Category Archives: Ireland

Office of the Information Commissioner

Update on litigation involving Facebook and Maximilian Schrems: Explanatory memo

Press release welcoming the increased budget for 2017 for the OIC, a 59% increase. In the press release, the Commissioner directly links this increased budget to both the GDPR and the expanding role of the Irish DPA under that regime, where it becomes responsible for “protecting the fundamental privacy rights of EU citizens, a core part of which is the regulation of a large number of leading internet multi-nationals that have located European operations in Ireland.”

Office of the Information Commissioner

Update on litigation involving Facebook and Maximilian Schrems: Explanatory memo

On 31 May 2016, the Data Protection Commissioner (DPC) commenced proceedings in the Irish High Court. The purpose of the proceedings is to seek a reference to the Court of Justice of the European Union (CJEU) in relation to the “standard contractual clauses” mechanism under which, at present, personal data can be transferred from the EU to the US.

While the DPC does not seek any specific relief against Mr Schrems or Facebook Ireland Limited (FB), both of those parties were joined to the proceedings because the outcome of the case will impact on the DPC’s consideration of Mr Schrems’ complaint against Facebook (see further below). By joining Mr Schrems and FB to the proceedings, the DPC also ensured that those parties would have an opportunity (but not an obligation) to participate in the proceedings.

The purpose of this note is to explain the background to the case, the reasons why the DPC has taken the case and the current position in the High Court as of September 2016.

Data Protection Commissioner

Data Protection Office issues Guidance on Location Data

The Office of the Data Protection Commissioner has today, 9 August 2016, published detailed guidance on location data.

Location data is any information which links an individual to a particular place including information about where a person currently is, or where they were at some point in the past. Technology such as smart phones has made it easier than ever before for individuals to be located. Organisations use this data to offer personalised services, such as navigation apps or location-specific news content on websites.

Aimed at both individuals and organisations, our guidance will assist individuals in understanding how information relating to their location is collected and processed, and provides clarity to organisations on their obligations regarding such data. The overriding principle of the guidance centres on the protection of the individual’s right to data privacy.

Publishing the guidance, the Office of the Data Protection Commissioner advised users of smart phone apps, in particular, to familiarise themselves with the terms attaching to the downloading and use of apps and where location data is collected to be aware of the purposes for which it is being used. As the rate of technological innovation continues apace, more and more location data is being collected and transmitted and individuals should be vigilant of how this information is collected, processed and re-used.

Data Protection Commissioner

Annual Report of the Data Protection Commissioner Ireland 2015

The annual report for 2015 from the DPC features several elements related to international cooperation between EU (and other) data protection authorities. It presents the perspective of the authority on the GDPR reforms, the CJEU ruling on the case of Maximilian Schrems versus the Irish Data Protection Commissioner, the resulting collapse of the Safe Harbour agreement, and the start of the Privacy Shield negotiations. On the GDPR, the report’s introduction states:

“Importantly, as it is a harmonised law with direct effect in each EU member state, it will require Europe’s independent data protection authorities to cooperate and work with each other in new ways in order to ensure its effective and consistent implementation to the benefit of data subjects and organisations alike.”

On the CJEU decisions, the report states:

“The CJEU ruling was of major significance on a number of levels as it set out a new test based on German constitutional law in relation to the essence of the fundamental right; it reiterated its test for proportionality and necessity from the Digital Rights Ireland case on the Data Retention Directive; it clarified the role of data protection authorities in examining complaints even where the matter complained of is a binding EU instrument, and, of course, it struck down the Safe Harbour agreement itself. The issue of EU–US transfers and, indeed, transfers of personal data from the EU to other global jurisdictions has occupied the Article 29 Working Party in particular since that ruling last October. The working party called for political intervention to create the necessary political and legal solutions to allow personal-data free-flows to continue in a way that also safeguarded the fundamental rights of European individuals. As of today, it remains to be seen whether the proposed Privacy Shield for EU–US transfers will represent the start of a solution.”

Data Protection Commissioner

Statement by the Office of the Data Protection Commissioner in respect of application for Declaratory Relief in the Irish High Court and Referral to the CJEU

The Office of the Data Protection Commissioner issued a press release announcing that:

“We continue to thoroughly and diligently investigate Mr Schrems’ complaint to ensure the adequate protection of personal data. We yesterday informed Mr Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. We will update all relevant parties as our investigation continues.”

Data Protection Commissioner (Ireland)

GPEN Sweep – Internet of Things

“A Sweep of how Internet of Things (IoT) devices use personal data, and how users are kept informed, is being undertaken this week by 29 data protection authorities around the world.

In Ireland, the review will involve an in-depth look at IoT devices available to users in this jurisdiction such as smart electricity meters, fitness trackers and telematics, and consider how well companies communicate privacy matters to their customers.

The combined results of the Sweep will be published in September. Authorities will also consider action against any devices or services that are found to be breaking data protection laws.

The work is coordinated by the Global Privacy Enforcement Network (GPEN) and follows previous reports on online services for children, website privacy policies and mobile phone apps. GPEN is an informal network of data protection agencies from around the globe. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. For more about the Global Privacy Enforcement Network, please click on the following link: https://www.privacyenforcement.net/

Data Protection Commissioner

Lack of regulation on the new “Privacy Shield” framework in Ireland

In February 2016, the European Commission (EC) and the United States (US) agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield. The new legal text replaces the Safe Harbour framework, which was declared invalid by the Court of Justice (CJEU) last October.

This new framework includes not only commitments in the commercial sector, but also access to personal data by public authorities for national security purposes. Furthermore, the draft “adequacy decision” has been included for all US companies providing services on the EU market.

The Data Protection Commissioner (DPC) has inadvertently found itself in the position of chief data regulator for the EU. According to Germany and other EU member states, Ireland’s data protection regime is too lenient, despite efforts made by the data protection commissioner.

Most of Europe’s largest technology organisations have a base in Ireland. Thus, any impediment to their ability to do business in Europe would affect Ireland most, since companies are worried about personal data transfers to the US.

Therefore, the DPC is taking a cautious stance on the new data protection framework. A blizzard of tech rulings is expected to be given in the following weeks.

Data Protection Commissioner

Guidance on Data Sharing in the Public Sector

The Office of the Data Protection Commissioner (“ODPC”) welcomes the decision of the European Court of Justice in the case of Bara & Oths C-201/2014 and notes the strong trend emanating from recent judgments whereby the Court has interpreted the Data Protection Directive so as to extend and to re-enforce the protection of the rights of individuals. The Bara judgment which focused upon a public sector data sharing arrangement re-iterates the importance of informing the data subject about the processing of their personal data as it affects the exercise by the data subjects of their right of access to their personal data, their right to rectify their data being processed and their right to object to the processing of data.

An individual may expect public sector bodies to share their personal data where it is essential and necessary to provide him/her with the services sought and the ODPC fully support the aim of developing more efficient and customer centric public services in this regard. However, this must also be balanced with the fact that individuals need to be informed as to how their personal information is used and for what purpose, who has access to it and how the sharing of that information will impact upon them. Therefore, whilst data sharing can bring benefits in terms of efficient delivery of public services it must be done in a way that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason.

As such the ODPC recommends that all data sharing arrangements in the public sector should:

  • Have a basis in primary legislation;
  • Be made clear to individuals that their data may be shared and for what purpose;
  • Be proportionate in terms of their application and the objective to be achieved;
  • Have a clear justification for individual data sharing arrangements;
  • Share the minimum amount of data to achieve the stated public service objective;
  • Have strict access and security controls; and
  • Ensure secure disposal of shared data.

It is important to restate from the outset that, subject to the exceptions permitted under the Data Protection Acts 1988 – 2003 (the DPA), all processing of personal data must comply with the principles of data quality as set out in Section 2 and with one of the criteria for making data processing legitimate in Section 2(2A) (and Section 2(2B) if sensitive personal data is involved). In undertaking a review of all current and future data sharing arrangements, public sector bodies should ensure that the following best practice guidelines are considered and applied as appropriate.