
GDPR; Getting ready for Privacy by Design

Privacy by design

Article 25 GDPR requires organisations to adopt privacy by design and by default. Generally, these will come as new principles in data protection implementation to many of the organisations obliged to adopt those principles before 25th May 2018. That’s the date the Regulation comes into force.

Failure to do this will be easily detected; under Article 30 GDPR organisations are obliged to establish and maintain a register of data processing activities. Implementation of privacy by design and by default should be recorded in the register. Failure to record will reveal a failure to comply, attracting a fine. A false record relating to Article 30 would constitute a crime attracting the penalties under the GDPR and those penalties are very severe (a fine of up to €10 million or 2% of annual global turnover).

Implementing security for personal data is essentially a sub-set of privacy by design and by default. Data controllers and processors must implement appropriate technical and administrative measures to protect the personal data. Those measures must be tested regularly to ensure their effectiveness.

Again, these steps and measures must be recorded in the register of treatment activities.

These are policies that can be expected to come from the highest level of authority in an organisation. The senior management of an organisation must make sure there is enough time to comply with the GDPR before 25th May 2018. The EU provided a period of two years to become compliant; over 50% of that time is gone.

Many organisations are gearing their compliance projects up now. Data Compliance Europe can offer assistance in assessing where you are now, compared to what you need to be doing to be ready for GDPR. This sort of Gap Analysis should be one of the first steps taken in a GDPR project, as it will set out the roadmap for everything to follow.

GDPR: Is your business a Foinavon?

GDPR is a race to the finish

Less than one year from now every business holding (i.e., processing) personal data will have undergone a significant process of internal change or will, more likely than not, be in breach of the GDPR. The change process will have started at the top of the business and will have devolved downwards in the form of training (and other changes). With a considerable amount of work businesses can make the necessary changes. Those businesses that succeed in changing and adapting will survive; those that fail will not survive the effects of the GDPR fines and other losses in the form of compensation awarded in civil action claims from individual data subjects (the people who own the personal data).

The process of change will not be easy. It will not be quick.

Organisations can get help, to change, from Data Compliance Europe.

PS. Foinavon won the Grand National in 1967 at odds of 100/1. His rivals fell at the 23rd fence in a melee. He was well behind coming to the fence and managed to swing wide as he jumped, gaining a 30 length lead on his rivals.

GDPR; The Peril of holding data without good title

title deed

If you belong to some form of “circulating library” of personal data, less than one year from now you will encounter an excruciating dilemma. Under Article 14 of the GDPR you must notify the data subjects, whose data you have just received, of that fact and of your intentions with regard to the data. If you fail to do that you will be in breach of the Regulation. If you do it, the data subjects may direct you to delete it. If there is no legal basis for your possession of the personal data in the first place it is very likely that the data subject will report you to the regulator.

What is necessary to know is this; personal data will require to be accompanied by its “title deeds”. The ownership or right to possession of personal data, and the right of transfer, must be proved.

Possession of personal data will not be cheap. Receiving it might prove to be very expensive.

Phishing Fraud Warning

Phishing warning-
People are apparently receiving these emails purporting to be relating to McGarr Solicitors from a domain called They’re not from us. Don’t click them- just delete.

This is a phishing email, not from McGarr Solicitors

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) comes fully into effect on 25th May

I suggest this soundbite to sum up the GDPR; “Nothing about me without me”.

The phrase is not new; it comes most recently from the UK National Health Service in the terms “No decision about me without me”.

Under the GDPR, processing of personal data (possession is processing) must be legal; it must be lawful. Each act of processing must be confirmed to be lawful and documented. That means that organisations must show and prove compliance by reference to records kept in relation to all personal data processing activities, specifying the purpose of the processing, the lawful basis for the processing, who the data subjects are, details of any recipients that the data may be shared with, retention policies and security measures taken.

An essential element of GDPR requirements is the obligation to have the data subject’s consent to the processing. Forms of “consent” previously valid or sufficient may not suffice for the GDPR.

So, if an organisation cannot conform to a standard in the terms “Nothing about me without me”, it will be acting illegally as of 25th May 2018 if it processes personal data. Remember, possession is processing.

One Year Plus One Month

There is a revolution coming; in fact it has arrived. The revolution is favourable to persons, to individuals.

A person is, in principle, entitled to control of her data. If government or commercial interests wish to use that data they must comply with the General Data Protection Regulation (GDPR).

The GDPR is current law and comes into effect on 25th May 2018. That date represents a cliff-edge. That edge has been made more severe due to Brexit.

Brexit, as the UK has expressed it to date, is in principle a wish to evade EU laws (including the GDPR).

However, every UK-based entity/undertaking, the UK itself, will be exposed to the GDPR, subject to its provisions and obliged to comply with those provisions while it is processing the data of EU citizens.

Contemporaneous with that, every Irish entity, the Irish state itself, must ensure that any data sent to the UK from Ireland, the process of sending it, is in compliance with the GDPR. That may result in the necessity of stopping data flows to the UK, in order to avoid triggering a breach of the GDPR in Ireland.

Breach of the GDPR will expose entities to considerable penalties in the form of fines. Undertakings are exposed to the possibility of being fined up to €20 million or 4% of annual global turnover, whichever is the higher.

Undertakings in Ireland, holding data, may not hold that data unless the data was obtained fairly. The concept of fairness carries the obligation to give detailed information about how data is processed, the grounds being used to justify processing data, (just holding data is “processing”), what rights individuals have to access, delete and “port” data, and object to processing.

There is a lot to do.


“Brexit” is a neologism and a portmanteau word. It is one we have become familiar with in recent months. I doubt it is in any dictionary, being too new.

Nevertheless, looking things up in dictionaries can be useful, even though you can’t find the word you are searching for. In connection with Brexit, “nominalism” is worth a look, about which my dictionary commences – “… a denial of the existence of abstract entities of any kind…”.

Brexit is surely an abstraction, currently lacking a definition, but a complete refutation of nominalism.

Of lesser weight, but still significant, is a common error of grammar heard from Ernie Wise on the BBC in 1987; “Everyone got used to the image of Eric and I”.

Ernie was handicapped by the absence of helpful books on grammar in bookshops. There are books on grammar in bookshops but they are not helpful.

The New Yorker once featured a cartoon showing a cop writing a “traffic ticket”. The malefactor is driving a van with “ME AND WALLYS PRODUCE” on the side. The cop is saying; “Sorry, but I’m going to have to issue you with a summons for reckless grammar and driving without an apostrophe”.

Words matter.

Submission to the Oireachtas Committee on Health re Part 2 of the General Scheme of the Health Information and Patient Safety Bill

This submission was made today, slightly after the deadline of 3pm.

Nonetheless, I have submitted it for the consideration of the Oireachtas Committee on Health in response to their call for submissions.

I post it here for reference. Printable version can be downloaded here:




By Simon McGarr, McGarr Solicitors

Section 5 (1)

“Nothing in this Act shall be construed as permitting the processing of personal data and personal health data in contravention of the Act of 1988 except to the extent provided by any provision of this Act.”

Comment: The Data Protection Acts are a transposition of EU Law (specifically, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (the Data Protection Directive)) and any national legislative provision which purports to restrict, amend or create exemptions from same is ineffective. The State must be bound by the provisions of the Data Protection Directive and its national transposition in the Data Protection Acts. The Acts permit specific and limited infractions on a citizen’s data protection rights, but only when such a provision is provided for by law and, as an additional requirement which it is important to note, only when such legal provision is necessary and proportionate. (See joined cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Ors)

All of which is to say that, if there are any modifications of the Data Protection Acts which are not already in compliance with those Acts, then they are, by definition, not in compliance with Ireland’s duties to apply EU Law.

Section 6:

This right already exists in Section 6 of the Data Protection Acts. It is common, for example, for Plaintiffs in personal injury actions to make Data Access Requests for their Personal Data from medical providers and to nominate their solicitors to receive same on their behalf. Though it is couched in such a way as to create an additional right (the right to compel the delivery of medical records to a nominated third party), this right is already dealt with in the Data Protection Acts. This section appears to instead seek to create a parallel data access right to that already granted under Section 4* of the Data Protection Acts, but, in sub-Section (2), to purport to create additional requirements upon a data subject in making a request and in subsection (3) to create exemptions from the requirements to respond to Data Access Requests and in subsections (4) and (5) to create further exemptions from the requirement to provide records to a data subject on receipt of such a Request. It is not open to Ireland as an EU member state to create such a divergent data subject access system. Subsection (6), which states that subsections 2-5 of that heading is without prejudice to the rights under the Data Protection Acts simply recognises the legal reality while also rendering subsections 2-5 ineffective. Subsection 8 attempts to define a class of personal data records as not falling within the definition of health records. Again, it is not available to an EU member state to seek to redefine the definition of personal data or classes thereof.

It is not possible to restrict EU Law rights by national legislation, simply by asserting that such a restriction is without prejudice to the EU law rights.

Section 7

This seems sensible.

Section 8.

No comment on this section

Section 9

This section is to be welcomed. However, it is not clear that it is helpful to try to create a new category of data “personal health information”. It would be better to use the terms defined in EU law and caselaw- “Sensitive personal data” and “personal data”. Any domestic category will have to be interpreted at some point to identify which EU category it sought to embody.

Section 10

This is the section most impacted by the decision in the Bara and Digital Rights Ireland cases. This section simply is not in compliance with EU Law as interpreted by the CJEU and should be redrafted to bring it in line with same. In addition, Subsection (5) of this head is an infringement on the Independence of the Data Protection Commissioner, a right derived from the Charter of Fundamental Rights of the EU and the Data Protection Directive.

Section 11

This section is outside my competency to comment upon.

Section 12

Subsection (5) of this head is an infringement on the Independence of the Data Protection Commissioner, a right derived from the Charter of Fundamental Rights of the EU and the Data Protection Directive.

*originally, incorrectly, this cited Section 6

McGarr Solicitors representing Syrian refugees

UNHCR/Achilleas Zavallis

McGarr Solicitors is acting for a number of Syrian refugees being held in Greece including Ensaf, 13, and her father Bashar. They are challenging the decisions of the European Council that have led to them being kept apart from Ensaf’s mother Layali and her brother Riyad, 15, now safely resettled in Germany.

Last year their home in Syria was bombed, and the family’s priority was to use what little money they could scrape together to get their deeply traumatised son out of Syria. Layali and Riyad went ahead, and Ensaf and Bashar waited in Syria while Bashar recovered from a head injury from the bombing.

But the day Ensaf and Bashar arrived in Greece by rubber dinghy was the 20th of March, the first day the EU-Turkey Agreement was implemented, mandating that “All new irregular migrants crossing from Turkey to the Greek islands as of 20 March 2016 will be returned to Turkey.” As a direct result of the decisions taken by the Taoiseach and the other members of the European Council unanimously voting for the EU-Turkey Agreement, Ensaf and Bashar are still stuck in Greece, waiting in an administrative limbo where they are unable to access their legal right to reunite with their waiting family in Germany.

EU Law

EU law recognises the importance of family reunion amongst refugees. The Dublin Regulation allows a family member arriving in a Dublin Regulation country (such as Germany) to apply for immediate family members to join them.

The EU was conceived in the midst of the greatest refugee crisis in European history. The 1948 Universal Declaration of Human Rights guarantees a ‘… right to seek and to enjoy in other countries asylum from persecution’ and in 1951 the Geneva Convention defined refugees’ specific rights, including the right not to be forcibly returned to countries they have fled.

On the 24th June 2016, our office issued proceedings naming the European Council, the European Union, Ireland and the Attorney General as defendants. All the defendants have now entered conditional appearances (nominated their legal representatives). We will be seeking to have the case referred to the Court of Justice of the European Union (CJEU) for a decision on the legality of the European Council’s actions that have left Ensaf and her family divided.

This case is being brought on behalf of families in two different countries. But clearing the blockages to their reunification has the potential to bring resolution and reunification to many of the families similarly victimised, separated and trapped by the arbitrary actions arising from the unlawful EU-Turkey Agreement in European camps.

All of which is the sort of thing you’d expect to read about on a solicitor’s website, but doesn’t carry the emotional weight of listening to one 13 year old girl and her mother who just want to be together again.

Microsoft wins in US Warrant Case over data in Ireland

US 2nd Circuit Courthouse where Microsoft win their warrant appeal

As readers with long memories may recall, McGarr Solicitors and White and Case of NY represented Digital Rights Ireland, joined by Liberty and the Open Rights Group in their amicus application to the United States Court of Appeals for the Second Circuit in support of Microsoft’s appeal against an order in respect of a Warrant seeking certain data which was located in Dublin.

You can read about that, including the full text of the amicus brief as filed, at our post on the matter.

Today the result of the case came out, with two written judgments, both concurring that Microsoft should prevail and that the orders of the lower courts should be reversed and vacated.


You can download and read the joint judgment of Judges Carney and Bolden here.
However, I would also suggest- if you are the sort of reader who is interested in these matters- that the concurring judgment of Mr. Justice Lynch is also well worth reading. He has made a special point of addressing the role of Congress in updating US law to take account of both privacy concerns and the concerns of other sovereign states.

He closes his judgment;

I fully expect that the Justice Department will respond to this decision by seeking legislation to overrule it. If it does so, Congress would do well to take the occasion to address thoughtfully and dispassionately the suitability of many of the statute’s provisions to serving contemporary needs. Although I believe that we have reached the correct result as a matter of interpreting the statute before us, I believe even more strongly that the statute should be revised, with a view to maintaining and strengthening the Act’s privacy protections, rationalizing and modernizing the provisions permitting law enforcement access to stored electronic communications and other data where compelling interests warrant it, and clarifying the international reach of those provisions after carefully balancing the needs of law enforcement (particularly in investigations addressing the most serious kinds of transnational crime) against the interests of other sovereign nations.

The full concurring judgement can be read and downloaded as Microsoft Concurring Opinion 2d Cir at that link.