The Data Protection Commissioner recently published her Annual Report for 2015. It is clear from the report that 2015 was another busy year for the office of the Data Protection Commissioner ("ODPC"), with activity across all of the ODPC's main functions, such as investigation and enforcement, guidance and education, audits/inspections and notifications.
The ODPC will continue to expand and the Report notes its Dublin staff will move to dedicated premises in the city centre in the second half of 2016.
Key issues and developments described in the 2015 Report include:
GDPR: After four years of negotiations, the General Data Protection Regulation ("GDPR") will come into effect on 25 May 2018. It will bring new enumerated rights for data subjects across Europe, increase the obligations on organisations handling personal data and introduce a new enforcement focus to the role of data protection authorities. The GDPR will harmonise data protection in Europe, and under the GDPR, the ODPC will have an expanded role as the lead supervisory authority for many multinational corporations.
CJEU: The Court of Justice of the European Union ("CJEU") delivered its ruling in the case of Schrems v Irish Data Protection Commissioner in October 2015. The ruling was important and far-reaching, as among other things it invalidated the Safe Harbour regime (which led to the negotiation and recent agreement of the EU/US Privacy Shield). It also led to separate judicial review proceedings brought by the Data Protection Commissioner, in which the validity of the European Commission's decisions regarding the 'standard contractual clauses' has been questioned.
The ODPC received and investigated 932 complaints in 2015, which is a small decrease from the 960 received in 2014. The majority of complaints came from data access requests with 578 complaints, which is up from 532 last year. The next highest figure for complaints was 104 in relation to electronic marketing, however this was a large decrease from 176 complaints in 2014. According to the Report this decrease can be attributed to the success of the ODPC's active prosecution strategy and the associated negative publicity against the entities prosecuted. Other complaints received related to disclosure of data, unfair processing of data, internet search result de-listing and use of CCTV footage.
The ODPC issued three statutory enforcement notices in connection with investigations, which obliged data controllers, subject to criminal penalty, to comply with the ODPC's directions in relation to the collection, keeping and use of personal information. The ODPC also drafted a number of information service notices. None were issued as the data controllers involved responded when they were advised that action by the ODPC was imminent.
As a separate but notable development, the ODPC has established a special investigations unit headed by Assistant Commissioner Tony Delaney.
Data Breach Notification
The ODPC received 2,376 data security breach notifications, of which only 59 were deemed to be non-breaches, resulting in a total of 2,317 valid data security breaches, which is a 5.9% increase on the 2014 figure.
Similar to 2014, the majority of data security breaches were the result of an unauthorised disclosure, such as improper disposal of data, third-party access to personal data or unauthorised access to data by an employee. Under current Irish law, only telecommunications and internet service providers have a legal obligation to notify the ODPC of a data security breach; however, notification by other data controllers is recommended best practice in accordance with the ODPC's Personal Data Security Breach Code of Practice. Once the GDPR comes into force in 2018, all data controllers will be subject to mandatory reporting obligations in relation to personal data security breaches.
Enforced Subject Access Requests
Following on from the ODPC's commitment in 2014 to vigorously pursue and prosecute any abuses in the area of enforced data subject access requests, 40 organisations across a range of sectors were selected for closer examination in the form of a desk audit. This was followed by further inspection of some organisations. A number of these organisations were found to be in breach of Section 4(13) of the Data Protection Acts 1988 and 2003 (the "DPA") and were instructed to cease this practice immediately. The ODPC was satisfied that no organisation had intended to deliberately breach the DPA.
The ODPC carried out 51 audits and inspections in 2015, and just under half of these were unscheduled inspections which arose from investigations or complaints. The report states that the ODPC concentrated on recruitment practices as a part of a wider investigation into enforced subject access requests. The use of CCTV in a number of shopping centres was also chosen for closer examination as well as a comprehensive review of three utility companies. In the public sector, audits of Dublin City Council's Franchise Section and the Road Transport Operator Licensing Unit also took place.
Another area of particular attention for the ODPC was the data processing activities of insurance companies with regard to their access to penalty point data under Section 53(3)(c) of the Road Traffic Act 2010. The audits of these insurance companies found a number of issues, such as a lack of data-retention policies, a lack of signage and policies for CCTV systems, excessive use of CCTV systems and body-worn cameras, and the illegal use of enforced subject access requests. Following this audit, the ODPC made best-practice recommendations and directions to the organisations, and outlined a timeline for rectifying the issues.
The ODPC also carried out a desk-based audit of 18 mobile apps as part of the Global Internet Privacy Sweep, which focuses on websites and apps targeting, or popular amongst, children.
The ODPC was consulted and asked for guidance on data protection issues relating to a number of projects in the public and private sectors, including the adoption of an 'individual health identifier', a Data Sharing Bill and the liquidation of a hospital. The ODPC also issued new guidance materials on what the Report identifies as three major data protection issues: drones, CCTV and body-worn cameras.
Binding Corporate Rules
The ODPC is currently acting as lead reviewer in relation to four applications for approval of Binding Corporate Rules. The Report predicts that there will be an increase in applications for approval of Binding Corporate Rules once the GDPR comes into full effect, on the basis that Article 47 will give legal recognition to the process.
Engagement with Multinational Organisations
The ODPC continued its engagement with multinational organisations in Ireland, including LinkedIn, Facebook and Microsoft, on topics including data access requests and privacy by design. The ODPC also established a forensics technical laboratory, investing in equipment for the purposes of developing technical capabilities to assist in performing technical audits, technical investigations and technical research.
The case studies included in the Report highlight the wide-ranging issues that the ODPC deals with, including the following:
- Marketing offences: These offences included sending unsolicited SMS messages without an opt-out option for data subjects, and unsolicited marketing telephone calls. The companies involved incurred fines between 1,000 and 2,500, and also covered the costs of the DPC. The highest financial penalty for unsolicited marketing telephone calls, following a request by the data subjects to be removed from the company database, was a 35,000 charitable donation.
- Failure to keep data safe and secure: The defendant failed to adhere to procedures for the protection of personal data, resulting in the complainant's personal data being lost or stolen. The DPC highlighted that extreme caution should always be exercised to ensure that there is no risk to the security of personal data.
- Further processing of personal data by a public body: This case was resolved amicably between the parties, but highlights the need for organisations to ensure that they only use personal data that is at their disposal for the purposes for which the data was originally obtained and processed.
- CCTV: The DPC found that a supermarket had contravened Section 2(1)(c)(iii) of the DPA by using CCTV in a staff canteen and that this constituted excessive processing of personal data. In another case, the installation of covert CCTV without a specific policy was also held to contravene the DPA. A further decision related to unfair use of CCTV where an employee was not given fair notice that CCTV was in operation.
- Sharing account information: A financial institution was found to be in breach of Section 2(1)(d) of the DPA for erroneously sharing account information with a third party. This case illustrates the need for financial institutions to be vigilant when dealing with the personal data of individuals who have common banking relationships with others to avoid the accidental sharing of personal data.
The case studies reflect the proactive approach that the ODPC takes towards monitoring and enforcing compliance with the DPA, and underline the importance of organisations using the personal data of their employees and customers fairly and correctly.