people (20.5%) in Ireland are children under the age of 14.  This constitutes the highest proportion of children in the EU, where the average was 15.2% in 2019.  Ireland’s proportion of young people under the age of 30 is also the highest in the EU, at 39%.  It’s an influential figure for Irish policy makers and regulators, who have strengthened their approach to protection of children’s personal data in recent years.  This greater emphasis on children’s rights is due to a number of additional intersecting dynamics including EU law, child abuse scandals, a rise in cyberbullying, and a growing consensus that children face heightened digital risks.  These dynamics have also informed the planned establishment of an Online Safety Commissioner, currently advancing as part of the Online Safety and Media Regulation Bill just published and currently receiving strong media attention.

Together with the Irish DPC role as lead regulator for many leading technology and social media companies, these legal and cultural headwinds provide the context within which the DPC aims to develop strong child data protection standards.

Introduction

Following extensive public consultation, with experts as well as school children, the DPC has issued comprehensive guidance on the processing of children’s data.  Entitled “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing,” the guidance sets out 14 principles (referred to as “the Fundamentals”) for organizations engaged in processing the personal data of children.

In addition to the usual GDPR expectations, the specific Fundamentals also include:

  • Zero interference with a child’s best interests, where organizations rely on legitimate interests as their legal basis for processing;
  • “Know your customer” requirements focusing on child-oriented transparency; and
  • Specific guidance around age verification and consent

The overall aim of the Fundamentals, in protecting the best interests of children, is to at least set a default floor of high standardised protection for all data subjects where children may form part of a mixed user audience.

Continue Reading Irish DPC Publishes Guidance On Processing Children’s Personal Data

On Jul 22, 2021, the Irish Joint Committee on Justice (“Committee“) published a report that included a series of recommendations on the work of the Irish Data Protection Commission (“DPC“).  The Committee, made up of 14 politicians from across the political spectrum and drawn from both the Dáil (the elected first house) and Seanad (the senate), issued this report following a public hearing held on April 27, 2021 (see our prior blog post here).  The recommendations in the report address, among other things, concerns raised about the Irish DPC’s oversight and enforcement of the EU General Data Protection Regulation (“GDPR“).

Continue Reading Ireland’s Joint Committee on Justice Publishes Recommendations to Reform the Irish Data Protection Commission

The new standard contractual clauses (“SCCs“) issued by the European Commission (see our prior blog post here) continue to prove controversial.  Among other things, the SCCs require that the law of the European Union (“EU“) Member State underpinning them provides third-party beneficiary rights.  Most EU Member States are civil law jurisdictions that already provide such rights.  Ireland, however, is a common law jurisdiction like the U.S. and the UK, and as such, depends largely on evolving case law to define the scope of various rights and obligations.
Continue Reading New Standard Contractual Clauses Raise Questions Under Irish Law

On May 20, 2021, there was a major ransomware attack on the Irish health system.  The centralized HSE (Health Service Executive), which provides and manages healthcare for the Irish population, was targeted on May 14 and has seen significant disruption since.  It has described the attack as a ‘zero-day threat with a brand new variant of the Conti ransomware.’


Continue Reading Major Cyber-attack on Irish Health System Causes Commercial Concern

Earlier this year, in the run-up to the General Data Protection Regulation’s (“GDPR”) May 25, 2018 date of application, a major question for stakeholders was how zealously the GDPR would be enforced.  Now, as the GDPR approaches its six-month birthday, an answer to that question is rapidly emerging.  Enforcement appears to be ramping up significantly. 

As we approach the May 2018 effective date of the EU General Data Protection Regulation (“GDPR”), there have been a number of global developments over the last few months with respect to the so-called “right to be forgotten,” which will be codified under Article 17 of the GDPR.

European Developments

In the EU, we previously reported on a Court of Justice of the EU (“CJEU”) decision that limits the right to be forgotten with respect to public records.  And in February, A French high administrative court raised several questions to the CJEU relating to the right to be forgotten in light of the Google v. Costeja Gonzalez decision.  The questions address whether and in what circumstances search engines must delist links to websites in response to requests from data subjects, and arose in the context of a pending dispute between Google and CNIL, the French data protection authority.

A decision by a Circuit Court in Ireland recognized the right of a former election candidate to request the removal of information posted about him on Reddit under the right to be forgotten.  And the UK recently solicited views on its own implementation of the GDPR, including input regarding the interplay between the right to be forgotten and freedom of expression in the media.
Continue Reading Developments in the Right to Be Forgotten

By Denitsa Marinova

On April 11, 2017, the Data Protection Commissioner of Ireland (DPC) published her annual report for 2016, highlighting key developments and activities for the past year and outlining priorities for 2017 and beyond.  The report will be of interest to Irish entities and multinational organizations with a base in Ireland, including companies active in the technology and healthcare sectors.

In 2016, the DPC investigated a record number of complaints (1,479 in total, the majority involving data access requests); received 2,224 notifications of valid data security breaches (a decrease from 2015); carried out over 50 privacy audits and inspections; acted as lead reviewer in seven Binding Corporate Rules (BCR) applications; and held over 100 face-to-face meetings with multinational companies.
Continue Reading Irish Data Protection Commissioner Releases 2016 Annual Report

The Data Protection Commissioner Billy Hawkes has signed a memorandum of understanding (MOU) with the Chairwoman of the U.S. Federal Trade Commission (FTC), Edith Ramirez.  The MOU is a statement of cooperation between the two agencies in their efforts to protect consumer privacy.  It includes provisions calling for cooperation in relation to enforcement of relevant