To mark Data Week, Mason Hayes & Curran looks at three areas surrounding data protection that are important both now and for the future.
Data protection in Ireland is being ramped up, with companies failing to adhere to data laws now in greater danger of facing fines of up to €20m.
Looking globally, there have been some high-profile examples of data protection and the legal rights to it being played out in the courtroom, including the Google Spain ‘right to be forgotten’ case.
There is then, of course, the EU’s highest court declaring in 2014 that the EU Data Retention Directive was invalid, resulting in uncertainty for the corresponding national laws across the EU.
In an opinion piece from the European Parliament’s Legal Services, the organisation said it firmly believed that EU member states should examine their national data retention measures to see whether they complied with the decision of the court.
So, what changes has Ireland undergone in recent years and what precedent has been set by decisions outside of our control?
ISO 27018: Cloud computing privacy standard – one year on
Last September marked the first anniversary of the publication of ISO 27018 – an international privacy standard governing the processing of personal data in the cloud – that has been well received by data protection experts, but has not been without challenges for both customers and cloud providers.
The standard confused many analysts and cloud providers as it made a number of references to both physical storage media and hard-copy materials, which seems somewhat out of place on a list of requirements for online cloud services.
However, as Mason Hayes & Curran explains, cloud customers have been welcoming of the decision in the face of a growing demand for total company transparency now and in the future.
You can read more about MHC’s thoughts on what ISO 27018 has achieved so far here.
Personal data and your right to access it — Ireland vs the UK
We might share much in common with our nearest neighbour but, in some instances, we can be worlds apart.
One such instance, highlighted last September by Mason Hayes & Curran, is the legal framework for data protection surrounding a person’s right to access data relating to them in contentious cases.
One area that the two nations differ on was highlighted in the case of Ali Babitu Kololo, who submitted a subject access request (SAR).
Kenyan national Kololo was found guilty of robbery with violence and the kidnapping of British nationals and sentenced to death by a Kenyan court. As part of a challenge to his conviction, lawyers for Kololo submitted a SAR to the UK Metropolitan Police Service (MPS), which assisted with the investigation, but the reasoning behind this request was challenged by the MPS.
Under Ireland’s legal framework, however, there’s much more power in the hands of the individual, as you can read about in more detail here.
Challenges to data protection under the internet of things
Regular readers will be familiar with the concept of the internet of things (IoT), believed to be the next step in technology that will connect billions of devices sharing vast amounts of information with one another.
Unsurprisingly, within that, there are major implications for data protection, which led to think tanks and governmental organisations putting their minds to work to develop frameworks that could lead to a regulatory standard for IoT devices to follow.
What came from this, among other things, was the Article 29 Working Party – a collection of 28 EU national data protection authorities – which devised a list of 10 of the biggest challenges facing an IoT future.
You can read about what these 10 challenges are, as well as some of the additional measures discussed by Mason Hayes & Curran, here.