Category: Privacy

Compensation for non-material damage pursuant to Article 82 GDPR

| 6 Comments
| GDPR

Compensation Article 82 GDPRThe General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [the GDPR]) provides both for public enforcement by data protection authorities and for private enforcement by any person who has suffered damage as a result of an infringement of the Regulation (on this inter-connection, see Johanna Chamberlain & Jane Reichel “The Relationship Between Damages and Administrative Fines in the EU General Data Protection Regulation” 89 Mississippi Law Journal (forthcoming 2020; SSRN)). As to private enforcement by means of damages claims, Article 82(1) GDPR provides that “[a]ny person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. CMS legal are tracking fines levied by data protection authorities in the EU – they record that, so far, 186 fines have been levied, for a total of almost €460m (the EDPB gives different numbers (pdf, pp33-34), discussed here). However, there is as yet no equivalent tracker for compensation claims, in part because there have been very few. So far as I can find, there have been eight judgments considering substantive claims for damages pursuant to Article 82 (though there have been other cases in which such compensation was claimed but the substantive issue was not reached).…

Read More »

The sooner the government changes tack on the #psc, the better for Ireland’s international reputation – updated

| 1 Comment
| GDPR, Privacy

Sunday Business Post, 22 Sept 2019On Tuesday of this week, belatedly and with very bad grace, the Department of Employment Affairs and Social Protection published the Report of the Data Protection Commission (DPC) on the Public Services Card (#PSC), which concluded that the government’s implementation of the PSC infringed data protection legislation. The government has refused to accept or comply with the Commission’s findings, and has instead, for reasons beyond understanding, gone to war with the DPC on this issue.

In my view, the Government’s unjustified defiance of the DPC imperils Ireland’s tech reputation; and I argue in an OpEd in today’s Sunday Business Post (sub req’d) (update: you can download it from the links in update 3 below) that this unseemly standoff must be resolved as quickly as possible, before irreversible damage is done to our international standing as a good location in which international tech companies can establish their European headquarters:

Dealing from bottom of the deck on the Public Services Card

The government is clinging to its legal advice on the PSC data fiasco. It needs to admit it was wrong and change course immediately

… The DPC’s report is very clear; its fundamental conclusions will undoubtedly survive legal challenge; and the government will eventually be as surely taken to task in the courts in Dublin and Luxembourg as it has been his week in the court of public opinion.

Read More »

The legal basis of the US$170m fine on Google for YouTube’s infringement of children’s privacy

| No Comments
| GDPR, Privacy

FTC NYAG Google YouTube logos

At the end of last week, the media was full of stories that Google had been “Fined $170 Million for Violating Children’s Privacy on YouTube” (that’s a headline from the New York Times; see also, for example, NPR | BBC | RTÉ | Silicon Republic). In this post, I want to sketch the legal background to, and consequences of, this fine; and, at the end, I will say a few words about the equivalent position in Europe.

In the US, the Children’s Online Privacy Protection Act of 1998 (15 USC §§ 6501–6506; hereafter: COPPA), and the Children’s Online Privacy Protection Rule (16 CFR § 312; hereafter: the COPPA Rule) made under it, regulate unfair and deceptive acts and practices in connection with the collection and use of personal information from and about children on the internet. In particular, 15 USC §§ 6502(b)(A) COPPA, and 16 CFR § 312.3 COPPA Rule, require the operator of any website or online service directed to children that collects personal information from children, or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child,

(i) to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information; and
(ii) to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children; …

Giving further effect to the second paragraph here, 16 CFR § 312.5(b)(1)

Read More »

The Great Hack and the dysaguria of Cambridge Analytica

| 3 Comments
| Digital Rights, Dysaguria, Media and Communications, Privacy

Great Hack poster via IMDBThe Great Hack has just dropped on Netflix (IMDB | Rotten Tomatoes | wikipedia | poster left). It is a documentary that explores “how a data company named Cambridge Analytica came to symbolize the dark side of social media in the wake of the 2016 US presidential election”. Much has already been written about the Cambridge Analytica scandal (eg ICO here and here (pdfs) | Carole Cadwalladr in The Guardian), and a great deal more will be written as the movie is reviewed in the coming days. I don’t propose to add to those torrents here. Rather, I simply want to observe that there is a word for a company that symbolizes the dark side of social media.

Reacting to Thomas More’s coinage of “utopia” as the “perfect state”, from the Greek “eu” meaning “good”, and “topos” meaning “place”, John Stuart Mill coined “dystopia” as the “frightening state”, from the Greek “dys” meaning “bad”, and (again) “topos” meaning “place”. But, whilst “dystopia” is perfect to describe a “frightening state” and its frightened society, it is not particularly apt to describe a “frightening company” and its frightened society. Indeed, we don’t really have the words for when a corporate society goes bad; “dystopia” and “dystopian” have been pressed into service (even in the context of reviewing The Great Hack: “Watching this film, you literally start to wonder if history has been warped towards a sickening dystopia”); but the warped society in that movie is very different to the warped society in classic dystopian fiction (such as, to take the obvious example, Orwell’s 1984).…

Read More »

Not archiving the .ie domain, and the death of new politics

| No Comments
| Copyright, GDPR, Privacy

Internet Archive Googly Eyes via FlickrAbout this time last year, the Government lost some votes on important issues as the Bill that became the Data Protection Act 2018 (also here) was at Committee Stage in the Dáil. Writing on this blog, I described this as an example of new politics making for interesting times. Rather magnanimously, they did not seek to reverse these defeats; at the last stage of the Bill, the Minister confirmed that it was “not [his] intention to revisit the putting of the amendment in any other form”. In the intervening year, much has changed – for one thing, we are a year closer to a general election, commentators forecast that the next budget in October will be this Government’s last, and there is speculation that the Taoiseach may even call a snap election earlier than that. All of this means that the detente of new politics is breaking down. There can be no surer sign of this than that the Government is no longer magnanimously prepared to accept parliamentary defeats, and will reverse them if it can. There was a shameful example of this arrogance earlier this week in the Seanad, during the Report Stage debate on the Copyright and Other Intellectual Property Law Provisions Bill 2018.…

Read More »

The further GDPR travails of Ross O’Carroll-Kelly

| No Comments
| GDPR

Ross O’Carroll-Kelly (pictured left) is in GDPR-trouble again. Last time, he was fired from his job as an estate-agent for failing to report a data breach, when his work lap-top was stolen from his car just as the GDPR came into full effect. This time (as recounted in last Saturday’s Irish Times magazine; audio here), he learns to his great cost the power of the data subject access request under Article 15 GDPR.

The background is well explained by Jennifer O’Connell’s experiences also recounted in last Saturday’s Irish Times magazine. Her story starts with staff members in a hotel asking customers: “If you enjoyed the service, would you minding leaving a TripAdvisor review, and mentioning me by name?” As she explains

It’s not only people in the service industry whose job security now rests on the whims of the terminally irate. If you’re a writer, Goodreads and Amazon reviews are your nemesis. If you’re a driver, it’s Uber. If you rent out your house, it’s Airbnb. If you’re a journalist, it’s the below-the-line comments.

She hasn’t reviewed the hotel waiter yet (she’ll be kind); but “in a Dublin hotel a few months ago, unable to sleep due to the sound of the four-hour, vigorous, live-action porn show on the other side of the cardboard door connecting [her] room with the one next door, [she] lay there plotting [her] TripAdvisor review”.…

Read More »

60minutes says that the GDPR is the law that lets Europeans take back their data from big tech companies

| No Comments
| GDPR, Privacy




From the report embedded above (with added links):

Tech companies’ reign over users’ personal data has run largely unchecked in the age of the internet. Europe is seeking to end that with a new law

… the European Union enacted the world’s most ambitious internet privacy law [the General Data Protection Regulation (the GDPR)], even winning support from the CEO of the biggest tech company in America, Apple’s Tim Cook. …

Max Schrems: The default under the European system is you’re not allowed to use someone else’s data unless you have a justification. …

Jeffrey Chester: Americans have no control today about the information that’s collected about them every second of their lives. …

Today, if one of the big tech companies chooses to ignore Europe’s new data protection law it could cost them 4 percent of their global revenues, which for the biggest companies would mean billions of dollars. Those decisions will likely be made here in Dublin, … Ireland’s data protection commissioner Helen Dixon says it’s not going to be business as usual.

Helen Dixon: U.S. internet companies have no doubt that this law is serious, it has serious bite. And all of them are eager to avoid any engagement with that.

Read More »

Cliff Richard v BBC – Part II – Media speech and publication in the public interest

| 1 Comment
| Freedom of Expression, Privacy

The record man said
‘Don’t let it go to your head, I’m gonna make you a star’
… So mama please don’t worry about me, I’m nearly famous now.

Sir Cliff Richard OBE in Greenwich 2017 (via Flickr) (element)1. Introduction
The words above are in the first verse of “I’m Nearly Famous”, the title track of an album released in 1976 by Sir Cliff Richard [Sir Cliff], pictured left rocking Greenwich, UK, in 2017. Six weeks earlier, the South Yorkshire Police [SYP] had admitted that their tip off to the BBC that he was being investigated in respect of allegations of historic sex abuse infringed his privacy (see, eg, Richard v BBC [2017] EWHC 1648 (Ch) (26 May 2017)). On foot of that tip off, the British Broadcasting Corporation [the BBC] gave those allegations and the search of Sir Cliff’s property in Sunningdale, Berkshire prominent and extensive television coverage. Last week, in Richard v BBC [2018] EWHC 1837 (Ch) (18 July 2018) Mann J held that that the BBC’s broadcasts also infringed Sir Cliff’s privacy, and awarded him £210,000 damages. In a previous post, I have considered Mann J’s analysis that Sir Cliff had a reasonable expectation of privacy under Article 8 of the European Convention on Human Rights [the ECHR] in respect of the police investigation.…

Read More »

© cearta.ie 2020. Powered by WordPress