As the first full calendar year of the operation of the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) came to a close, both national and European bodies took time to reflect on the attitudes and application of the GDPR on a domestic and EU level.
From a European perspective, the European Data Protection Board (the “EDPB”) provided its feedback in its report:“Contribution of the EDPB to the evaluation of the GDPR under Article 97”. Similarly on a national level, the Irish Data Protection Commission (“DPC”) recently published its second Annual Report, detailing its activities for 2019 (the “Report”). Both the DPC and the EDPB detail the success of the GDPR as well as outlining the areas for improvement in implementing measures provided for by the GDPR.
1. Contribution of the EDPB to the evaluation of the GDPR under Article 97
Overall the EDPB welcomed the success of the GDPR noting that it has:
- strengthened data protection as a fundamental right;
- harmonised the application of data protection principles; and
- increased the investigative and corrective powers of Supervisory Authorities (SAs).
The EDPB recognised that the effective enforcement of the GDPR by SAs is dependent on the resources made available to them. The EDPB stated that in most instances such resources are said to be insufficient. Overall, the EDPB recommended that, rather than revising the GDPR, EU legislators should focus on adopting the ePrivacy Regulation ‘to complete the EU framework for data protection and confidentiality of communications’.
The main issues dealt with in the review refer to measures under Chapter V and Chapter VII of the GDPR and are summarised below.
Chapter V: Adequacy decisions (Article 45) and Standard Contractual Clauses
Article 45 of the GDPR provides that transfers of personal data to a third country or international organisation may take place where the EU Commission has decided that the third country or organisation ensures an adequate level of protection of the personal data. In its review of adequacy decisions, the EDPB welcomed the interest displayed by third countries to engage with the EU. The board noted that in the case of the Japan decision, additional binding and enforceable rules were negotiated between Japan and the EU in respect of data transfers between them. The EDPB recognised the importance of the European Commission continuously monitoring the applicability of these rules.
The EDPB stated that it will continue to participate in the evaluation of current and future adequacy decisions. However, the EDPB also recommended that the following improvements are introduced in the adequacy decision procedure:
- The timely production of relevant documents to the EDPB;
- The translation of documents into English;
- The ability for SAs to effectively cooperate to enforce data protection rules; and
- The Commission’s consultation with the EDPB on the overall assessment of the decision to revise adequacy decisions.
In the context of trade agreements, the EDPB recommended that the European Commission should be unwilling to discuss data protection issues with counterparties. In particular the EDPB cautioned the Commission in relation to recent comments made on “free flow data” at the last G20 and G7 meetings. The EDPB stated that prior to any free flow of data there must be a high level of protection for data under the GDPR or an adequacy decision to ensure that the onward transmission of such data is not compromised.
The EDPB noted the legal and operational concerns for organisations who continue to use the European Commission’s current set of Standard Contractual Clauses (“SCCs”) given that such SCCs were adopted by the Commission under the old Data Protection Directive (Directive 95/46/EC) and have not been updated to reflect the requirements under the GDPR. For example, the EDPB noted that the SCCs of 2010 do not take into account the requirements under Article 28 GDPR. The EDPB urged the Commission to provide updated sets of all SCCs and in doing so, to take into account current cases on international transfers pending before the EU Court of Justice. This includes the Schrems II case, which the DPC summarises in detail in its Report.
Chapter VII: Cooperation Mechanism (Article 60)
The cooperation mechanism under Article 60 of the GDPR aims to “formalise and strengthen the exchanges and the cooperation among SAs in the EU”. Under this mechanism a lead supervisory authority (“LSA”) and concerned supervisory authorities (“CSA”) coordinate to facilitate the conclusion and decision on cases with cross-border elements. This tool may be used before the One Stop Shop (the “OSS”) procedure commences.
In order to assist supervisory authorities in establishing their role as either a LSA or CSA a dedicated workflow was put in place by the EDPB. So far 1,346 such cooperation schemes have been initiated to assist in determining a supervisory authority’s role as a LSA or CSA. The EDPB also created a centralised database where all cases with a cross-border element can be registered. Between the introduction of the GDPR and the end of 2019, Ireland had been registered as an LSA in 127 cases in the centralised database, which is much greater than the SA average of 23 cases. While during this period 141 draft decisions have been made by LSAs, Ireland has yet to issue a draft decision.
The EDPB highlighted difficulties supervisory authorities face when engaging with the OSS due to differences in national procedures, these difficulties include:
- procedures with complaint handling, including the admissibility criteria;
- time frames for handling complaints or cases;
- modalities of implementation of the right to be heard for the parties of a proceeding;
- role of the complainant; and
- different complaint-handling methods including resolving complaints by the vindication of the specific complainant’s rights, amicable settlement and prioritisation of complaints for handling to the extent appropriate.
The EDPB observed that all supervisory authorities appear to perform additional tasks to those delegated to them under the GDPR with many supervisory authorities also overseeing matters relating to the Law Enforcement Directive and the ePrivacy framework. It was highlighted that most of these authorities have insufficient resources to deal with all of these tasks.
The review indicates that across the EU/EEA supervisory authorities had received approximately 275,557 complaints accumulatively since the implementation of the GDPR with Ireland receiving a sizeable portion of these complaints comparatively (12,000). Approximately 785 fines have been issued by these authorities in the same period with only 8 supervisory authorities yet to impose any fines, Ireland being one of the eight. It is interesting to note that in its Report the DPC highlights that there have only been three fines in respect of cross border cases across the EU. Given the disproportionate amount of cross border complaints that the DPC handles, this perhaps goes some way to explaining the absence of fines from the DPC to date.
2. The DPC’s Annual report (1 January 2019 – 31 December 2019)
The Commissioner remarked that the increased budget for 2019 to €15.2 million enabled staff numbers to increase to 140 by the end of the year, reflecting the increased workload of the DPC. The Commissioner recognised that much of the workload flowed from preparations for Brexit.
The Commissioner also recognised that 40% of the DPC’s resources are dedicated to dealing with individual complaints, noting that telecommunication companies and banks remain the most complained about sectors.
Review of 2019
Part 2 of the Report sets out the following key facts and figures for the period which saw a significant increase in the number of complaints received:
- 7,215 complaints were received by the DPC (6,904 under the GDPR regime) with the largest single category of complaints relating to ‘Access Rights’;
- The DPC issued 18 formal decisions (13 complaints upheld; 7 rejected and 9 partially upheld);
- 165 complaints were investigated under the ePrivacy Regulations (S.I. 336 of 2011) regarding electronic direct marketing (an increase from 32 during the previous period): 77 related to email marketing; 81 related to SMS marketing; and 7 related to telephone marketing. 130 of these complaint investigations were concluded during 2019;
- 457 cross-border processing complaints were received by the DPC through the OSS mechanism which were lodged by individuals with other Data Protection Authorities (“DPAs”);
- 207 data breach complaints were handled by the DPC from affected data subjects;
- 6,069 valid data security breaches were recorded with the largest single category being “Unauthorised Disclosures”;
- 6 statutory inquiries were opened in relation to multinational technology companies’ compliance with the GDPR bringing the total number of cross-border inquiries to 21.
Access Rights Complaints
The Report observed that under the GDPR regime, most complaints related to ‘Access Rights’ (approximately 29% of total complaints), many of which were against banks and solicitors practices in addition to complaints regarding the failure of schools and sporting clubs to respond to access requests. August 2019 saw an increase in requests to the State Examinations Commission for access to exam scripts, provided for under section 56 of the Data Protection Act 2018 (the “2018 Act”). The Report also includes several case studies relating to complaints under the 2018 Act, the Data Protection Acts 1988 to 2003 and the ePrivacy Regulations.
One Stop Shop Complaints
The OSS mechanism permits organisations who have a main establishment in the EU to be subject to regulatory oversight by just one DPA, rather than being subject to regulation by the DPAs of each member state. As the DPC is the LSA for a number of multinationals whose main establishment is in Ireland a significant number of complex cross-border complaints were transferred to the DPC by other DPAs in 2019.
Data Breach Complaints
The DPC noted general public dissatisfaction with both the manner in which businesses and organisations have communicated with individuals who claim they have suffered a data breach and also the remedial action the relevant controller had subsequently taken. Part 5 of the Report features data breach notification case studies and the relevant recommendations of the DPC with regard to remedying these types of breaches.
Part 6 of the Report summarises each of the 21 cross-border statutory inquiries currently ongoing by the DPC, most of which relate to either Apple, Facebook or Twitter. In addition the Report sets out synopses of each national statutory inquiry currently ongoing, of particular note is the 2019 Cookies Sweep and the Catholic Church inquiry.
The Catholic Church inquiry relates to the refusal to erase personal data of individuals who no longer wish to be associated with the Church. The DPC is investigating whether there is a lawful basis for processing this data.
The DPC notes that it is evident that there is greater awareness amongst private sector organisations of their data protection obligations. During 2019 these organisations focused on reducing the volume of queries received. The DPC found that some of the main recurring concerns for private sector companies throughout 2019 included:
- Personal data transfers following a No-Deal Brexit;
- Direct Marketing rules under the ePrivacy Directive;
- Effectively dealing with Subject Access Requests;
- Use of technologies in the workplace such as biometric clocking/GPS vehicle tracking and CCTV in the workplace;
- Transferring of employee data in mergers and takeovers; and
- New technologies and their impact on controller’s data protection obligations.
Data Protection Officers
In 2019, the DPC received 712 DPO notifications through its website.
The EDPB set up a DPO Network in November 2019 to bring together the DPOs of all EU DPAs. The network facilitates discussion on the role of a DPO within organisations, knowledge sharing and peer to peer engagement. The Irish DPC’s data protection officer is a member of this network and plans to focus on promoting the network during 2020. The first initiative being rolled-out by the DPC for this network is a DPO conference on 31 March 2020 which recognises the demands of DPOs for more resources and support.
In late 2018 and early 2019 the DPC ran a public consultation on the processing of childrens’ personal data and the rights of children as data subjects under the GDPR. The consultation was divided into two streams:
- Stream 1 invited adults including parents, educators, children’s rights organisations, and others to submit responses to questions set out in a consultation document on the DPC’s website; and
- Stream 2 invited children and young people to participate directly through a specially designed lesson plan and consultation process. This stream gathered the views of approximately 1,200 children and young people across Ireland.
The DPC released two preliminary reports in July and September 2019, each dealing with one stream of the consultation. The related guidance is expected to be published shortly in draft form, following which the DPC will run a further public consultation taking account of the views of stakeholders before finalising it. In addition, the DPC will publish a separate child-friendly guide to clearly set out their rights under data protection law and caution of any risks they may face when disclosing their personal data online.
What’s in store for 2020?
Regulatory Strategy 2020–2025
The DPC’s new Regulatory Strategy is a five year project to re-examine how the DPC will structure its work to ensure maximum impact on people’s data protection rights in an ever-changing environment.
In order to better understand its audience the DPC ran its first consultation in July 2019 which involved a series of focus groups with members of the public. The purpose of these focus groups was to understand:
- people’s views on data protection rights;
- the role of the DPC;
- how compliance with data protection law should be encouraged, facilitated and maximised; and
- how non-compliance should be regulated.
In contrast to the views of the EDPB, the DPC found that many people still feel confused about their personal data protection rights and would benefit from worked-through scenarios to better understand the application of their rights in practice.
Later, in December, the second public consultation exercise was commenced in relation to the DPC’s target outcomes, which concluded at the end of January this year. The DPC will continue to analyse the submissions received for both consultations in conjunction with drafting the Regulatory Strategy itself. The DPC plans to release a Strategy Implementation and Measurement Plan during 2020, which will set out how the strategic priorities will be implemented and how target outcomes will be measured.
Operational Change Programme
During 2019, the DPC’s operational programme focused on its internal procedures, processes, systems and management information in order for the Commission to derive the maximum benefits possible from its new Case Management System which we will be introduced in 2020.