Data Protection
DPC - Data Protection Toolkit for Schools
DATE OF UPDATE: 19 December 2024
CURRENT STATUS
The DPC has created a Data Protection Toolkit for Schools to further assist schools in meeting their data protection obligations when processing the personal data of children.
EDPB Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models
CURRENT STATUS
The EDPB has adopted an opinion on the use of personal data for the development and deployment of AI models. This opinion looks at 1) when and how AI models can be considered anonymous, 2) whether and how legitimate interest can be used as a legal basis for developing or using AI models, and 3) what happens if an AI model is developed using personal data that was processed unlawfully. It also considers the use of first and third party data.
WHY IS THIS APPLICABLE TO CLIENTS?
The Opinion was sought by the DPC and reflects its role as lead supervisory authority for many companies developing AI models.
DPC Enforcement – Meta Platforms Ireland Limited (“MPIL”)
DATE OF UPDATE: 17 December 2024
CURRENT STATUS
The DPC concluded two own-volition inquiries following a personal data breach, which was reported by MPIL. This data breach impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. The decisions included a number of reprimands and an order to pay administrative fines totalling €251 million. No objections to the DPC’s draft decision were raised under the GDPR cooperation mechanism (Article 60 GDPR).
DPC Enforcement – Maynooth University
DATE OF UPDATE: 6 December 2024
CURRENT STATUS
The DPC announced its decision in an own-volition inquiry into a personal data breach notified by Maynooth University in November 2018. The breach affected the email accounts of university employees, and allowed unauthorised persons to gain control of up to six accounts. The unauthorised persons used control of one account to assist in the commission of a fraud, leading to a financial loss by one of the persons affected. The DPC found that the university infringed Articles 5(1)(f) and 32 GDPR by failing to ensure appropriate security of the personal data that it processed, and to implement appropriate technical and organisational measures to ensure such security, and infringed Article 33(1) GDPR by failing to notify the DPC of the data breach within 72 hours. The DPC reprimanded Maynooth University, imposed administrative fines totalling €40,000 and ordered Maynooth University to bring its processing into compliance with the security requirements of the GDPR.
WHY IS THIS APPLICABLE TO CLIENTS?
The decision illustrates the importance of assessing whether the technical and organisational measures taken by organisations to secure personal data are appropriate, and of improving these where faults are identified.
NEXT STEPS
Watch out for the full decision which, as of writing, has not yet been published.
EDPB Statement 6/2024 on the Second Report on the Application of the General Data Protection Regulation - Fostering Cross-Regulatory Consistency and Cooperation
DATE OF UPDATE: 3 December 2024
CURRENT STATUS
The European Data Protection Board (“EDPB”) welcomes the European Commission’s second report on the application of the General Data Protection Regulation (GDPR) addressed to the European Parliament and to the Council. The EDPB calls out the need to clarify the substantive and regulatory enforcement interplay between the application of the GDPR and other EU digital legislation, particularly the EU Artificial Intelligence Act or those derived from the EU Data Strategy and the Digital Services Package.
EDPB Guidelines 02/2024 on Article 48 GDPR
DATE OF UPDATE: 2 December 2024
CURRENT STATUS
These guidelines aim to clarify the rationale and objective of Article 48 GDPR, including its interaction with the other provisions of Chapter V of the GDPR, and to provide practical recommendations for controllers and processors in the EU that may receive requests from third country authorities to disclose or transfer personal data.
CJEU Decision - Case C-169/23 Másdi - Article 14(1) and (5)(c), Article 32 and Article 77(1) GDPR
DATE OF UPDATE: 28 November 2024
LINKS
CJEU Decision: Case C-169/23 Másdi
See also, our analysis of the Uber decision: SCCs in the Driving Seat: The Uber Decision - Arthur Cox LLP
CURRENT STATUS
The exception to the controller’s obligation to provide information to the data subject, laid down in Art.14(5)(c), concerns all personal data, without distinction, that have not been collected by the controller directly from the data subject, whether those data have been obtained by the controller from a person other than the data subject or whether they have been generated by the controller itself, in the performance of its tasks.
If this exception is invoked, the supervisory authority is competent to verify whether the Member State law provides appropriate measures to protect the data subject’s legitimate interests.
WHY IS THIS APPLICABLE TO CLIENTS?
This decision explores the exception to the controller’s information obligation laid down in Article 14(5)(c) GDPR and will be of interest to data controllers where this exception comes into play.
DPC Enforcement – ePrivacy
DATE OF UPDATE: 20 and 27 November 2024
CURRENT STATUS
Prosecution proceedings were taken by the DPC against Sempiternal Aesthetics Limited t/a SISU Clinic on 20 November and against Valterous Limited t/a Therapie Clinic on 27 November in relation to marketing offences under the ePrivacy Regulations.
In the case of SISU Clinic, the Court applied the Probation Act to all twelve counts on the basis that the company had engaged with the DPC and rectified its systems to ensure that this issue will not happen in the future. It ordered the company to pay €500 towards the legal fees of the DPC.
Therapie Clinic was ordered to pay a charitable donation of €325 to local charity Little Flower Penny Dinners and €675 towards the legal fees of the DPC.
WHY IS THIS APPLICABLE TO CLIENTS?
In recent months the DPC has taken a number of prosecution cases against organisations that fail to fully comply with the ePrivacy Regulations. Organisations should review their procedures for conducting direct marketing to ensure they comply with the Regulations.
DPC Enforcement - Sligo County Council
DATE OF UPDATE: 13 November 2024
CURRENT STATUS
The DPC conducted an own-volition inquiry to assess whether Sligo County Council was processing personal data in compliance with the GDPR and the Data Protection Act 2018, including in its use of CCTV cameras in public places for the purposes of prosecuting crime or other purposes.
In its Decision, it ordered a temporary ban on the processing of personal data through CCTV cameras and ANPR cameras at a number of locations until a valid legal basis can be identified. Sligo County Council must bring its processing of personal data into compliance by taking certain actions specified in the decision. The Council is subject to a reprimand in respect of infringement of section 79 of the Data Protection Act 2018 and an administrative fine of €29,500.
WHY IS THIS APPLICABLE TO CLIENTS?
The decision will be of interest to data controllers who have already installed, or are considering installing, CCTV cameras.
Data Protection – Amendment of Section 60 Data Protection Act 2018
DATE OF UPDATE: 8 November 2024
CURRENT STATUS
S.I. No. 610/2024 - European Union (Data Protection Act 2018) (Amendment of section 60) Regulations 2024 was published in Iris Oifigiúil.
Section 60 concerns restrictions on obligations of controllers and rights of data subjects for important objectives of general public interest.
Data Protection – DPC Enforcement – ePrivacy
DATE OF UPDATE: 25 October 2024
CURRENT STATUS
Three prosecution proceedings were taken by the DPC in the Dublin Metropolitan District Court. In each case, the DPC had issued previous warnings following investigations carried out on foot of previous complaints made to the office. The companies involved are Sky Ireland Limited, Google Ireland Limited and Stella Novus Limited. The Court directed the companies to each make a contribution of €1,500 to the Little Flower Penny Dinners charity and to discharge the DPC’s legal costs, in lieu of a conviction and fine.
WHY IS THIS APPLICABLE TO CLIENTS?
Organisations should ensure that their procedures for conducting direct marketing activities comply with the ePrivacy Regulations.
Data Protection – DPC Decision - LinkedIn
DATE OF UPDATE: 24 October 2024
CURRENT STATUS
The DPC issued a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million, following an inquiry into LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising of users who have created LinkedIn profiles.
WHY IS THIS APPLICABLE TO CLIENTS?
The decision will be of interest to organisations involved in processing personal data for the purposes of targeted advertising.
Data Protection and AI – EDPB
DATE OF UPDATE: 15 October 2024
CURRENT STATUS
The EDPB arranged a remote stakeholder event aimed at collecting input from stakeholders in the context of a request for an Art. 64(2) GDPR opinion relating to artificial intelligence models submitted to the EDPB by the DPC.
WHY IS THIS APPLICABLE TO CLIENTS?
The request illustrates the interplay between AI and data protection. The DPC has been at the forefront of regulation in this area. Most recently, in September, it announced a cross-border statutory inquiry into Google Ireland Limited concerning the use of personal data in the development of its foundational AI model.
Collective Litigation
DATE OF UPDATE: 11 October 2024
CURRENT STATUS
NOYB - European Center for Digital Rights has registered as a qualified entity for the purposes of the Representative Actions for the Protection of the Collective Interests of Consumers Act 2023 (the “Act”). NOYB joins the Irish Council for Civil Liberties on the Register.
Under the Act, which commenced on 30 April 2024, a qualified entity may bring a representative action for the protection of the collective interests of consumers to seek injunctive relief and/or redress in respect of infringements by traders under the relevant enactments listed in the Schedule to the Act.
WHY IS THIS APPLICABLE TO CLIENTS?
The scope of the Act is broad and extends to alleged infringements under the Data Protection Act 2018.
Data Protection – Enforcement - EDPB
DATE OF UPDATE: 10 October 2024
CURRENT STATUS
During its October 2024 plenary, the EDPB selected the topic for its fourth Coordinated Enforcement Action (CEF), which will concern the implementation of the right to erasure (‘right to be forgotten’) by controllers.
WHY IS THIS APPLICABLE TO CLIENTS?
We do not know as yet if the DPC will participate in the CEF in 2025. In any event, the results of the CEF are expected to be analysed to allow for targeted follow up actions, which may impact data controllers whose supervisory authority is the DPC.
NEXT STEPS
Controllers should review their data protection policies to ensure they appropriately cater for the right of erasure when exercised by the data subject.
Data Protection – Review of Adequacy Decision concerning the EU-U.S. Data Privacy Framework (“DPF”)
DATE OF UPDATE: 9 October 2024
CURRENT STATUS
The European Commission published a report following the first review of the adequacy decision for the DPF for personal data transferred from the EU to organisations in the US. Based on the information gathered during the review, the Commission has concluded that the US authorities have the necessary structures and procedures to ensure that the DPF functions effectively.
WHY IS THIS APPLICABLE TO CLIENTS?
This report will be of interest to data controllers transferring personal data to the U.S.
Data Protection - EDPB Work Programme 2024 - 2025
DATE OF UPDATE: 8 October 2024
CURRENT STATUS
The EDPB published its work programme for 2024 – 2025. The programme covers a wide range of topics, including proposed guidelines on children’s data; “consent or pay” models; age verification criteria; and generative AI – data scraping, as well as guidelines on the interplay between EU data protection law and other EU laws, including separate guidelines for each of the AI Act, the Digital Services Act and the Digital Markets Act.
Data Protection – Enforcement - DPC
DATE OF UPDATE: 4 October 2024
CURRENT STATUS
The DPC announced that it has launched an inquiry under Section 110 of the Data Protection Act 2018 into Ryanair’s Customer Verification Processes. These processes require additional verification of identity from customers who purchase flights on a third-party website rather than buying directly from Ryanair. Additional verification measures include facial recognition technology based on biometric data.
WHY IS THIS APPLICABLE TO CLIENTS?
The findings as regards the use of facial recognition technology based on biometric data will be of interest to data controllers using or planning to use facial recognition technology based on biometric data.
Data Protection – CJEU Decision - Case C-446/21: Schrems (Communication of data to the general public) - Article 5(1)(b) and (c), Article 6(1)(a) and (b) and Article 9(1) and (2)(e) GDPR
DATE OF UPDATE: 10 October 2024
CURRENT STATUS
The CJEU finds that an online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data.