On March 7, 2023, the Irish Data Protection Commission (“DPC”) published its annual report for 2022. The report reflects the DPC’s reputation as both an active enforcer of the General Data Protection Regulation (“GDPR”) and a contributor to policy development at national and EU levels. The level of interaction between the DPC and the European Data Protection Board (“EDPB”) is particularly significant with more than 300 meetings reported for 2022 (averaging at more than 25 per month), many of which involved participation in the EDPB’s expert subgroups.
The Irish Data Protection Commission (“DPC”), having last month released its annual report (see our blog post here), has now also issued two additional reports detailing statistics on its handling of cross-border cases (see here) and a recently completed Resource Allocation Audit conducted by independent consultants (see here). Each is important in its own right for the reputation and development of this regulator, the lead EU supervisory authority for many of the large technology companies.
Continue Reading Irish DPC Reports on Cross-Border Activity and Resources
On February 24, 2022, the Irish Data Protection Commission (“DPC”) published its 2021 annual report setting out its activities and outcomes for last year (see press release here and the full report here). At 120 pages long, it is detailed and specific, and in places, comes with a targeted and reflective commentary. Overall, it provides readers with useful insights into the work of a supervisory authority at the forefront of Europe’s data protection whirlwinds.
Continue Reading Irish Data Protection Commission Publishes 2021 Annual Report
On Thursday, September 2, 2021, the Irish Data Protection Commission (“DPC”) published its decision in the long-awaited inquiry it initiated into the data processing of WhatsApp Ireland Limited (“WhatsApp”) in December 2018. It finds against WhatsApp, imposing a fine of €225 million.
Continue Reading Irish DPC Finds Against WhatsApp
On June 15, 2021, the Court of Justice of the European Union (“CJEU”) rendered a decision (press release here, full judgment here) addressing whether a European supervisory authority (“SA”) that is not the “Lead SA” (as defined in Article 56 GDPR) has competence to bring a case for an alleged violation of the General Data Protection Regulation (“GDPR“) before a national court in instances where the alleged violation involved the processing of personal data across multiple EU Member States. In such scenarios, a controller with a main establishment in Europe will typically seek to benefit from the so-called “one-stop-shop” principle under Article 56 GDPR, meaning the controller would need to answer to only one SA rather than be subject to enforcement actions brought by numerous SAs.
Continue Reading CJEU Decides on Competence of Supervisory Authorities to Bring Cases Before National Courts under the GDPR
On January 13, 2021, the Advocate General (“AG”), Michal Bobek, of the Court of Justice of the European Union (“CJEU”) issued his Opinion in Case C-645/19 Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”). The AG determined that the one-stop shop mechanism under the EU’s General Data Protection Regulation (“GDPR”) prevents supervisory authorities, who are not the lead supervisory authority (“LSA”) of a controller or processor, from bringing proceedings before their national court, except in limited and exceptional cases specifically provided for by the GDPR. The case will now move to the CJEU for a final judgment.
Continue Reading Supervisory Authorities Cannot Circumvent One-Stop-Shop According to CJEU Advocate General
The Article 29 Working Party (“WP29”) – the representatives of national data protection regulators in the EU – has issued new guidance on three important aspects of the new General Data Protection Regulation (“GDPR”), which comes into force in May 2018.
This first salvo of GDPR-focused guidance concerns:
- the new “Right to Data Portability”, an obligation on companies and public authorities to build tools that allow users to download their data or transfer it directly to a competitor (the guidance is here, and an FAQ is here);
- the new obligation for organizations to appoint a “Data Protection Officer”, a quasi-independent role within companies that will be tasked with internal supervision and advice regarding GDPR compliance (guidance / FAQ); and
- the new “One Stop Shop” mechanism – helping companies identify which “lead” data protection authority will be their main point of contact for multi-country regulatory procedures (guidance / FAQ).
Despite the guidance having formally been “adopted”, the WP29 is nevertheless inviting stakeholder comments on the new guidance, until the end of January 2017. Indeed, the guidance takes a number of positions that could attract large volumes of comments ahead of the January 31 deadline.
Continue Reading New EU GDPR Guidance: Data Portability, Data Protection Officers, and the One Stop Shop