27 March 2020
Data protection complaints
Data breach notifications
Data compliance investigations
Cookies and adtech
Data protection enforcement and prosecutions
OSS for data protection complaints
Brexit and international aspects of data protection compliance
The Data Protection Commission (DPC) recently published its annual report for 2019, the first full calendar year since the EU General Data Protection Regulation (GDPR) came into force.
The report provides a number of interesting insights into the DPC's activities over the past year. This article highlights the key trends and issues identified in the report and the areas on which the DPC is likely to focus in 2020. It is clear from the report that as compliance with the GDPR continues to be a significant area of focus for organisations, the DPC is intensifying its efforts and expanding its operations. As such, organisations can expect an increase in the DPC's supervisory, compliance and enforcement activities.
The number of complaints received by the DPC in 2019 increased by 75% (7,215 in total). Of these, 29% related to subject access rights, although in proportion to other categories of complaint, this figure is dropping. The report reiterates that there is a presumption in favour of disclosure on the part of data controllers when handling subject access requests. Complaints relating to disclosure and fair processing made up the next highest proportion of complaints at 19% and 16% respectively.
Telcos and banks remain the most complained about sectors, with many complaints focusing on the issue of account administration and charges. The DPC has expressed frustration that these consumer protection issues are being addressed via complaints to the DPC rather than being dealt with within those sectors. Over the past year, there has been an increase in the number of complaints about internet platforms, with the key focus being on the management of an individual's accounts and the right to erasure once individuals leave the platform.
Disputes between employees and employers or former employers remain a significant theme of complaints to the DPC. The report states that "this is undoubtedly driven by the fact that neither the [Workplace Relations Committee] or the Labour Court can order discovery in employment claims". Arguably, the absence of discovery powers means that subject access requests often play a central role in employment claims.
There were 6,069 valid data breaches notified to the DPC in 2019, an increase of 71% from 2018. Unauthorised disclosures made up 83% of the breaches and there was an increase in the number of repeat breaches of a similar nature by many organisations (predominantly in the financial sector). The DPC recommends that data controllers take steps to mitigate the risk of data breaches, such as:
In 2019 the DPC had 70 ongoing statutory inquiries, including 21 cross-border inquiries. In the technology sector, the DPC is currently involved in six statutory inquiries relating to several high-profile multinational tech companies. These inquiries relate to several areas of compliance with the GDPR, including:
Investigations into big tech companies progressed in 2019, with two inquiries moving from the investigative stage to the decision-making stage. The decisions from these inquiries are expected in 2020. The DPC highlights some of the complexities that it faces in dealing with legal procedural issues raised during the inquiry processes (eg, the application of legal privilege). The report indicates that many of these issues will be resolved following the conclusion of the first wave of statutory inquiries.
Although the DPC acknowledges that the new legal framework under the GDPR will take time for organisations to implement, it notes that intensive work is underway in relation to compliance and prosecutions. As such, the number and level of fines imposed for non-compliance are expected to increase. An example of this can already be seen with regard to direct marketing offences. Offences in this area were pursued rigorously in 2019 and 165 new complaints were investigated (77 related to email marketing, 81 related to SMS marketing and seven related to telephone marketing). Prosecutions were concluded against four entities in respect of nine offences under the E-Privacy Regulations, with penalties ranging from a criminal conviction and fine for repeat offenders to court-ordered charitable donations in lieu of a conviction or fine for more minor breaches.
In its supervisory role, the DPC received 1,420 general consultation queries during 2019. In the public sector, the DPC consulted with government departments on legislative proposals involving the processing of personal data, including parental leave and gender pay gap data. Recurring concerns for private sector organisations emerging from the DPC supervisory function include:
Linked to its function as a supervisory authority, the DPC's information and assessment unit was contacted almost 48,500 times in 2019, including 22,200 times by phone and 22,300 times by email. In 2019 the DPC published more online guidance to assist in interpreting the GDPR and the Data Protection Act 2018 and it intends to produce more guidance in 2020, particularly case studies illustrating the practical application of data protection principles. Notwithstanding the increased level of guidance published by the DPC in 2019, it is nowhere near the level produced so far by the UK Information Commissioner's Office (ICO).
The DPC received 712 new data protection officer (DPO) appointment notifications from organisations in 2019 (577 in the private sector), bringing the total to 1,596. The DPC intends to mobilise its DPO network in 2020 to foster peer-to-peer engagement and knowledge sharing. The first initiative for the network was supposed to be a DPO conference scheduled for 31 March 2020, which has been postponed due to the coronavirus pandemic.
The DPC is the lead supervisory authority for numerous multinationals whose main establishment is in Ireland. This means that under the one-stop-shop (OSS) mechanism introduced by the GDPR, it has jurisdiction to manage and address data protection complaints relating to those multinationals that arise in other member states. Under the OSS system, the DPC must consult extensively with other data protection supervisory authorities when handling regulatory matters. It must also share draft decisions on complaints referred, or inquiries conducted, under the OSS with all concerned supervisory authorities and consider their views before finalising the decision. In 2019 the DPC received 457 cross-border processing complaints under the OSS which were lodged by individuals via other EU data protection authorities.
Brexit preparation constituted a considerable amount of work for the DPC throughout 2019. The DPC spent significant time engaging with stakeholders to provide information on Brexit, particularly in relation to Irish companies transferring personal data to the United Kingdom. In the area of international data transfers, a key focus for the DPC has been assessing and approving binding corporate rules (BCRs), which were introduced for organisations that need a global approach to large-scale data transfers. In 2019 the DPC acted as lead reviewer in relation to 19 BCR applications for 12 different companies. The DPC expects this number to increase in 2020 during the post-Brexit implementation period, when organisations with BCRs approved by the ICO will look to have these approved by an EU member state's data protection authority. In 2019 the DPC also continued to take part in various projects and programmes for international engagement and cooperation on data protection issues with other data protection supervisory authorities and stakeholders.
The DPC regulatory strategy for 2020 to 2025 will be published later in 2020. In advance of this, the DPC has engaged in focus groups with the public to establish their expectations and awareness of the DPC. The findings highlighted that many people were confused about their rights and would welcome more real-world examples to understand how they apply in practice. In response, the DPC intends to produce more case studies to highlight issues from a consumer or controller point of view.
Other future areas of focus for the DPC include:
The DPC's annual report illustrates how the application of data protection principles is continuing to evolve to respond to developments in technology, business, social and legal practices. As such, all organisations will need to ensure that their compliance with the GDPR is kept under review. Helpfully, an increase in the amount of guidance is expected in 2020 as a result of DPC consultations and publications and the outcome of investigations and enforcement proceedings.
The report includes several case studies and contains detailed information on the outcome of a statutory investigation carried out by the DPC. These provide useful guidance for organisations and practical insights into how the DPC is interpreting and applying data protection principles in real-life scenarios.(1)
For further information on this topic please contact Linda Hynes at Lewis Silkin Ireland by telephone (+353 1566 9876) or email (firstname.lastname@example.org). The Lewis Silkin Ireland website can be accessed at www.lewissilkin.com/en/ireland.
(1) The full report is available here.