Share these talks and lectures with your colleagues
Invite colleaguesPractice paper
Observing 2021–22 data breach decisions of the Irish Data Protection Commission
Journal of Data Protection & Privacy,
5
(3),
254-266
(2023)
Abstract
The Irish Data Protection Commission (DPC) regulates many of the top global technology companies and as such its decisions have a significant impact on the companies and on the many users of their platforms. This article examines a number of recent data breach decisions of the DPC and finds them forensic, focused, reasoned and formulaic in approach. The decisions deal with key General Data Protection Regulation (GDPR) provisions, notably on requirements for data breach notification and communication with data subjects. In a change of strategy earlier this year, the DPC no longer offers guidance to controllers dealing with a breach, as was its previous practice. Decisions such as these are likely to help fill that vacuum.
Keywords: data breach; breach notification; DPC; data subjects
The full article is available to subscribers to the journal.
Author's Biography
Marie C. Daly has a background as a litigator, employment and data protection lawyer and lobbyist. She latterly served as the general counsel of Ibec, the largest Irish lobby and business representative group, for over 16 years before joining Covington and Burling LLP. This included responsibility for ensuring competition compliance for 38 trade associations and the development of a data protection compliance regime in recent years. Marie has significant corporate governance experience in the private and public sector having also served as a long-standing board member of two Irish regulators. Marie was, until recently, a member of the Irish Company Law Review Group, appointed by the Minister of Business Enterprise and Innovation, and was deeply involved in the drafting of the comprehensive new Companies Act 2014.
