The Data Protection Commission (DPC) has published its Annual Report for 25 May-31 December 2018. As always, the Report reveals some interesting statistics and case studies. In the coming months, the DPC expects to conclude a number of statutory inquiries, which it launched in 2018, into multinational technology companies with EU headquarters situated in Ireland. The DPC anticipates that the conclusion of those inquiries will provide precedents for better implementation of the principles of the GDPR across key aspects of internet and ad tech services. This briefing note sets out some of the highlights of the Report.

Complaints

There was a substantial rise in the number of complaints made to the DPC due to greater public awareness of data protection issues and rights (a 56% increase). While the majority of complaints continued to be resolved amicably, the DPC issued a number of formal decisions.

Statistics

  • 2,864 complaints received between May and December 2018
  • Largest category of complaints concerned data access requests (977 out of the 2,864 complaints)
  • 4,113 complaints received in the 2018 calendar year (compared with 2,642 in 2017)
  • 136 cross-border processing complaints received through the new one-stop-shop mechanism
  • 32 electronic marketing complaints investigated under the e-Privacy Regulations 2011
  • 18 formal decisions by the DPC (13 upheld the complaint, and 5 rejected the complaint)

Case-Studies

Case-studies 1-3 and 4-7, respectively, concern complaints received, and amicable resolutions sought, by the DPC. The Report notes that in many of the complaints that the DPC handles, data subjects hold the mistaken believed that because they have not consented to the processing of their personal data, it is unlawful. However, there are a number of legal bases other than consent that justify processing. The DPC has warned that it will “rigorously interrogate” whether the circumstances of the processing justify reliance on the legitimate interests legal basis.

Case studies 3 and 7 discuss one of the most common data breaches, namely unauthorised disclosure as a result of sending emails to the wrong address. Case Study 3 concerned the disclosure by an airline of a web-chat transcript by email to the wrong customer, as a result of using an auto-fill function in software. The DPC warned that such functions should be used with caution, and safeguards deployed, such as on-screen prompts to double-check recipient details.

Case Study 7 concerned the erroneous disclosure by a car dealership of the complainants’ personal data to the wrong email address. The DPC highlighted that it is not enough in such instances, to acknowledge to the DPC and/or data subject that a data breach has occurred. It is also incumbent on the data controller to take all reasonable remedies to remedy such a breach, including recalling the email (if possible), asking the unintended recipient to confirm they have deleted the email, and putting in place measures to prevent a recurrence.

Data Breach Notifications

Most organisations engage with the DPC and accept its guidance around mitigating losses for affected individuals, communicating any high risks to them and learning lessons from the breach to avoid a repeat. The Report notes that where a breach has been notified to a data subject by the data controller, but not to the DPC, the DPC’s Breach Complaints Unit will ensure the breach is retrospectively reported to the Breach Notifications Unit, accompanied by a clarification from the data controller/processor as to why the DPC was not notified in the first instance.

Statistics

  • 3,542 valid data security breaches notified to the DPC
  • 145 invalid breach notifications (which did not meet the definition of a ‘personal data breach’ under Article 4(12) of the GDPR)
  • 4,740 valid data security breaches were notified in the 2018 calendar year (compared with 2,795 in 2017)
  • Largest category of breaches concerned “unauthorised disclosure” of personal data (3134 breaches)
  • 38 cross-border processing personal data breach notifications were handled by the DPC, involving 11 organisations

Case-Studies

Case-Studies 9-13 discuss sample data breaches notified to the DPC, including failure to implement the data protection policies in place; an unencrypted USB device lost in the post; website phishing; loss of paper files in transit, and a SIM card swap attack.

Investigations

A number of statutory inquiries have been launched by the DPC under section 110 of the Data Protection Act 2018 (the 2018 Act), which are expected to reach the decision and adjudication stage in 2019. The DPC has not yet commenced any statutory inquiry under section 137, Part 5 of the 2018 Act, which provides additional investigatory powers, including the power of an authorised officer conducting an investigation to hold an oral hearing.

The Report provides a useful flowchart showing the phases of a statutory inquiry, where the DPC is acting as lead supervisory authority in relation to a cross-border processing issue and a complaint has been lodged with the DPC directly, or the DPC has commenced an inquiry of its own volition. However, the sequencing may be subject to change following completion of the first wave of statutory inquiries, and the crystallisation of the inquiry process at national and EU level in those cases.

Statistics

  • 31 own-volition inquiries opened by the DPC’s Special Investigations Unit (SIU) into surveillance of citizens by the state sector for law-enforcement purposes (concerning surveillance by CCTV, body-worn cameras, automatic number-plate recognition (ANPR) enabled systems, drones and other technologies);
  • 15 statutory inquiries by the DPC under section 110 of the 2018 Act as lead supervisory authority, into GDPR compliance by multinational technology companies, including Facebook and its affiliates (10), Apple (2), Twitter (2), LinkedIn (1);
  • 23 formal requests by the DPC to technology companies seeking information on GDPR compliance.

New Technology Leadership Unit

The DPC has established an advanced technology evaluation and assessment unit, the ‘Technology Leadership Unit’ (TLU). The TLU’s objective is ‘to maximise the effectiveness of the DPC’s supervision and enforcement teams in assessing risks related to the dynamics of complex systems and technology’. The TLU has enabled the DPC to provide enhanced technology-focused internal guidance on ePrivacy, internet protocols and data portability, ad tech and accountability. It is also planning to provide external guidance and training in areas such as Artificial Intelligence and machine learning, ad tech, device ID settings and cybersecurity.

The DPC has received several submissions from privacy advocates concerning the conduct of technology companies in the advertising sector, particularly in relation to behavioural advertising. Issues of concern highlighted to the DPC include: the use of special categories of personal data for profiling purposes; how location data is being used by advertisers; the processing of personal data for advertising purposes without a lawful basis; and individuals not being aware who has access to their personal data.

Statistics

  • The DPC received 16 requests (formal and voluntary) for mutual assistance from other EU data protection authorities in relation to the technology sector.
  • The mutual assistance requests concerned topics such as transparency of processing agreements; privacy notices; the interaction of the GDPR and the ePrivacy Directive, and digital advertising.

Case Studies

Case study 14 demonstrates use of the DPC’s enforcement powers in its investigation of LinkedIn’s “mentions in the news” feature. LinkedIn was forced by the DPC to suspend the service for European users as a result of complaints that the feature was wrongly associating LinkedIn members with media reports of people that happened to have the same name. The DPC stated that this gave rise to concerns around the lawfulness, fairness and accuracy of the personal data processed.

New DPC Consultation Teams

In 2018, the DPC continued its proactive consultation work. The DPC has set up three new dedicated consultation teams, each headed by an Assistant Commissioner, including: (i) public sector and law enforcement; (ii) health and voluntary sector, and (iii) private and financial.

The Consultation Unit has encouraged the development of Data Protection Officer (DPO) networks whereby groups of DPOs in a related area collaborate to share knowledge and experience. The Unit is open to attending regular roundtable forums with DPO networks to advise on sector-specific data protection issues, and ensure best practices become commonplace.

The DPC has also opened a public consultation on the processing of children’s personal data and the rights of children as data subjects under the GDPR, with a closing date of 5 April 2019. Following the consultation, the DPC will work with industry, government and voluntary-sector stakeholders to encourage the drawing up of Codes of Conduct to promote best practices by organisations that process the personal data of children, in accordance with the DPC’s obligation under Section 32 of the Data Protection Act 2018.

Litigation

Prosecutions

The DPC concluded prosecutions against five entities in respect of 30 offences under the e-Privacy Regulations 2011. Case Studies 15-19 discuss prosecutions taken by the DPC for direct marketing offences. These prosecutions were generally taken as a result of the companies failing to heed earlier warnings by the DPC about their direct marketing practices. In the majority of cases, the court ordered, in lieu of a conviction and fine, the company to make a charitable donation and pay the DPC’s prosecution costs.

Litigation in which the DPC was involved

In Nowak v The Data Protection Commissioner [2018] IEHC 443 (12 July 2018), the High Court ruled that where a data subject explicitly limits their data access request, it is legitimate for the organisation to solely provide the personal data specified rather than all the personal data held. In addition, the Court held that in requesting a copy of specific personal data, it is reasonable for the controller to assume that the data subject is not seeking the descriptions of the personal data processed (as provided for in section 4 of the Data Protection Acts 1988 and 2003) (see our previous blog for other Irish DPC litigation from 2018).

CJEU case-law

Last year, the Court of Justice of the European Union (CJEU) delivered a number of important decisions on the concept of controllership, including in the Facebook Fan Pages case (Case C-210/16), and in the Jehovah’s Witnesses’ case (Case C 25/17). Those decisions emphasise that the concept of a ‘data controller‘ should be interpreted broadly. However, that does not mean that every data controller has equal responsibility or has to have access to the relevant personal data to be a ‘data controller‘. The CJEU found that joint controllers might be involved at different stages of the processing to different degrees, so that the level of responsibility (and liability) of each controller must be assessed by reference to all the circumstances of the case.

In another case, Ministerio Fiscal (Case C-207/16), the CJEU was asked to interpret its earlier decision in the Tele2 case. In that case, the CJEU held that only the objective of fighting ‘serious’ crime is capable of justifying public authorities’ access to personal data retained by service providers. It stated that that interpretation was based on the principle of proportionality, namely that serious interference can be justified only by the objective of fighting serious crime. By contrast, the CJEU found in Ministerio Fiscal that where the interference is not serious, access may be justified for the purpose of preventing, investigating, detecting and prosecuting criminal offences generally, so long as such access does not constitute a serious infringement of privacy.

What’s ahead in 2019?

Much new salient case law is expected from the CJEU in 2019. In particular, the Irish High Court’s reference on the validity of standard contractual clauses (SCCs) for transferring personal data out of the EEA is expected to be heard and decided by the CJEU this year. The Advocate General’s opinion and CJEU ruling in the Planet49 case are also eagerly awaited to provide guidance on cookie-based transparency and consent.

In late 2018, the DPC commenced a project to develop a new five-year DPC regulatory strategy, allowing stakeholders input into how the DPC deploys its resources. This will include extensive external consultation during 2019. The strategy will set out the DPC’s regulatory priorities and give insight to organisations and individuals on how the DPC intends to regulate.

Other activities the DPC plans to continue in the coming year include:

  • To monitor new developments in the fintech industry in the use of blockchain, security and big-data processing. It is currently assessing the impact of the Payment Services Directive 2 (PSD2) on the banking sector and the applications that allow third parties to access and deliver payment of services by way of the consent of a customer via his or her bank account.
  • To engage with the private and financial sector in relation to transparency standards to ensure customer notices and privacy policies comply with the GDPR; to better understand the application of emerging technologies to data-processing operations, and in regard to legislative proposals to implement national banking and insurance fraud data bases.
  • To examine the ad tech sector. The DPC has said that the conclusion of some of its statutory inquiries in 2019 should “contribute to answering some of the questions relating to this complex area”.