Pictured (l-r): Anne-Marie Bohan, Head of Matheson Technology and Innovation Group, Chris Bollard, Partner at Matheson Technology and Innovation Group and Irish Data Protection Commissioner, Helen Dixon.
In advance of Data Protection Day today, Monday 28 January 2019, Matheson last week welcomed Irish Data Protection Commissioner Helen Dixon to its Dublin office for its annual briefing. The Commissioner joined Anne-Marie Bohan and Chris Bollard, Partners within the Matheson Technology and Innovation team, to discuss recent developments in data protection law, including the impact of the GDPR since its introduction in May 2018 and the potential challenges and opportunities that Brexit may bring.
At the event, the Commissioner described 2018, the first year of the GDPR, as the year that data protection became part of mainstream public discourse, noting the significant levels of awareness in Ireland. While the Commission’s focus for last year was on socialising and implementation of the GDPR, 2019 will focus on monitoring and enforcement, with the Commissioner noting that high levels of awareness, building on 2018, will be crucial for compliance. The Commissioner also noted that issues concerning data, privacy and associated areas are not isolated areas of law, with the debate about the interplay of privacy and fundamental issues such as power, democracy and the human role within AI technology increasingly coming to the fore. In Ireland, given the mix of industries, including tech, social media, pharma and financial services, the regulator operates in complex and specific contexts, and the policy and judicial decision making processes will need to address often difficult balances.
Also speaking at the event, Chris Bollard described the main issues Matheson and the firm’s clients have faced since the introduction of the GDPR legislation on 25 May last year. These issues include a huge increase in data breach notifications, negotiations over liability in data processing agreements, the reappraisal of controller/processor roles in commercial arrangements and structuring for one-stop-shop / lead supervisory authorities. Among the further issues described was the concern regarding the ePrivacy regime, and how claims for non-material harm might be approached by the courts. In describing these and various issues, Bollard stated that there is a distinction between privacy actions or “misuse of private information” style torts, and data protection actions as provided for in the Data Protection Act 2018. Furthermore, it is anticipated that going forward we will see data protection actions included in civil claims as there are more ways to breach the GDPR and plaintiff’s rights, with the public more aware of their rights than ever.
In her presentation, Anne-Marie Bohan, who heads up Matheson’s Technology and Innovation group, focused on the international reach of GDPR, specifically addressing the areas of territorial scope, cross-border processing and international transfers, noting that these issues were at the core of the recent €50 million administrative sanction imposed by the French Regulator, CNIL, on Google. Bohan also addressed the potential issues arising from Brexit and of the UK becoming a third country for data protection purposes. Commenting on the upcoming exit of the UK from the European Union, she described how international transfer safeguarding measures will be required not only in the event of a hard Brexit, but also in the event that, should the withdrawal agreement apply, there is ultimately no determination by the European Commission that UK law gives adequate protection to personal data.
