The Data Protection Commission (“DPC”) recently published its Annual Report for 2021. The Report looks back on the DPC’s regulatory activity over the past year. 2021 was another busy year for the DPC, and the Report highlights the most common types of complaints and breach notifications received; the progress it has made in regard to ongoing domestic and cross border inquiries; and the fines, reprimands and compliance orders it has issued for violations of the GDPR and Law Enforcement Directive (“LED”).
The DPC received 7,469 queries and 3,419 complaints from individuals last year. Of the 3,564 complaints concluded by the DPC in 2021, 463 complaints were concluded by “fast track” amicable means. In excess of 3,100 further complaints were also resolved, but required a higher number of iterative contacts between the parties to achieve resolution. Where an amicable resolution is successfully achieved, a complaint will be deemed to be withdrawn, in accordance with Section 109(3) of the Data Protection Act 2018.
The right of access continues to give rise to the largest number of complaints to the DPC annually. By the end of 2021, the DPC had received 331 new access-related complaints. The Report notes that when the DPC investigates these complaints, it often transpires that the controller has either: (a) not performed an adequate search for personal data; (b) not advised the individual that data is being withheld and which exemption is being relied on; or (c) not responded within the required timeframe. The DPC has warned that it intends to increase its enforcement in this area in 2022.
Since the GDPR came into effect in May 2018, the DPC has received 1,150 valid cross-border processing complaints. Of the 969 cross-border complaints where Ireland acted as Lead Supervisory Authority (“LSA”), 65% (634) have been concluded, and 544 (86%) of those were closed through the amicable resolution process. The DPC recently issued a One-Stop-Shop Cross-Border Complaint Statistics Report, which further notes that 86% of all cross-border complaints handled by the DPC as LSA relate to just 10 data controllers.
The DPC handled 187 complaints relating to both notified and non-notified data breaches in 2021. The majority of complaints concerned the personal data of an individual being inadvertently issued to a third party. The DPC has found that organisations frequently fail to provide sufficient information to impacted individuals to put their minds at ease, leading to complaints and the involvement of the DPC.
Case Studies - Trends
A number of case-studies in the Report concern complaints relating to access requests in which an amicable resolution was reached.
Case Study 2 concerns a request for excessive identity verification documentation. A hotel asked a data subject who had made an access request to provide a copy of a utility bill and a copy of photo ID verified by An Garda Síochána. However, the DPC pointed out that the postal address and email address being used by the requester were the same as those provided by them during the booking and check-in process at the hotel. The hotel subsequently dispensed with its request for ID. The DPC warned that a request for official ID is only likely to be a proportionate means of validating identity where the category of information relating to the individual is sensitive in nature and where the information on the official ID (such as a photo, address or date of birth) can be corroborated against personal data already held by the data controller.
Case Study 15 concerned a request for a recording of a Zoom meeting in which the data subject had participated. The meeting was a sporting club’s AGM. The controller refused to provide a copy of the recording on the basis of Article 15(4), namely that the footage included images of third parties. The DPC rejected this submission on the basis that the participants were aware the recording was taking place and that it might be made available to participants or others at a later date. The controller eventually provided the video recording.
Case Study 16 concerned a request to a retailer for CCTV footage of a personal injuries accident. The controller refused to provide the footage on the basis that it was protected by litigation privilege. The DPC found that the primary reason for capturing the data was security, not the defence of litigation, and therefore requested that the footage be released. In addition, third-party images in the footage could be redacted.
Although complaints relating to access requests are frequently resolved by amicable resolution, it is clear that the DPC will impose sanctions or corrective measures when necessary. This is demonstrated by the €110,000 fine recently imposed by the DPC on Limerick City and County Council for failure to respond to access requests in respect of CCTV footage, which was collected for traffic management purposes.
The Report contains a number of case studies concerning complaints relating to unauthorised disclosure of personal data in the workplace. There is no mention of any sanctions being imposed by the DPC in regard to these particular data breaches.
In Case Study 5, the complainant alleged that, due to a lack of appropriate security measures implemented by his former employer, his personal data was accessible to unauthorised persons, including former colleagues and external third parties. The company had arranged for confidential documents relating to a legal dispute concerning the complainant’s dismissal to be stored in a way that gave access only to authorised HR staff. The DPC nevertheless found that the company had failed to properly anticipate and mitigate the risk of human error in storing such documents. There was, however, insufficient evidence to support the claim that the complainant’s personal data had actually been accessible to unauthorised persons. This case serves as a reminder that a company’s security measures must reflect and mitigate the harm that could be caused by relevant risks, including the risk of human error.
Case Study 6 similarly concerns a lack of appropriate security measures resulting in an unauthorised disclosure of personal data (including health data) in the workplace. In this case, the complainant alleged that his personal information, including details of a personal injury claim against the company, had been stored on the company’s shared C-Drive, which could be accessed by anyone in the company, and that a copy of the data on a CD-ROM had also been left on the complainant’s desk. This case shows how considerable the fall-out from a failure to protect personal data can be. It gave rise to legal proceedings against the company by the affected individual and to the dismissal of two employees (who had unlawfully downloaded the complainant’s personal data and sent it to an external email address), not to mention the impact on the individual whose data was disclosed.
Case Study 22 concerns a letter containing health data relating to several persons being sent to the wrong email address. Although the message was encrypted, the password for the encrypted letter was issued in a separate email to the same incorrect email address, so the encryption offered no protection against the misaddressing. The Report notes that misaddressed emails are one of the most common causes of breaches notified to the DPC. Whilst encryption is a valuable tool to protect against accidental disclosures, the DPC warns that a separate medium, such as a telephone call or SMS message, should be used to communicate the password to the recipient.
Data Breach Notification
In 2021, the DPC received 6,549 valid personal data breach notifications under Article 33 of the GDPR. The largest category of breaches notified concerned unauthorised disclosures (71%). The ten organisations with the highest number of breach notifications recorded against them are public sector bodies and banks, with insurance and telecom companies falling among the top twenty. The DPC has found that most unauthorised disclosures are due to poor operational practices and human error.
The Report notes that since the introduction of the GDPR, the DPC has taken a very hands-on approach to handling every single breach notified, and engaged with controllers on mitigation actions. However, since January 2022, the DPC has adopted a practice of not issuing recommendations or requesting further information in most cases. This does not mean that the DPC is satisfied with the notifications and assessments contained therein. Rather, the DPC recognises that extensive data breach guidance exists to assist controllers, and the DPC will instead be focusing on prioritising enforcement cases.
The DPC received a total of 38 valid data breach notifications under the ePrivacy Regulations (S.I. No. 336/2011). The DPC expects the number of breaches notified under this regime to increase once Ireland transposes the new EU Electronic Communications Code (“the Code”). The ePrivacy Directive and the implementing Irish ePrivacy Regulations apply to publicly available electronic communications services (“ECS”). The current definition of ECS covers only traditional telecoms providers and ISPs. However, amongst other changes, the Code broadens the definition of an ECS, with the result that ‘Over-the-Top’ services (e.g. instant messaging applications, email, internet phone calls and personal messaging provided through social media) will fall within the scope of the definition. As a result, providers of a wider range of services that were previously required to notify personal data breaches to the DPC under Article 33 of the GDPR will instead have to notify the DPC of such breaches under the ePrivacy regime (i.e. S.I. 336 of 2011).
Rapid Direct Intervention
The Report notes that issues of concern from a data protection perspective may come to the attention of the DPC and give rise to rapid direct intervention by the DPC, rather than the setting up of an inquiry targeted at enforcement action. This approach is taken to ensure a timely response in the interest of affected data subjects. For example, in 2021 the DPC took rapid direct intervention in relation to auctioneers collecting excessive personal data from people wishing to view properties, and in relation to personal data collected by the hospitality sector for Covid-19 purposes being left on display in a public area.
The Report highlights five statutory inquiries that resulted in a significant sanction or corrective measure in 2021, including in relation to the Irish Credit Bureau (€90,000 fine); MOVE Ireland (€1,500 fine); Limerick City and County Council (€110,000 fine); the Teaching Council (€60,000 fine); and WhatsApp (€225,000 fine) (further discussion of the WhatsApp fine is available here).
On 31 December 2021, the DPC had 81 statutory inquiries on hand, including 30 cross-border inquiries. The Report highlights a number of ongoing cross-border inquiries into international technology companies, including the following:
Meta – There are 10 separate inquiries into Meta concerning a range of compliance issues. These issues include, amongst others, the legal basis on which Meta relies to process personal data of users on its platform and transparency information provided to users; and the lawfulness of data transfers from Meta in the EU to its parent company in the US.
Google – There are 2 separate inquiries into Google. These inquiries concern the legality of Google’s processing of location data and the transparency surrounding that processing; and the processing carried out by Google in the context of its “Authorised Buyers” real time bidding advertising technology system.
WhatsApp – This inquiry concerns the legal basis on which WhatsApp relies to process the personal data of users and certain issues related to the transparency information provided to WhatsApp users.
Quantcast – This inquiry is examining the legal bases relied on by Quantcast for its processing of personal data for the purposes of profiling and targeted advertising activities, whether its retention of personal data complies with the data minimisation and storage limitation principles, and whether it complies with its transparency obligations to data subjects.
LinkedIn – This inquiry concerns the lawfulness of the processing of personal data of users of LinkedIn for targeted advertising and/or behavioural analysis purposes.
Apple – This inquiry concerns the lawfulness of the processing of personal data of users of the Apple service for targeted advertising.
Twitter – This inquiry concerns an examination of the extent to which Twitter complied with its obligations under the GDPR with respect to a number of personal data breaches it notified to the DPC.
Yahoo – This inquiry is concerned with examining Yahoo’s compliance with the requirements to provide transparent information to data subjects under the provisions of Articles 12-14 GDPR.
TikTok – There are 2 separate inquiries into TikTok. These inquiries concern TikTok’s compliance with the GDPR’s data protection by design and by default requirements; age verification measures for persons under 13 years of age; and the lawfulness of TikTok’s data transfers from the EU to China.
Cross-Border Draft Decisions
The Report notes that between 25 May 2018 and 31 December 2021, the DPC sent eight EU-wide cross-border draft decisions, relating to multinational organisations, to other concerned supervisory authorities (“CSAs”) as part of the Article 60 process (i.e. the one-stop-shop process). As part of the Article 60 process, CSAs are afforded the opportunity to lodge relevant and reasoned objections against a draft decision. Of the eight draft decisions sent forward to the CSAs: two were resolved and concluded following the Article 60 GDPR process; two were sent forward to the EDPB under Article 65 of the GDPR for dispute resolution; and four had objections lodged against them. The Report notes that the DPC is currently assessing whether these objections can be incorporated into the relevant draft decisions. If the DPC is unable to incorporate an objection, and the relevant CSA is not disposed to withdraw it, the draft decision will have to be sent forward to the EDPB under Article 65 of the GDPR.
The Report provides details of judgments delivered and/or final orders made in proceedings to which the DPC was a party. The headline case concerns judicial review proceedings taken by Facebook (now ‘Meta’) against the DPC. Following the Court of Justice of the European Union’s decision in Schrems II, the DPC unexpectedly initiated a new ‘own volition’ inquiry into the lawfulness of Facebook’s EU-US data transfers under section 110 of the Data Protection Act 2018. The DPC issued a preliminary draft decision (“PDD”) to Facebook on 28 August 2020. The PDD notified Facebook of the DPC’s decision to commence an ‘own volition’ inquiry, and of the DPC’s preliminary view that Facebook’s EU-US data transfers were unlawful and should be suspended. Facebook subsequently launched judicial review proceedings maintaining that the DPC was not entitled to commence the inquiry by way of the PDD, and that the PDD was in effect a premature judgment by the DPC. Ultimately, the High Court found that Facebook had failed to identify any unfairness in the procedure adopted by the DPC in the PDD. The Court therefore concluded that the DPC was entitled to issue the PDD.
In addition, Mr Schrems separately issued judicial review proceedings against the DPC, in which he contended that the DPC’s ‘own volition’ inquiry into the lawfulness of Facebook’s EU-US data transfers amounted to an attempt to exclude him from the procedure. These proceedings were settled on the basis that the DPC’s ‘own volition’ inquiry would proceed in tandem with the DPC’s pre-existing investigation into Mr Schrems’ complaint relating to Facebook’s transfer of his personal data from the EU to the US.
In February 2022, the DPC reportedly issued a revised preliminary decision in respect of its ‘own volition’ inquiry into Facebook’s EU-US data transfers. Facebook was given 28 days to make submissions on the decision, following which the DPC was expected to prepare a draft Article 60 decision for the other CSAs. The finalised decision is expected later this year.
What’s ahead in 2022?
The DPC will continue to have a leading profile in relation to international enforcement as it completes further cross-border inquiries into multinational technology companies and exercises its corrective powers. We will undoubtedly see further regulatory activity at Irish and EU level in respect of international transfers of personal data. We also eagerly await further details in relation to the new Trans-Atlantic Data Privacy Framework, which is expected to replace the invalidated EU-US Privacy Shield.
As discussed above, the DPC has also announced that it will prioritise enforcement of controllers’ compliance with the rules on cookies, and compliance with the right of access under Article 15 of the GDPR (further discussion on what to expect in 2021 is available here).
New data protection guidance for the insurance sector is also expected. During 2021, the DPC provided detailed observations on Insurance Ireland’s draft “Guidance on data protection requirements for Insurers when handling personal data”. The guidance is intended to replace the outdated 2013 industry Code of Practice, providing a GDPR compliant document to guide the insurance sector’s processing of personal data.
If you would like to discuss this, or any other related data protection and data privacy matters concerning your business, please do not hesitate to contact Davinia Brennan, or any other member of the Technology and Innovation Group.