Tag: Irish Data Protection Commission

Irish DPC to assess TikTok’s plans for opening Data Centre in Ireland

13. August 2020

The short video app TikTok is planning to establish a data centre in Ireland under the One Stop Shop (OSS) data processing mechanism, the Irish Data Commission has stated.

However, the company needs to first be assessed to determine if they meet the requirements of the OSS.

The OSS rules, introduced under the General Data Protection Regulations (GDPR) rules, mean companies can make the Irish Data Protection Commission the lead supervisory authority, if they meet the criteria, and would not have to deal with regulators in each of the 28 EU member states but could be monitored by a lead regulator in one state. This would benefit the company in the case that if something happens, it would be one investigation, one decision and one appeal, rather than one for each country affected.

These plans come at a time when the popular app is facing some criticism, however. Not only is TikTok on the verge of being banned in the United States, a lot of doubts in regard to their handling of user data have surfaced in the past few months.

Last week in Beijing, the Beijing Internet Court ruled against TikTok’s owner Tencent Holdings in cases alleging the misuse of user data. The data was shared without consent between the WeRead and WeChat apps, violating the users’ privacy.

The move to establish a data centre in Ireland “will create hundreds of new jobs and play a key role in further strengthening the safeguarding and protection of TikTok user data with a state of the art physical and network security defense system planned around this new operation,“ stated Global Chief Information Security Officer of the company, Roland Cloutier.

Following the moves of big tech giants of recent years, TikTok plans to open the data centre by the year 2022. The Irish Data Protection Commissioner stated that the examination for the OSS mechanism is currently underway.

Irish Data Protection Authority investigates Google’s processing of location data

6. February 2020

The irish data protection authorty (namely The Data Protection Commission (DPC)) is, in its role as Lead Supervisory Authority, responsible for Google within the European Union.

The DPC startet a formal investigation into Google’s practices to track its user’s location and the transparency surrounding that processing.

Following a number of complaints by serveral national consumer groups all across the EU, the investigation was initiated by the DPC.  Consumer organisations argue that the consent to “share” users’ location data was not freely given and consumers were tricked into accepting privacy-intrusive settings. Such practices are not compliant with the EU’s data protection law GDPR.

The irish data protection authority will now have to establish, whether Google has a valid legal basis for processing the location data of its users and whether it meets its obligations as a data controller with regard to transparency.

The investigation will add further pressure to Google. Google is facing a handful of investigations in Europe. The DPC has already opened an investigation into how Google handles data for advertising. That investigation is still ongoing. If Google is found not complying with the GDPR, the company could be forced to change its business model.

However, there are still a number of steps before the Irish DPC makes a decision including the opportunity for Google to reply.

Advocate General’s opinion on “Schrems II” is delayed

11. December 2019

The Court of Justice of the European Union (CJEU) Advocate General’s opinion in the case C-311/18 (‘Facebook Ireland and Schrems’) will be released on December 19, 2019. Originally, the CJEU announced that the opinion of the Advocate General in this case, Henrik Saugmandsgaard Øe, would be released on December 12, 2019. The CJEU did not provide a reason for this delay.

The prominent case deals with the complaint to the Irish Data Protection Commission (DPC) by privacy activist and lawyer Maximilian Schrems and the transfer of his personal data from Facebook Ireland Ltd. to Facebook Inc. in the U.S. under the European Commission’s controller-to-processor Standard Contractual Clauses (SCCs).

Perhaps, the most consequential question that the High Court of Ireland set before the CJEU is whether the transfers of personal data from the EU to the U.S. under the SCCs violate the rights of the individuals under Articles 7 and/or 8 of the Charter of Fundamental Rights of the European Union (Question No. 4). The decision of the CJEU in “Schrems II” will also have ramifications on the parallel case T-738/16 (‘La Quadrature du net and others’). The latter case poses the question whether the EU-U.S. Privacy Shield for data transfers from the EU to the U.S. protects the rights of EU individuals sufficiently. If it does not, the European Commission would face a “Safe Harbor”-déjà vu after approving of the new Privacy Shield in its adequacy decision from 2016.

The CJEU is not bound to the opinion of the Advocate General (AG), but in some cases, the AG’s opinion may be a weighty indicator of the CJEU’s final ruling. The final decision by the Court is expected in early 2020.

Data Protection Commission announces statutory inquiry into Facebook

17. December 2018

The Irish Data Protection Commission announced in a press release on  December 14, 2018 that it had initiated a statutory inquiry into Facebook.

Due to the frequent, especially in the recent past, data breaches of the American company and the total number of reported data breaches since the GDPR came into force on May 25, 2018, the Irish Data Protection Commission has initiated an investigation into compliance with the relevant provisions of the GDPR against Facebook.

In recent weeks, reports of renewed breaches of data protection by Facebook have continued.

Most recently, it became known that the Italian competition authority AGCM had imposed a fine of 10 million euros on Facebook because the company had passed on data to other platforms without the express consent of the users and that a bug in the programming interface for picture processing led to third-party apps having access to pictures of 6.8 million Facebook users, some of which had not even been published by the users.