Photo of Cynthia O’Donoghue

Cynthia O’Donoghue

Subscribe to Cynthia O’Donoghue's Posts
Contact: Read more about Cynthia O’Donoghue

The European Union’s Second Network and Information Systems Directive (“NIS2”) entered into force on 16 January 2023, and replaces the NIS 1 Directive.  NIS2 aims to “improve the resilience and incident response capacities of both the public and private sector and the EU as a whole”. In addition to the EU’s NIS2 update, the UK has also recently expanded its Network and Information Systems Regulations, and further details can be found in our blog here.  The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.

Continue Reading NIS2 toughens up EU’s cyber security obligations

The Court of Justice of the European Union (“CJEU”) issued a judgment on the 9th of February 2023 (docket no. C-453/21), which addresses the question of the dismissal of a Data Protection Officer (“DPO”) and the interpretation of Article 38 of the EU GDPR.

Continue Reading CJEU rules on DPO conflicts of interest under the GDPR

On the 18th of January, the EDPB published the adopted report of the work undertaken by the Cookie Banner Taskforce. The Cookie Banner Taskforce was established in September 2021 in accordance with article 70(1) (u) GDPR to coordinate the response to complaints concerning cookie banners filed with several supervisory authorities by the non-profit organization, NOYB, run by Max Schrems. The aim of this Taskforce was to promote cooperation, information sharing, and best practices between the supervisory authorities.

Continue Reading EU-Cookie banner taskforce report: what you need to know

On 17 November 2022, the UK Information Commissioner’s Office issued updated guidance on international personal data transfers.  The guidance is to be used for transfers of personal data from the UK to third countries. The ICO added a template transfer risk assessment (TRA) to the guidance, which is required when organisations rely on a  transfer tool under Article 46 of the UK GDPR, e.g. the ICO’s International Data Transfer Agreement (the UK version of the EU SCCs); the Addendum to the EU SCCs, or the Binding Corporate Rules. The requirement to carry out transfer impact assessments stems from Article 46(1) of the UK GDPR, which states that the transfer mechanisms can be used “on condition that enforceable data subject rights and effective legal remedies for data subjects are available” confirmed by the CJEU’s Schrems II judgement.

The ICO’s TRA offers an alternative approach to the  EDPB’s transfer impact assessments (TIA),  to assist data exporters with carrying out their analysis to check that that protections under the transfer tool are not undermined by the laws and practices of the recipient third country.

Continue Reading ICO provides an alternative to the EDPB transfer impact assessment

On 6 October 2022, the Advocate General (Campos Sánchez-Bordona) issued his opinion in UI v Österreichische Post AG on the interpretation of the rules on civil liability under the GDPR .

He concluded that a data subject must have suffered harm in order to claim compensation, and that breach of the GDPR alone was not sufficient.  There is also a distinction to be drawn between mere upset (which does not give rise to a right for compensation) and non-material damage (which does).

Continue Reading ‘Mere upset’ insufficient for compensation under the GDPR

The Competition & Markets Authority (‘CMA’) published its response to the Department for Digital, Culture, Media & Sport (‘DCMS’) policy paper on establishing a pro-innovation approach to regulating artificial intelligence (AI) on 29 September 2022. This is in parallel with the coming into force of the new National Security & Investment Act 2021, under which the UK government is scrutinising transactions that use AI to produce goods, services and technology with the potential to track individuals, objects and events.

In its response, the CMA commented on the need to (i) adopt a risk based approach to the regulation of AI, (ii) consider whether existing regulatory powers are appropriate, and (iii) encourage collaboration between regulators.

Continue Reading The CMA’s shares its thoughts on a ‘pro-innovation’ approach to regulating artificial intelligence

At a Glance:

On Oct. 7, 2022, U.S. President Joe Biden issued Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ (“Executive Order” or “EO”). It is described by the U.S. as “a durable and reliable legal foundation” and “that the new ’robust’ commitments contained in the executive order ’fully addresses’ the issues raised in the [EU] Court of Justice’s decision on Privacy Shield” (the “Schrems II ruling”). This Executive Order will form the basis for a new EU-U.S. Data Privacy Framework, aka Safe Harbor Framework v3 or Privacy Shield 2.0.

The issuance of the EO was a central part of the agreement in principle reached between the EU and the U.S. to address the issues raised in the Schrems II ruling.  While most of the world waited for this Executive Order, we now all wait for the EU’s response as to whether or not this EO, once its requirements are implemented, suffices to lift the U.S. to an adequate level of data protection within the meaning of Art. 45 GDPR. Even before full implementation of the procedural aspects of the EO, the Executive Order will have a positive impact on data transfers given that the surveillance must be conducted in a proportionate manner that takes into account the impact to privacy and civil liberties of all persons, assuming the EU will be designated as a “qualifying state” by the U.S. Attorney General under the EO.

Continue Reading Transatlantic Data Flows – Chapter 3: The EU-U.S. Data Protection Framework: A Summary of the U.S. Executive Order issued on Oct. 9 and its immediate and future effects

On October 3, 2022, the UK-U.S. agreement on Access to Electronic Data for the Purpose of Countering Serious Crime (the UK-U.S. Agreement) came into force. The UK and the U.S. governments signed the UK-U.S. Agreement on October 3, 2019 under the U.S. Clarifying Lawful Overseas Use of Data Act 2018 (“CLOUD Act”). The U.S. government is negotiating similar agreements with the governments of Canada, Australia and New Zealand, but notably, not with the European Union.

Continue Reading Does the UK-U.S. agreement under the U.S. CLOUD Act affect UK’s adequacy under the GDPR?

On 26 September 2022, the UK Information Commissioner’s Office (“ICO”) issued a blog post addressing compliance with data subject access requests (“DSARs”).

A DSAR is a written request by an individual to an organisation asking for access to the personal information it holds on them. This is a legal right everyone in the UK has and can be exercised at any time for free (in most circumstances).

Continue Reading ICO issues guidance on responding to subject access requests

Meta-owned Instagram has been fined €405 million by the Irish Data Protection Commission (DPC) for violations of the EU General Data Protection Regulation (GDPR), following a two year investigation into how the social media platform handles children’s data. This is the largest fine imposed by the DPC to date. Below, we highlight some of the key issues arising in the case.

Continue Reading Irish DPC fines Instagram a record €405 million