The Data Protection Commissioner's (DPC) Annual Report provides an insight into the approach of her Office to resolving data protection problems.
Approach of DPC to regulation
The Irish Office of the DPC has attracted some media attention for its approach to enforcing data protection laws, often from other European countries that would perhaps like to play a greater role themselves. Interestingly, in the foreword to the Report, the DPC notes that many disagree with her "engaged approach" to regulation and explains why she is confident that it is the right one. In our view, it absolutely is. It is essential that data protection authorities have strong relationships with stakeholders and regular, meaningful dialogue. We totally agree that it is better for a regulator to be talking to companies and suggesting improvements to borderline-compliant products and services before they reach the market than to see those products launched and to act only once consumers and other stakeholders have already been affected.
The results speak for themselves – in 2014, 960 complaints were received, only 27 of which required a formal decision by the DPC. The remainder of the complaints received were resolved amicably. Enforcement doesn't start and end with fines. Meaningful engagement with the world's leading technology companies which have their European headquarters in Ireland, like Facebook, Apple, LinkedIn and Microsoft, has paid off.
The number of complaints received rose to 960 in 2014, compared with 910 in 2013. This is unsurprising, as data protection issues continue to be headline news and individuals are becoming increasingly aware of their data protection rights.
Data Access Requests - As in 2013, the largest category of complaints in 2014 (54%) concerned difficulties faced by individuals in obtaining access to their personal data. Responding effectively to data access requests is a challenge for many organisations, due to the nature or volume of information requested. Requests often come from aggrieved customers or employees, and are made in the context of litigation or some other dispute. Organisations need to streamline their procedures for dealing with data access requests. Pre-empting data access requests is also key.
Electronic Marketing - The second largest category of complaint concerned direct marketing emails and phone calls (18%). The number of complaints in this category declined, which the DPC attributes to its active prosecution strategy under the e-privacy Regulations (S.I. 336/2011). However, the level of fines imposed by the courts for such offences remains low.
Data Breach Notifications - The increase in security breach notifications received by the DPC in 2014 is to be expected in light of the corresponding growth in cybercrime. There were 2,188 valid security breaches reported in 2014, compared with 1,507 in 2013. However, many businesses might be surprised that the majority of these breaches involved human error. This shows the need for further investment in training employees about their data protection responsibilities.
Audits - The DPC has continued to take a proactive role with regard to privacy audits, carrying out 38 audits and inspections in 2014. A particular focus of the DPC's audits was the data-processing activities of credit unions, private investigators, accountants and liability adjusters. These entities were selected on the basis of the Office's ongoing investigation into inappropriate access to state databases by private investigators appointed by organisations engaged in the pursuit of debts.
Insurance companies and other financial institutions will be subject to further scrutiny by the DPC in the coming year with regard to their use of private investigators to examine potentially fraudulent insurance claims.
Enforced Access Requests – The DPC is serious about clamping down on "vetting by the back-door". She warns that from 2015 onwards her Office intends to vigorously pursue and prosecute any abuse detected in relation to enforced access requests.