Ireland

By Denitsa Marinova

On April 11, 2017, the Data Protection Commissioner of Ireland (DPC) published her annual report for 2016, highlighting key developments and activities for the past year and outlining priorities for 2017 and beyond.  The report will be of interest to Irish entities and multinational organizations with a base in Ireland, including companies active in the technology and healthcare sectors.

In 2016, the DPC investigated a record number of complaints (1,479 in total, the majority involving data access requests); received 2,224 notifications of valid data security breaches (a decrease from 2015); carried out over 50 privacy audits and inspections; acted as lead reviewer in seven Binding Corporate Rules (BCR) applications; and held over 100 face-to-face meetings with multinational companies.
Continue Reading Irish Data Protection Commissioner Releases 2016 Annual Report

The Data Protection Commissioner Billy Hawkes has signed a memorandum of understanding (MOU) with the Chairwoman of the U.S. Federal Trade Commission (FTC), Edith Ramirez.  The MOU is a statement of cooperation between the two agencies in their efforts to protect consumer privacy.  It includes provisions calling for cooperation in relation to enforcement of relevant

According to recent press reports, the Irish Presidency has prepared a note to report to the Council of the EU on the progress achieved on the European Commission’s legislative proposal for a General Data Protection Regulation. Ireland holds the Presidency of the Council of the EU in the first half of 2013 and has already devoted ten working days to this file in the first six weeks of its term. The Council of the EU is the EU institution representing the 27 EU Member States’ government representatives. Both the European Parliament and the Council must endorse the proposal for it to be adopted.

The risk-based approach

The Council has finalised its first examination of the entire proposal and, following instructions by the Council at the end of last year, the Irish Presidency has now commenced to inject a more risk-based approach into the draft Regulation by proposing amendments to particular provisions, in particular the provisions concerning the obligations on controllers and processors but also some provisions concerning the rights of data subjects. By doing so, the Irish Presidency has tried to address concerns raised by several Member States regarding the level of prescriptiveness of a number of the proposed obligations in the draft Regulation. Under the approach proposed by the Irish Presidency, the risk inherent in certain data processing operations should be a main criterion for balancing the data protection obligations. In other words, the lower the risks the less prescriptive the obligations, and the higher the risk the more detailed the obligations should be. The Irish Presidency’s note is also critical of certain provisions that empower the European Commission to adopt delegated and implementing acts, much in line with the criticism raised by the European Parliament and the Article 29 Working Party, the EU advisory body on data protection.Continue Reading The Battle Lines are Clearing Up: The Irish Presidency Note on the Proposed General Data Protection Regulation

Last July, the Irish Data Protection Commissioner formalized and approved a Code of Practice for organizations suffering information security breaches:  the Personal Data Security Breach Code of Practice. The Code specifies that all data security incidents should be reported to the Data Protection Commissioner, except in very limited cases, and sets out additional risk minimization measures.