Irish Data Protection Commission annual report – review of 2019 and focus for the future
28 February 2020
The Irish Data Protection Commission (DPC) recently published its annual report for 2019 – the first full calendar year since the General Data Protection Regulation (GDPR) came into force.
The report provides a number of interesting insights into the DPC’s activities over the last year and we highlight below the key trends and issues identified in the report and flag the likely areas of focus for the DPC in the year ahead. It is clear from the report that as compliance with the GDPR continues to be a significant area of focus for organisations, the DPC is intensifying its efforts and expanding its operations. Organisations can expect an increase in the level of the DPC’s supervisory, compliance and enforcement activities in the year ahead.
Data protection complaints
The number of complaints received by the DPC in 2019 increased by 75% (7,215 in total). 29% of the complaints related to subject access rights, although in proportion to other categories of complaints this figure is dropping. The report reiterates that there is a presumption in favour of disclosure on the part of data controllers when handling subject access requests. Complaints relating to disclosure and fair processing made up the next highest proportion of complaints at 19% and 16% respectively.
Telcos and banks remain the most complained about sectors, with many complaints focusing on the issue of account administration and charges. The DPC has expressed frustration that these consumer protection issues are being addressed via complaints to the DPC rather than being dealt with within those sectors. Over the last year there has been an increase in the number of complaints about internet platforms, with the key focus being on the management of individuals’ accounts and the right to erasure once an individual leaves the platform.
Disputes between employees and employers or former employers “remain a significant theme” of complaints to the DPC. The report states that “this is undoubtedly driven by the fact that neither the WRC or the Labour Court can order discovery in employment claims”. In our experience, the absence of discovery powers means that subject access requests can often play a central role in employment claims.
Data breach notifications
There were 6,069 valid data breaches notified to the DPC in 2019, up 71% from 2018. Unauthorised disclosures made up 83% of breaches, with an increase in the number of repeat breaches of a similar nature by a large number of organisations (predominantly in the financial sector). The DPC recommends that data controllers take steps to mitigate the risk of data breaches, such as staff training, awareness programmes, implementing stringent password policies and multifactor authentication for remote access, and regularly updating anti-malware software.
Data compliance investigations
In 2019, the DPC had 70 ongoing statutory inquiries, including 21 cross-border inquiries. In the technology sector, the DPC is currently involved in six statutory inquiries in relation to several high-profile multinational tech companies. These inquiries relate to several areas of compliance with the GDPR including:
- the lawful basis for certain data processing activities;
- compliance with the transparency principles;
- compliance with access rights; and
- the implementation of organisation and technical measures to secure and safeguard personal data.
Investigations into “big tech” companies progressed in 2019 with two inquiries moving from the investigative stage to a decision-making stage. We can expect to see decisions arising from these inquiries in 2020. The DPC highlights some of the complexities it faces in dealing with legal procedural issues raised during the inquiry processes (for example the application of legal privilege). The report indicates that many of these issues will be resolved following the conclusion of the first wave of statutory inquiries.
Cookies and AdTech
One area of growing focus in the data protection sphere is the use of cookies and AdTech. In August 2019, the DPC started to examine the use of cookies and similar technologies on websites across a range of sectors to establish if organisations are complying with data protection principles (in particular the user consent requirements). User consent in compliance with the GDPR must be obtained by means of a clear, affirmative act and must be freely given, specific, informed and unambiguous. The DPC noted that many organisations use pre-checked boxes/default settings for consent to cookies and some organisations rely on the user’s implied consent to cookies – neither of which is valid under the GDPR. The DPC says it will produce updated guidance on cookies and other technologies to take account of recent CJEU decisions and will place a strong focus on compliance in this area. Organisations that use this technology should review how it is currently being used and take any necessary action.
Data protection enforcement/prosecutions
Although the DPC acknowledges that the new legal framework under the GDPR will take time for organisations to implement, it notes that intensive work is underway in relation to compliance and prosecutions. As such, we can expect to see an increase in the number and level of fines imposed for non-compliance. An example of this can already be seen in the area of direct marketing offences. Offences in this area were pursued rigorously in 2019 and 165 new complaints were investigated (77 related to email marketing, 81 related to SMS marketing and seven related to telephone marketing). Prosecutions were concluded against four entities in respect of a total of nine offences under the E-Privacy Regulations, with sanctions ranging from a criminal conviction and fine for repeat offenders to court ordered charitable donations in lieu of a conviction/fine for more minor breaches.
Supervision
In its supervisory role, the DPC received 1,420 general consultation queries during 2019. In the public sector, the DPC consulted with government departments on legislative proposals involving the processing of personal data, including parental leave and gender pay gap data. Recurring concerns for private sector organisations emerging from the DPC supervisory function include:
- personal data transfers following a no-deal Brexit;
- direct marketing rules under the E-Privacy Directive;
- dealing effectively with data subject access requests;
- use of technologies in the workplace such as biometric clocking/GPS vehicle tracking and CCTV;
- transfer of employee data in mergers and takeovers;
- discrepancies in privacy policies in multinational companies;
- media reports outlining security issues such as human review of voice recordings; and
- new technologies and their impact on a controller’s data protection obligations particularly in the Fintech and payments sector - the DPC anticipates that this will “gather momentum” in 2020 and the sharing of account information and personal data will be a “core priority” for the DPC’s consultation engagement with the private and financial sector.
Linked to its function as a supervisory authority, the DPC’s Information and Assessment Unit was contacted almost 48,500 times, including 22,200 calls and 22,300 emails. The DPC published more online guidance to assist in interpreting GDPR and the Data Protection Act 2018 in 2019 and intends to produce more guidance in the coming year, particularly case studies illustrating the practical application of data protection principles. Notwithstanding the increased level of guidance published by the DPC last year, it is nowhere near the level produced so far by the UK Information Commissioner’s Office (ICO).
The DPC received 712 (577 in the private sector) new Data Protection Officer (DPO) appointment notifications from organisations in 2019, bringing the total number to 1,596. The DPC intends to mobilise its DPO network in 2020 to foster peer-to-peer engagement and knowledge sharing between DPOs. The first initiative for the network will be a DPO conference scheduled to take place on 31 March 2020 (see the DPC DPO Conference page for details).
One Stop Shop for data protection complaints
The DPC is the Lead Supervisory Authority for a number of multinational corporations whose main establishment is in Ireland. This means that under the One Stop Shop (OSS) mechanism introduced by the GDPR, it has jurisdiction to manage and address data protection complaints relating to multinational corporations in other member states. Under the OSS system, the DPC must consult extensively with other data protection supervisory authorities when handling regulatory matters through the OSS and must share draft decisions relating to complaints referred or inquiries conducted under the OSS with all concerned supervisory authorities and consider their views before finalising the decision. In 2019, the DPC received 457 cross border processing complaints under the OSS which were lodged by individuals via other EU data protection authorities.
Brexit and international aspects of data protection compliance
Brexit preparation has clearly involved a considerable amount of work for the DPC over the last year. The DPC spent significant time engaging with stakeholders to provide information on Brexit, particularly in relation to Irish companies transferring personal data to the UK. In the area of international transfers of data, a key area of focus for the DPC has been assessing and approving Binding Corporate Rules (BCRs). BCRs were introduced for organisations that needed a global approach to data transfer on a large scale. In 2019, the DPC acted as lead reviewer in relation to 19 BCR applications for 12 different companies. The DPC expects this number to increase in 2020 during the post-Brexit implementation period when organisations with BCRs approved by the ICO will look to have their BCRs approved by an EU member state’s data protection authority. In 2019, the DPC also continued to take part in various projects and programmes for international engagement and cooperation on data protection issues with other supervisory data protection authorities and stakeholders.
The future focus of DPC activities
The DPC Regulatory Strategy for 2020 – 2025 will be published later this year. In advance of this, the DPC has engaged in focus groups with the public to establish their expectations and awareness of the DPC. The findings highlight that many people were confused about their rights and would welcome more real-world examples to understand how they apply in practice. In response, the DPC intends to produce more case studies to highlight issues from a consumer/controller point of view.
Other areas of focus for the DPC in the future include:
- continuing to prepare for the implementation of GDPR’s certification approval mechanisms which are intended to provide accountability mechanisms to demonstrate an organisation’s data protection compliance efforts to individuals;
- publishing guidance for controllers in processing children’s personal data and encouraging big technology platforms to sign up to a code of conduct on children’s data processing;
- continuing to expand operations – in 2019 the DPC’s staffing level increased from 110 to 140 and it is likely that this number will continue to grow in 2020;
- awaiting the CJEU decision on the legitimacy of standard contractual clauses as a sufficient safeguard for the transfer of personal data;
- issuing first draft decisions on big technology companies;
- developing sector specific codes of conduct for data processing and compliance with data protection principles.
Conclusion
The report illustrates how the application of data protection principles continues to evolve to respond to developments in technology, business, social and legal practices. As such, all organisations will need to ensure compliance with the GDPR is kept under review. Helpfully, we can expect to see an increase in the amount of guidance in the coming year as a result of DPC consultations, publications and the outcome of investigations and enforcement proceedings in 2020.
The report includes several case studies and contains detailed information on the outcome of a statutory investigation carried out by the DPC. These provide useful guidance for organisations and practical insights into how the DPC is interpreting and applying data protection principles in real life scenarios. A copy of the full report is available here.
For more information on this or any other data protection matters in Ireland please contact the Lewis Silkin team.