24 January 2025

October To December 2024 - Data Protection

Arthur Cox

Arthur Cox is one of Ireland’s leading law firms. For almost 100 years, we have been at the forefront of developments in the legal profession in Ireland. Our practice encompasses all aspects of corporate and business law. The firm has offices in Dublin, Belfast, London, New York and Silicon Valley.

DPC - Data Protection Toolkit for Schools

DATE OF UPDATE: 19 December 2024

LINKS

CURRENT STATUS

The DPC has created a Data Protection Toolkit for Schools to further assist schools in meeting their data protection obligations when processing the personal data of children.

DPC publishes "Data Protection Toolkit for Schools" | 19/12/2024 | Data Protection Commission

EDPB Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models

DATE OF UPDATE: 17 December 2024

LINKS

Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models | European Data Protection Board

CURRENT STATUS

The EDPB has adopted an opinion on the use of personal data for the development and deployment of AI models. This opinion looks at 1) when and how AI models can be considered anonymous, 2) whether and how legitimate interest can be used as a legal basis for developing or using AI models, and 3) what happens if an AI model is developed using personal data that was processed unlawfully. It also considers the use of first- and third-party data.

WHY IS THIS APPLICABLE TO CLIENTS?

The Opinion was sought by the DPC and reflects its role as lead supervisory authority for many companies developing AI models.

DPC Enforcement – Meta Platforms Ireland Limited ("MPIL")

DATE OF UPDATE: 17 December 2024

LINKS

Irish Data Protection Commission fines Meta €251 Million | 17/12/2024 | Data Protection Commission

CURRENT STATUS

The DPC concluded two own-volition inquiries following a personal data breach, which was reported by MPIL. This data breach impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. The decisions included a number of reprimands and an order to pay administrative fines totalling €251 million. No objections to the DPC's draft decision were raised under the GDPR cooperation mechanism (Article 60 GDPR).

DPC Enforcement – Maynooth University

DATE OF UPDATE: 6 December 2024

CURRENT STATUS

The DPC announced its decision in an own-volition inquiry into a personal data breach notified by Maynooth University in November 2018. The breach affected the email accounts of university employees, and allowed unauthorised persons to gain control of up to six accounts. The unauthorised persons used control of one account to assist in the commission of a fraud, leading to a financial loss by one of the persons affected. The DPC found that the university infringed Articles 5(1)(f) and 32 GDPR by failing to ensure appropriate security of personal data that it processed, and to implement appropriate technical and organisational measures to ensure such security, and infringed Article 33(1) GDPR by failing to notify the DPC of the data breach within 72 hours. The DPC reprimanded Maynooth University, imposed administrative fines totalling €40,000 and ordered Maynooth University to bring its processing into compliance with the security requirements of the GDPR.

WHY IS THIS APPLICABLE TO CLIENTS?

The decision illustrates the importance of assessing whether technical and organisational measures taken by organisations to secure personal data are appropriate, and improving these where faults are identified.

NEXT STEPS

Watch out for the full decision which, as of writing, has not yet been published.

EDPB Statement 6/2024 on the Second Report on the Application of the General Data Protection Regulation - Fostering Cross-Regulatory Consistency and Cooperation

DATE OF UPDATE: 3 December 2024

LINKS

Statement 6/2024 on the Second Report on the Application of the General Data Protection Regulation - Fostering Cross-Regulatory Consistency and Cooperation

Communication from the Commission to the European Parliament and the Council: Second Report on the application of the General Data Protection Regulation

CURRENT STATUS

The European Data Protection Board ("EDPB") welcomes the European Commission's second report on the application of the General Data Protection Regulation (GDPR) addressed to the European Parliament and to the Council. The EDPB calls out the need to clarify the substantive and regulatory enforcement interplay between the application of the GDPR and other EU digital legislation, particularly the EU Artificial Intelligence Act or those derived from the EU Data Strategy and the Digital Services Package.

EDPB Guidelines 02/2024 on Article 48 GDPR

DATE OF UPDATE: 2 December 2024

LINKS

Guidelines 02/2024 on Article 48 GDPR

CURRENT STATUS

These guidelines aim to clarify the rationale and objective of Article 48 GDPR, including its interaction with the other provisions of Chapter V of the GDPR, and to provide practical recommendations for controllers and processors in the EU that may receive requests from third country authorities to disclose or transfer personal data.

CJEU Decision - Case C-169/23 Másdi - Article 14(1) and (5)(c), Article 32 and Article 77(1) GDPR

DATE OF UPDATE: 28 November 2024

LINKS

CJEU Decision: Case C-169/23 Másdi

CURIA - Documents

See also, our analysis of the Uber decision: SCCs in the Driving Seat: The Uber Decision - Arthur Cox LLP

CURRENT STATUS

The exception to the controller's obligation to provide information to the data subject, laid down in Art.14(5)(c), concerns all personal data, without distinction, that have not been collected by the controller directly from the data subject, whether those data have been obtained by the controller from a person other than the data subject or whether they have been generated by the controller itself, in the performance of its tasks.

If this exception is invoked, the supervisory authority is competent to verify whether the Member State law provides appropriate measures to protect the data subject's legitimate interests.

WHY IS THIS APPLICABLE TO CLIENTS?

This decision explores the exception to the controller's information obligation laid down in Article 14(5)(c) GDPR and will be of interest to data controllers where this exception comes into play.

DPC Enforcement – ePrivacy

DATE OF UPDATE: 20 and 27 November 2024

LINKS

Data Protection Commission welcomes outcome of prosecution of marketing offences | 21/11/2024 | Data Protection Commission

S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. ("ePrivacy Regulations")

CURRENT STATUS

Prosecution proceedings were taken by the DPC against Sempiternal Aesthetics Limited t/a SISU Clinic on 20 November and against Valterous Limited t/a Therapie Clinic on 27 November in relation to marketing offences under the ePrivacy Regulations.

In the case of SISU Clinic, the Court applied the Probation Act to all twelve counts based on the fact the company had engaged with the DPC and rectified its systems to ensure that this issue will not happen in the future. It ordered the company to pay €500 towards the legal fees of the DPC.

Therapie Clinic was ordered to pay a charitable donation of €325 to local charity Little Flower Penny Dinners and €675 towards the legal fees of the DPC.

WHY IS THIS APPLICABLE TO CLIENTS?

In recent months the DPC has taken a number of prosecution cases against organisations that fail to fully comply with the ePrivacy Regulations. Organisations should review their procedures for conducting direct marketing to ensure they comply with the Regulations.

DPC Enforcement - Sligo County Council

DATE OF UPDATE: 13 November 2024

LINKS

Inquiry into Sligo County Council | Data Protection Commission

CURRENT STATUS

The DPC conducted an own-volition inquiry to assess whether Sligo County Council was processing personal data in compliance with the GDPR and the Data Protection Act 2018, including in its use of CCTV cameras in public places for the purposes of prosecuting crime or other purposes.

In its Decision, it ordered a temporary ban on the processing of personal data through CCTV cameras and ANPR cameras at a number of locations until a valid legal basis can be identified. Sligo County Council must bring its processing of personal data into compliance by taking certain actions specified in the decision. The Council is subject to a reprimand in respect of infringement of section 79 of the Data Protection Act 2018 and an administrative fine of €29,500.

WHY IS THIS APPLICABLE TO CLIENTS?

The decision will be of interest to data controllers who have already installed, or are considering installing, CCTV cameras.

Data Protection – Amendment of Section 60 Data Protection Act 2018

DATE OF UPDATE: 8 November 2024

LINKS

S.I. No. 610/2024 - European Union (Data Protection Act 2018) (Amendment of section 60) Regulations 2024

CURRENT STATUS

S.I. No. 610/2024 - European Union (Data Protection Act 2018) (Amendment of section 60) Regulations 2024 was published in Iris Oifigiúil.

Section 60 concerns restrictions on obligations of controllers and rights of data subjects for important objectives of general public interest.

Data Protection – DPC Enforcement – ePrivacy

DATE OF UPDATE: 25 October 2024

LINKS

Data Protection Commission welcomes outcome of latest round of prosecutions of marketing offences | 25/10/2024 | Data Protection Commission

S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. ("ePrivacy Regulations")

CURRENT STATUS

Three prosecution proceedings were taken by the DPC in the Dublin Metropolitan District Court. In each case, the DPC had issued previous warnings following investigations carried out on foot of previous complaints made to the office. The companies involved are Sky Ireland Limited, Google Ireland Limited and Stella Novus Limited. The Court directed the companies to each make a contribution of €1,500 to the Little Flower Penny Dinners charity and to discharge the DPC's legal costs, in lieu of a conviction and fine.

WHY IS THIS APPLICABLE TO CLIENTS?

Organisations should ensure that their procedures for conducting direct marketing activities comply with the ePrivacy Regulations.

Data Protection – DPC Decision - LinkedIn

DATE OF UPDATE: 24 October 2024

LINKS

Irish Data Protection Commission fines LinkedIn Ireland €310 million | 24/10/2024 | Data Protection Commission

CURRENT STATUS

The DPC issued a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million, following an inquiry into LinkedIn's processing of personal data for the purposes of behavioural analysis and targeted advertising of users who have created LinkedIn profiles.

WHY IS THIS APPLICABLE TO CLIENTS?

The decision will be of interest to organisations involved in processing personal data for the purposes of targeted advertising.

Data Protection and AI – EDPB

DATE OF UPDATE: 15 October 2024

LINKS

Stakeholder event on 'AI models': express your interest to participate | European Data Protection Board

CURRENT STATUS

The EDPB arranged a remote stakeholder event aimed at collecting input from stakeholders in the context of a request for an Art. 64(2) GDPR opinion relating to artificial intelligence models submitted to the EDPB by the DPC.

WHY IS THIS APPLICABLE TO CLIENTS?

The request illustrates the interplay between AI and data protection. The DPC has been at the forefront of regulation in this area. Most recently, in September, it announced a cross-border statutory inquiry into Google Ireland Limited concerning the use of personal data in the development of its foundational AI model.

Collective Litigation

DATE OF UPDATE: 11 October 2024

LINKS

Collective Litigation in Ireland: A Guide to the new Representative Actions Mechanism - Arthur Cox LLP

CURRENT STATUS

NOYB - European Center for Digital Rights has registered as a qualified entity for the purposes of the Representative Actions for the Protection of the Collective Interests of Consumers Act 2023 (the "Act"). NOYB joins the Irish Council for Civil Liberties on the Register.

Under the Act, which commenced on 30 April 2024, a qualified entity may bring a representative action for the protection of the collective interests of consumers to seek injunctive relief and/or redress in respect of infringements by traders under the relevant enactments listed in the Schedule to the Act.

WHY IS THIS APPLICABLE TO CLIENTS?

The scope of the Act is broad and extends to alleged infringements under the Data Protection Act 2018.

Data Protection – Enforcement - EDPB

DATE OF UPDATE: 10 October 2024

LINKS

Data Protection Commission launches inquiry into Ryanair's Customer Verification Process | 04/10/2024 | Data Protection Commission

CURRENT STATUS

During its October 2024 plenary, the EDPB selected the topic for its fourth Coordinated Enforcement Action (CEF), which will concern the implementation of the right to erasure ('right to be forgotten') by controllers.

WHY IS THIS APPLICABLE TO CLIENTS?

We do not know as yet if the DPC will participate in the CEF in 2025. In any event, the results of the CEF are expected to be analysed to allow for targeted follow up actions, which may impact data controllers whose supervisory authority is the DPC.

NEXT STEPS

Controllers should review their data protection policies to ensure they appropriately cater for the right of erasure when exercised by the data subject.

Data Protection – Review of Adequacy Decision - concerning EU-U.S. Data Privacy Framework ("DPF")

DATE OF UPDATE: 9 October 2024

LINKS

Report on the first periodic review of the functioning of the adequacy decision on the EU-US Data Privacy Framework | European Commission

CURRENT STATUS

The European Commission published a report following the first review of the adequacy decision for the DPF for personal data transferred from the EU to organisations in the US. Based on the information gathered during the review, the Commission has concluded that the US authorities have the necessary structures and procedures to ensure that the DPF functions effectively.

WHY IS THIS APPLICABLE TO CLIENTS?

This report will be of interest to data controllers transferring personal data to the U.S.

Data Protection - EDPB Work Programme 2024 - 2025

DATE OF UPDATE: 8 October 2024

LINKS

EDPB Work Programme 2024 - 2025 (PDF, 1,048 KB)

CURRENT STATUS

The EDPB published its work programme for 2024 – 2025. The programme covers a wide range of topics, including proposed guidelines on children's data, "consent or pay" models, age verification criteria and generative AI – data scraping, as well as guidelines on the interplay between EU data protection law and other EU laws, including separate guidelines for each of the AI Act, the Digital Services Act and the Digital Markets Act.

Data Protection – Enforcement - DPC

DATE OF UPDATE: 4 October 2024

LINKS

Data Protection Commission launches inquiry into Ryanair's Customer Verification Process | 04/10/2024 | Data Protection Commission

CURRENT STATUS

The DPC announced that it has launched an inquiry under Section 110 of the Data Protection Act 2018 into Ryanair's Customer Verification Processes. These processes require additional verification of identity from customers who purchase flights on a third-party website rather than buying directly from Ryanair. Additional verification measures include facial recognition technology based on biometric data.

WHY IS THIS APPLICABLE TO CLIENTS?

The findings as regards the use of facial recognition technology based on biometric data will be of interest to data controllers using or planning to use facial recognition technology based on biometric data.

Data Protection – CJEU Decision - Case C-446/21: Schrems (Communication of data to the general public) - Article 5(1)(b) and (c), Article 6(1)(a) and (b) and Article 9(1) and (2)(e) GDPR

DATE OF UPDATE: 10 October 2024

LINKS

Summary of 2024's Key CJEU Data Protection Judgments - Arthur Cox LLP

An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data

CURRENT STATUS

The CJEU finds that an online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.
