Privacy & Information Security Law Blog

On October 27, 2023, the European Data Protection Board (“EDPB”) adopted an urgent binding decision instructing the Irish Data Protection Commissioner (the “Irish DPC”) to take final measures against Meta Ireland Limited (“Meta”) within two weeks and impose a ban on Meta’s processing of personal data for behavioral advertising based on the contractual necessity and legitimate interests legal bases. The ban would apply across the European Economic Area (“EEA”).

On September 15, 2023, the Irish Data Protection Commission (the “DPC”) announced a fine of 345 million Euros against TikTok Technology Limited (“TikTok”) for non-compliance with GDPR rules regarding the processing of personal data of child users. This decision by the DPC reflects the binding decision of the European Data Protection Board (the “EDPB”) pursuant to Article 65 of the GDPR.

On May 22, 2023, the Irish Data Protection Commission (the “DPC”) announced a €1.2 billion fine against Meta Ireland for unlawfully transferring personal data to the U.S.

On March 7, 2023, the Irish Data Protection Commission (“DPC”) published its Annual Report for 2022 (the “Report”). The Report contains details on several areas of the DPC’s work, including complaints from data subjects received by the DPC, personal data breach notifications received by the DPC and statutory inquiries conducted by the DPC.

On January 4, 2023, the Irish Data Protection Commission (“DPC”) announced the conclusion of two inquiries into the data processing practices of Meta Platforms, Inc. (“Meta”) with respect to the company’s Instagram and Facebook platforms. As a result of the investigations, the DPC fined Meta a combined €390 million for breaches of the EU General Data Protection Regulation (“GDPR”) and, following consultation with the European Data Protection Board (“EDPB”), notably held that Meta can no longer rely on the GDPR’s “performance of a contract” legal basis for processing personal data in the behavioral advertising context, a decision that has broad implications for publishers engaged in behavioral advertising in the EU.

On November 25, 2022, Ireland’s Data Protection Commission (“DPC”) released a decision fining Meta Platforms, Inc. (“Meta”) €265 million for a 2019 data leak involving the personal information of approximately 533 million Facebook users worldwide.

On November 15, 2022, the Italian Supreme Court held that an Italian court or competent data protection authority has jurisdiction to issue a global delisting order. A delisting order requires a search engine to remove certain search results about individuals if the data subject’s privacy interests prevail over the general right to expression and information, and the economic interest of the search engine. The case was brought by an Italian individual, who requested a worldwide delisting order, concerning all versions of the search engine, due to potential damage to the applicant's professional interests outside of the European Union.

On September 5, 2022, the Irish Data Protection Commissioner (the “DPC”) imposed a €405,000,000 fine on Instagram (a Meta-owned social media platform) for violations of the EU General Data Protection Regulation’s (“GDPR’s”) rules on the processing of children’s personal data.

On July 7, 2022, the Irish Data Protection Commission (the “DPC”) sent a draft decision to other EU data protection authorities, proposing to block Meta’s transfers of personal data from the EU to the United States.

In a letter addressed to certain members of the European Parliament (“MEPs”), European Commissioner for Justice Reynders refuted some of the criticism that has been raised against the Irish Data Protection Commissioner (“DPC”).

The Irish Data Protection Commissioner (“DPC”) has submitted a draft decision on Facebook Ireland Limited’s (“Facebook”) data protection compliance to other European regulators under the cooperation mechanism of the EU General Data Protection Regulation (“GDPR”) (the “Draft Decision”). The DPC proposes a fine between €28 and €36 million (i.e., up to $42 million) for infringements of the transparency obligations under the GDPR, specifically with respect to the legal basis upon which Facebook relied. In addition, the Draft Decision proposes imposing an order on Facebook to bring its terms of service and Data Policy into compliance within three months. However, the DPC indicates in its Draft Decision that Facebook is permitted to rely on contractual necessity as a legal basis for its personalized advertising, taking the view that this constitutes a core element of Facebook’s service.

On September 2, 2021, Ireland’s Data Protection Commission (“DPC”) announced a fine of €225 million ($266 million) against WhatsApp Ireland Ltd (“WhatsApp”) for failure to meet the transparency requirements of Articles 12-14 of the EU General Data Protection Regulation (“GDPR”). This fine represents a more than four-fold increase in the €30-50 million fine that was proposed in a draft decision issued by the DPC in December 2020. Due to the cross-border nature of WhatsApp’s data processing activities, the DPC’s draft decision was reviewed by other relevant supervisory authorities, as required by the cooperation and consistency mechanism under Chapter VII of the GDPR. Eight other EU regulators objected to the DPC’s draft decision. Their objections were referred to the European Data Protection Board (“EDPB”), in accordance with the dispute resolution procedure under Article 65(1)(a) of the GDPR, after the DPC failed to reach a consensus with the objecting regulators.

On June 30, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its comments on the Irish Data Protection Commissioner’s (“DPC”) consultation on its Draft Regulatory Strategy for 2021-2026, in which the DPC sets out its vision for the next five years.

On May 14, 2021, the Irish High Court dismissed Facebook Ireland’s (“Facebook”) challenge to the Irish Data Protection Commissioner’s (“DPC”) investigation into Facebook’s international transfers of personal data.

On March 26, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its comments on the Irish Data Protection Commissioner’s (“DPC”) draft guidance on safeguarding the personal data of children when providing online services, “Children Front and Centre—Fundamentals for a Child-Oriented Approach to Data Processing” (the “Draft Guidance”).

On December 15, 2020, the Irish Data Protection Commission (“DPC”) announced its fine of €450,000 against Twitter International Company (“Twitter”), following its investigation into a breach resulting from a bug in Twitter’s design. The fine is the largest issued by the Irish DPC under the EU General Data Protection Regulation (“GDPR”) to date and is also its first against a U.S.-based organization.

On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) issued its landmark judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. Unexpectedly, the Court invalidated the EU-U.S. Privacy Shield framework.

In one of the most important cases on global data transfers, the Court of Justice of the European Union (“CJEU”) will rule on the validity of the Standard Contractual Clauses (“SCCs”) in the Schrems II case (case C-311/18) on July 16, 2020. Invalidation of the SCCs would leave businesses scrambling to find an alternative data transfer mechanism. But there may be significant practical challenges for businesses even if the SCCs survive.

In a case that has garnered widespread interest, the Court of Justice of the European Union (“CJEU”) will deliver its judgment in the Schrems II case (case C-311/18) on July 16, 2020, determining the validity of the controller–to-processor Standard Contractual Clauses (“SCCs”) as a cross-border data transfer mechanism under the EU General Data Protection Regulation (“GDPR”). If the SCCs are invalidated, the judgment would deliver a significant blow to the numerous businesses that rely on them, leaving many scrambling to find a suitable alternative transfer mechanism. Even if the SCCs survive, they may become more cumbersome to use.

On June 19, 2020, France’s Highest Administrative Court (“Conseil d’Etat”) upheld the decision of the French Data Protection Authority (the “CNIL”) to impose a €50 million fine on Google LLC (“Google”) under the EU General Data Protection Regulation (the “GDPR”) for its alleged failure to (1) provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile devices and create Google accounts, and (2) obtain users’ valid consent to process their personal data for ad personalization purposes. Google had appealed this decision before the Conseil d’Etat. Because the Conseil d’Etat hears cases on appeal from the CNIL in both the first and last instances, the CNIL’s fine is now final. This fine against Google was the first fine imposed by the CNIL under the GDPR and is the highest fine imposed by an EU supervisory authority under the GDPR to date.

On April 6, 2020, the Irish Data Protection Commission (the “DPC”) published a report summarizing the DPC’s findings following a cookie sweep of select websites across a range of sectors, as well as a new guidance note on the use of cookies and other tracking technologies.

On March 19, 2020, the Irish Data Protection Authority (the “DPC”) published guidance to assist organizations in understanding their data security obligations and to mitigate their risks of a personal data breach when using cloud-based services (the “Guidance”).

On March 17, 2020, the Executive Committee of the Global Privacy Assembly (“GPA”) issued a statement giving their support to the sharing of personal data by organizations and governments for the purposes of fighting the spread of the COVID-19 pandemic. The GPA brings together data protection regulators from over 80 countries and its membership currently consists of more than 130 data protection regulators around the world, including the UK Information Commissioner’s Office, the U.S. Federal Trade Commission, and the data protection regulators for all EU Member States.

On December 19, 2019, the Advocate General of the Court of Justice of the European Union (the “CJEU”) handed down his opinion in the so-called “Schrems II” case (case C-311/18). He recommended that the CJEU uphold the validity of the Standard Contractual Clauses (“SCCs”) as a mechanism for transferring personal data outside of the EU. Given that SCCs are the key data transfer mechanism used by many organizations to transfer personal data outside of the EU, the opinion has far-reaching repercussions and will be welcomed by businesses across the globe.

On July 9, 2019, the hearing in the so-called Schrems II case (case C-311/18) took place at the Court of Justice of the European Union (“CJEU”) in Luxembourg. The main parties involved in the proceedings, the Irish Data Protection Commissioner (“Irish DPA”), Facebook Ireland Ltd. and the Austrian activist Max Schrems, presented their arguments to the court. In addition, a number of other stakeholders intervened during the hearing, including representatives of the European Parliament, the European Commission, the European Data Protection Board, several EU Member States (including Austria, France, Germany, Ireland, the Netherlands and the UK) and the U.S. government, as well as a number of industry lobby groups and the Electronic Privacy Information Center.

On May 27, 2019, the Irish government announced that Helen Dixon, who currently serves as Irish Data Protection Commissioner, was appointed to a second five-year term in her position. Her reappointment was approved by a May 27 Cabinet vote.

On March 5, 2019, the Global Privacy Enforcement Network (“GPEN”), a global network of more than 60 data protection authorities (“DPAs”) around the world, published the results of its 2018 intelligence gathering operation on organizations’ data privacy accountability practices (the “Sweep”). On the same date, some participating DPAs released the results of the Sweep exercise carried out in their respective jurisdiction.

On December 21, 2018, the Irish Data Protection Commission (the “DPC”) published preliminary guidance on data transfers to and from the UK in the event of a “no deal” Brexit (the “Guidance”). The Guidance is relevant for any Irish entities that transfer personal data to the UK, including Northern Ireland.

On July 31, 2018, the Supreme Court of Ireland granted Facebook, Inc.’s (“Facebook”) leave to appeal a lower court’s ruling sending a privacy case to the Court of Justice of the European Union (the “CJEU”). Austrian privacy activist Max Schrems challenged Facebook’s data transfer practices, arguing that Facebook’s use of standard contractual clauses failed to adequately protect EU citizens’ data. Schrems, supported by Irish Data Protection Commissioner Helen Dixon, argued that the case belonged in the CJEU, the EU’s highest judicial body. The High Court agreed. Facebook’s request to appeal followed.

On May 16, 2018, the Irish Data Protection Bill 2018 (the “Bill”) entered the final committee stage in Dáil Éireann (the lower house and principal chamber of the Irish legislature). The Bill was passed by the Seanad (the upper house of the legislature) at the end of March 2018. In the current stage, final statements on the Bill will be made before it is signed into law by the President.

On October 24, 2017, an opinion issued by the EU’s Advocate General Bot (“Bot”) rejected Facebook’s assertion that its EU data processing activities fall solely under the jurisdiction of the Irish Data Protection Commissioner. The non-binding opinion was issued in relation to the CJEU case C-210/16, under which the German courts sought to clarify whether the data protection authority (“DPA”) in the German state of Schleswig-Holstein could take action against Facebook with respect to its use of web tracking technologies on a German education provider’s fan page without first providing notice.

The Centre for Information Policy Leadership at Hunton & Williams LLP (“CIPL”) recently submitted responses to the Irish Data Protection Commissioner (IDPC Response) and the CNIL (CNIL Response) on their public consultations, seeking views on transparency and international data transfers under the EU General Data Protection Regulation (“GDPR”).

The responses address a variety of questions posed by both data protection authorities (“DPAs”) and aim to provide insight on and highlight issues surrounding transparency and international transfers.

On September 19, 2017, the French Data Protection Authority (“CNIL”) launched an online public consultation on two topics identified by the Article 29 Working Party (“Working Party”) in its 2017 action plan for the implementation of the EU General Data Protection Regulation (“GDPR”). These two topics are transparency and international data transfers.

A recent update on the Court of Justice of the European Union’s (the “CJEU’s”) website has revealed that Digital Rights Ireland, an Irish privacy advocacy group, has filed an action for annulment against the European Commission’s adequacy decision on the EU-U.S. Privacy Shield (the “Privacy Shield”).

This post has been updated. 

On July 14, 2016, the U.S. Court of Appeals for the Second Circuit held that Microsoft Corporation (“Microsoft”) cannot be compelled to turn over customer emails stored abroad to U.S. law enforcement authorities.

On June 13, 2016, the U.S. government expressed its wish to join the legal proceedings brought by Max Schrems concerning the validity of international data transfers under EU Standard Contractual Clauses.

Along with the U.S. government, the Irish Business and Employers Confederation and the Business Software Alliance, an industry trade group, also informed Ireland’s High Court of their desire to be added to the case as amici curiae, or "friends of the court."

On May 25, 2016, Max Schrems stated that the Irish Data Protection Commissioner (the “DPC”) is expected to bring legal proceedings before the Irish courts concerning international data transfers under EU Standard Contractual Clauses.

In an unofficial statement to the Irish press, a representative of the DPC confirmed the DPC’s intention to seek declaratory relief in the Irish High Court and to recommend that the case be referred to the Court of Justice of the European Union (“CJEU”) for a preliminary ruling.

Read our previous entry on the Schrems ruling of the CJEU.

Hunton ...

On October 20, 2015, at a hearing in the Irish High Court, Irish Data Protection Commissioner Helen Dixon confirmed that she will investigate allegations made by privacy activist Max Schrems concerning Facebook’s transfer of personal data to the U.S. in reliance on Safe Harbor. Dixon welcomed the ruling of the High Court and noted that she would proceed to “investigate the substance of the complaint with all due diligence."

On March 9, 2015, the Federal Trade Commission announced that it has entered into a Memorandum of Understanding (the “Memorandum”) with the Dutch Data Protection Authority (the “Dutch DPA”).

In December 2014, we reported that various technology companies, academics and trade associations filed amicus briefs in support of Microsoft’s attempts to resist a U.S. government search warrant seeking to compel it to disclose the contents of customer emails that are stored on servers in Ireland. On December 23, 2014, the Irish government also filed an amicus brief in the 2nd Circuit Court of Appeals.

On December 15, 2014, Microsoft reported the filing of 10 amicus briefs in the 2nd Circuit Court of Appeals signed by 28 leading technology and media companies, 35 leading computer scientists, and 23 trade associations and advocacy organizations, in support of Microsoft’s litigation to resist a U.S. Government’s search warrant purporting to compel the production of Microsoft customer emails that are stored in Ireland. In opposing the Government’s assertion of extraterritorial jurisdiction in this case, Microsoft and its supporters have argued that their stance seeks to promote privacy and trust in cross-border commerce and advance a “broad policy issue” that is “fundamental to the future of global technology.”

On October 6, 2014, the Irish Office of the Data Protection Commissioner (“ODPC”) announced its success in bringing prosecution proceedings against M.C.K Rentals Limited (“MCK”), a firm of private investigators, and its two directors, for breaches of the Irish Data Protection Acts 1998 and 2003. Specifically MCK and its directors were found to have (1) obtained personal data without the prior authority of the data controller who was responsible for the data and (2) disclosed the personal data obtained to various third parties.

On April 25, 2014, a judge in the U.S. District Court for the Southern District of New York ruled that Microsoft must release user data to U.S. law enforcement when issued a search warrant, even if the data is stored outside of the U.S.

On April 8, 2014, the European Court of Justice ruled that the EU Data Retention Directive is invalid because it disproportionally interferes with the European citizens’ rights to private life and protection of personal data. The Court’s ruling applies retroactively to the day the Directive entered into force.

The Luxembourg data protection authority (Commission nationale pour la protection des donées, “CNPD”) has stated that it will not investigate complaints relating to the alleged involvement of Microsoft Luxembourg (“Microsoft”) and Skype Software S.a.r.l. and Skype Communications S.a.r.l. (collectively, “Skype”) in the PRISM surveillance program. The PRISM surveillance program involves the transfer of EU citizens’ data to the U.S. National Security Agency (the “NSA”).

As reported by Bloomberg BNA, the Irish Office of the Data Protection Commissioner (“ODPC”) has stated that it will not investigate complaints relating to the alleged involvement of Facebook Ireland Inc. (“Facebook”) and Apple Distribution International (“Apple”) in the PRISM surveillance program.

On May 31, 2013, the Council of the European Union’s Justice and Home Affairs released a draft compromise text in response to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). This compromise text narrows the scope of the Proposed Regulation and seeks to move from a detailed, prescriptive approach toward a risk-based framework.

On May 20, 2013, the Irish Office of the Data Protection Commissioner (“ODPC”) published its annual report for 2012 (the “Report”). The Report summarizes the activities of the ODPC during 2012, including its investigations and audits, policy matters, and European and international activities.

On April 22, 2013, the higher administrative court of Schleswig issued two decisions rejecting an appeal by the data protection authority of Schleswig-Holstein (“Schleswig DPA”) that sought to challenge a lower court’s earlier rulings in Facebook’s favor.

On March 1, 2013, the Irish Presidency published a note to the European Council of Ministers regarding its progress on the European Commission’s proposed General Data Protection Regulation (“Proposed Regulation”). The Note details the Irish Presidency’s work to bring a more risk-based approach to the Proposed Regulation.

On December 19, 2012, the Irish Data Protection Commissioner (“DPC”) wrote to 80 website operators requesting details regarding how they are complying with recent changes to Irish law governing the use of cookies and other similar technologies (SI 336/ 2011, the “Regulations”). The letter expects website operators, which include government departments as well as companies, to comply fully with the Regulations, which took effect 18 months ago and require user consent before deploying or accessing cookies or other information stored on users’ computer equipment. If the relevant organizations have not yet achieved compliance, they are expected to provide an explanation to the DPC explaining “why it has not been possible to comply by now, a clear timescale for when compliance will be achieved, and details of specifically what work is being done to make that happen.”

On December 12, 2012, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) released an accountability self-assessment tool designed to help organizations evaluate their internal privacy programs and practices. The tool is the product of the Global Accountability Project for which the Centre serves as Secretariat.

On October 26, 2012, following the Justice Council’s meeting, Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, delivered a speech highlighting that the Commission’s proposed data protection law reform package is currently at a crucial stage in the negotiation process. Commissioner Reding stated that “[a] high level of data protection will turn the European Union into an international standard setter” and that “[o]nly a high level of data protection will generate trust between citizens and private enterprises.” Commissioner Reding conceded, however, that “[w]e do not want rules that place an excessive burden on business,” and that the Commission is prepared to make certain concessions relating to the draft proposals in order to “strike the right balance.”

• Mending Fences after a Breach Thursday, March 8, 12:15 p.m. Speakers include: Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice, Hunton & Williams LLP; Susan Grant, Director of Consumer Protection, Consumer Federation of America; and Joanne B. McNabb, Chief, California Office of Privacy Protection.

On December 28, 2011, UK Information Commissioner Christopher Graham outlined the ICO’s agenda for 2012 in a post on the ICO blog, highlighting the European Commission’s proposals for reviewing the EU data protection framework, the post-legislative scrutiny process with respect to the UK Freedom of Information Act (“FOIA”) and the ICO’s Information Rights Strategy. The Commissioner cautioned against allowing data protection compliance to fall by the wayside in the current, tough economic climate, especially given the inevitable reputational damage caused by big data breaches and the ICO’s power to impose fines.

On November 2-3, 2011, Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) will host the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City. Marty Abrams, President of the Centre for Information Policy Leadership at Hunton & Williams LLP, is the chairman of the Conference’s advisory panel and principal advisor to Conference organizers on program content. Hunton & Williams is a proud sponsor of the event which will feature Hunton representatives as speakers or moderators on multiple panels and plenary sessions, including the following:

On January 14, 2011, the European Network and Information Security Agency (“ENISA”), which was created to enhance information security within the European Union, published a report entitled “Data breach notifications in the EU” (the “Report”).

Currently, there is wide debate throughout the EU regarding data breach notification requirements.  The debate stems from recent high-profile data breach incidents and the introduction of mandatory data breach notification requirements for telecommunication service providers imposed by EU Directive 2009/136/EC (amending EU Directive 2002/58/EC, the “e-Privacy Directive”), which must be integrated into EU Member States’ national laws by May 25, 2011.  The goal of the Report is to assist Member States, regulatory authorities and private organizations with their implementation of data breach notification policies.

The 32nd International Conference of Data Protection and Privacy Commissioners held in Jerusalem this October continued the trend from past conferences by enacting a resolution, this time with respect to the adoption of global privacy standards.  The Jerusalem Declaration calls for an intergovernmental conference in 2011 or 2012 to negotiate a binding international agreement guaranteeing respect for data protection and privacy, and facilitating cross-border coordination of enforcement efforts.  The basis for the binding international agreement would be the Madrid ...

On November 10, 2010, the American Bar Association’s Section of Antitrust Law’s International Committee and Corporate Counseling Committee hosted a webinar on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference?”.  A panel of senior officials and private sector experts provided insights on emerging cross-border data privacy and security issues.  Hunton & Williams partner Lisa Sotto was tapped to moderate an outstanding panel which included Billy Hawkes, Commissioner, Office of the Data Protection Commissioner ...

On July 6, 2010, the Irish government formally objected to the adequacy procedure initiated by the European Commission that would have allowed the free flow of European personal data to Israel, over concerns of the possible use of the information by Israeli officials.  This political move follows recent revelations regarding forgery of European passports, including several from Ireland, and their alleged use by Israel’s intelligence services.

On April 19, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of nine other international data protection authorities took part in an unprecedented collaboration by issuing a strongly worded letter of reproach to Google’s Chief Executive Officer, Eric Schmidt.  The joint letter, which was also signed by data protection officials from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, highlighted growing international concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”

In 1980, the Organization for Economic Cooperation and Development (“OECD”) first published privacy guidelines that included an accountability principle.  Since that time, little work has been done to define accountability or to describe what it means for organizations to be accountable for the responsible use and protection of data.  In an effort to fill that gap, The Centre for Information Policy Leadership has authored “Data Protection Accountability: The Essential Elements” which articulates the conditions organizations would have to meet to be accountable.  The Accountability paper is the result of the Galway Accountability Project, an initiative facilitated by Ireland’s Office of the Data Protection Commissioner and co-sponsored by the OECD.  As the project’s secretariat, the Centre served as principal drafter of the Accountability paper, which considers the concept of accountability as it applies in the current data environment where data collection and use is ubiquitous, data flows are difficult or impossible to track, and jurisdictional issues abound as data crosses national borders.  The Galway Project enlisted specialists from twelve countries, and the participation of privacy protection agencies from Europe, Asia and North America.  Consumer advocates and business representatives also took part.  The Accountability paper will bring a critical international perspective to the dialogue on changing privacy law in Europe, the United States and Canada.