The Office of the Data Protection Commissioner (DPC) has published its Annual Report for 2015. As usual it reveals some interesting statistics and case-studies, and provides an insight into the DPC's approach to regulation.
Approach of the DPC to regulation
In 2015 the DPC continued her "engaged approach" to regulation, consulting with organisations rather than simply watching for transgressions. Whilst consultation is not currently mandatory, it is sensible for companies to have a meaningful dialogue with the DPC about proposed new policies, products and services. The Report notes that her engagement with the world's leading technology companies that have their European headquarters in Ireland, in particular Facebook and LinkedIn, has led to her being given advance previews of global changes that those corporations intend to implement.
Her office has also engaged in extensive consultation with other private and public sector bodies. In 2015, it received 860 requests from organisations for guidance on compliance with data protection law. However, the DPC warned that her office does not have the resources to replace the need for organisations to procure their own expert advice to ensure compliance, and that the new General Data Protection Regulation (GDPR) will bring increased enforcement powers for data protection authorities. The GDPR also explicitly requires organisations to organise themselves so as to protect individuals' right to privacy and to be able to demonstrate their accountability in this regard.
The DPC has a statutory obligation to seek to amicably resolve complaints in the first instance, and in 2015 her office successfully achieved an amicable resolution in 94% of the investigations it conducted into complaints by data subjects against organisations.
The DPC received 932 complaints from individuals in 2015, only 52 of which required a formal decision under section 10 of the Data Protection Acts 1988 and 2003 (the Acts). She prosecuted 4 entities under the ePrivacy Regulations 2011 for direct marketing offences. These statistics show that meaningful engagement by the DPC with organisations has paid off.
Last year, the main issues dealt with by the office of the DPC included CCTV in the workplace; direct marketing by SMS and email messages sent without consent; banks failing to keep personal contact information up to date; and non-responsiveness to data subject access requests. These issues are discussed in the case studies appended to the Report.
Data Subject Access Requests
As in 2014, data subject access requests were the largest category of complaints in 2015, accounting for 62% (578) of the total complaints received. The Report notes that this reflects the public's increased awareness of their statutory right of access to their personal data, and also the difficulties individuals face in exercising that right. Responding to access requests is a challenge for many organisations because of the volume of information requested, and because requests are often made by aggrieved customers or employees in the context of litigation or some other dispute. The DPC plans to conduct an awareness campaign highlighting data access issues during 2016.
The second highest category of complaints concerned electronic direct marketing, accounting for 11% (104) of the total number of complaints. This was a sharp decrease of 72 complaints compared with the previous year. The DPC attributes this decrease to the success of her Office's active prosecution strategy for direct marketing offences, which generates negative publicity against the entities prosecuted.
Data Security Breach Notifications
In 2015, there were 2,317 valid data security breach notifications, compared with 2,188 in 2014. The largest category of breaches reported under the (non-legally binding) Personal Data Security Breach Code of Practice was unauthorised disclosure, such as postal and electronic disclosures. The majority of these disclosures occurred in the financial sector, and together they accounted for 54% of the total breach notifications received in 2015.
Businesses might be surprised that, in the majority of personal data breaches reported to the DPC, only one or two individuals were affected. It is worth noting that whilst only telecommunications companies currently have a mandatory obligation to report data security breaches to the DPC, the GDPR brings stricter breach reporting obligations: all data controllers will have to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned.
Enforced Subject Access Requests
An "enforced subject access request" occurs where an individual is obliged by an employer, potential employer or recruitment agency to make an access request to a data controller (such as An Garda Síochána) and to hand over the result. Requiring a person to make such a request constitutes a criminal offence under section 4(13) of the Acts.
Last year, the DPC wrote to forty organisations across a range of sectors in an effort to identify companies engaged in the practice of requiring individuals to make subject access requests. The DPC was satisfied that no entity investigated sought to deliberately breach the Acts, but nevertheless found that a number of organisations were in breach of section 4(13).
The DPC warns that her office will continue to monitor organisations throughout 2016 to combat practices entailing enforced subject access requests.
Audits and Inspections
The DPC carried out 51 audits and inspections last year on major holders of personal data in the public and private sectors. Just under half of these were unscheduled inspections under section 24 of the Acts. Advance notice varied from none (two unannounced inspections in 2015) to a few weeks. The Report highlights that entities are targeted for audit based on the amount and type of personal data they process, as well as the number and nature of complaints the office of the DPC receives about them.
In 2015, the DPC focussed, in particular, on recruitment practices as part of a wider investigation into enforced subject access requests; insurance companies regarding their access to penalty-point data; the deployment of CCTV in a range of shopping centres and retail outlets, and a review of the data protection policies and procedures in three utility companies.
Ten key audit findings included: lack of a data-retention policy; lack of signage and policy for CCTV systems; excessive use of CCTV systems; lack of audit trails to identify inappropriate access; poor call-handling security procedures potentially allowing for "blagging" (callers talking their way past identity checks to obtain personal data); illegal use of enforced subject access requests; lack of clarity in data controller/data processor contracts; failure to clearly identify the data controller where a debt collector has been engaged; excessive use of biometric time and attendance systems; and excessive use of body-worn cameras.
Special Investigations Unit
Last year, with its increased resources, the office of the DPC established a Special Investigations Unit headed up by an Assistant Commissioner. The Unit carries out investigations on its own initiative (as distinct from complaints-based investigations). In cases where it identifies offending behaviour, it will use the DPC's statutory powers to progress its investigations.
The Report also highlights last year's decision of the Court of Justice of the European Union (CJEU) in Maximillian Schrems v Data Protection Commissioner, which clarified that data protection authorities must examine complaints even where the matter complained of is covered by a binding EU instrument, as well as striking down the Safe Harbour agreement.
The issue of EU-US transfers of personal data continues to occupy the DPC. Last month, she sought a referral to the CJEU to determine the legal status of international transfers made under Standard Contractual Clauses. It remains to be seen whether they will similarly be struck down by the CJEU.
In the meantime, good news for multinational companies transferring data from the EU to the US is that the Article 31 Committee is expected to vote on the EU-US Privacy Shield (to replace the Safe Harbour agreement) this week which, following a positive vote, would allow the Shield to be adopted by the European Commission next week.
The other major news for 2015 was the political agreement on the new data protection framework in Europe, in the form of the GDPR. It will be enforced by European data protection authorities from 25 May 2018. See our dedicated GDPR website for further information.