On 3 April 2019, the Joint Committee on Justice and Equality met to discuss the implementation of the GDPR with Ms Anna Morgan (Deputy Commissioner), Ms Jennifer O’Sullivan (Deputy Commissioner), and Mr Cathal Ryan (Assistant Commissioner). The Commissioners discussed a range of issues, including the enforcement powers used by the Data Protection Commission (DPC) post-GDPR, the difficulties with verifying parental consent in relation to the provision of information society services to children, and the DPC’s experience of resolving data access requests by amicable resolution. This note highlights some of the Committee’s questions (in abbreviated form), and the responses given by the Commissioners.
Engagement with Technology Companies & Statutory Inquiries
What engagement has the DPC had with the various technology companies?
Ms Morgan explained that the DPC has always reinforced the importance of an ongoing dialogue with multinational technology companies to drive better awareness and increased understanding of data protection law. The DPC’s ongoing dialogue with technology companies has resulted in the DPC becoming aware of the potential roll-out of products and services, where it can input into the data protection compliance of those products and services and influence the technology companies on the manner in which they intend to move forward where it perceives risks to data subjects.
The statutory inquiries the DPC has opened involve a completely different process to its consultation and engagement function. Those statutory inquiries, 15 of which were opened into the multinational technology sector during 2018, have as their ultimate objective the reaching of a decision on whether there has been an infringement of one or more of the GDPR rules. Some of these inquiries were commenced in response to complaints, and others undertaken of the DPC’s own volition. Ms O’Sullivan noted that the inquiries cover a range of data protection matters, including transparency obligations and the legal basis for processing. In light of the personal data breaches reported by two companies, the DPC is also examining the organisational and security measures of those companies under the format of a statutory inquiry.
There are a number of stages to a statutory inquiry process, which are quite formalised. Ms Morgan highlighted that the DPC’s Annual Report (May-December 2018) refers to the overall linear process, including a graphical depiction of the statutory inquiry process in national and cross-border (i.e. one-stop-shop) inquiries. In essence, the national level process involves: setting the scope of the inquiry, information gathering, and applying the law to the evidence gathered to assess whether there is an infringement of the law by the controller or processor. A draft inquiry report is prepared by a DPC investigator setting out its findings, which the parties may make submissions on. The investigator will then prepare a finalised report for the DPC decision-maker, who will consider the report, and make a draft decision in relation to whether there has been an infringement. The DPC is then engaged to make a final binding decision, and if an infringement has occurred whether a corrective power should be applied.
When will decisions and outcomes emerge under the GDPR investigations?
Ms O’Sullivan confirmed that none of the 15 statutory inquiries into multinational technology companies have been completed, as they all need to undergo the EDPB consultation process (i.e. the one-stop-shop procedure). She emphasised that there is a very structured, formal, robust and consistent approach that the DPC needs to take in relation to these statutory inquiries. The latter elements of the statutory inquiry process include engagement with concerned data protection authorities (DPAs). The DPC is obliged to consult with those DPAs as it nears the decision-making process. It must submit a draft decision to those DPAs which they are entitled to examine and submit reasoned and relevant objections on. The DPC must take account of those objections, consider whether they have a bearing on the draft decision and seek a consensus. Ms O’Sullivan noted that this process evidently takes some time.
Domestic Statutory Inquiries
A further 33 domestic statutory inquiries are under consideration. Do any of those domestic statutory inquiries apply to any of the banking institutions functioning in this jurisdiction?
Ms Morgan explained that 31 of the domestic statutory inquiries the DPC has opened relate to the use of CCTV and other types of electronic surveillance of citizens for law enforcement purposes by local authorities. Of the other two inquiries, one relates to a series of data breach notifications made to the DPC relating to Tusla, so it is examining the security issues around those data breach notifications. The DPC’s Annual Report (May-December 2018) notes that the final inquiry relates to allegations of an infringement of Article 38 (Data Protection Officer) of the GDPR by the Department of Employment, Affairs and Social Protection. It also clarifies that these 33 domestic inquiries are own-volition inquiries by the DPC.
Insofar as the financial sector is concerned, Ms Morgan stated that the DPC receives a lot of complaints from consumers regarding banks and insurance companies. In addition, a large proportion of the data breach notifications received by the DPC relate to banks and insurance companies. The DPC is currently considering whether or not there is merit in opening statutory inquiries of its own volition with regard to that ongoing stream of breach notifications. From analysing the breach notifications, Ms Morgan noted that organisational security measures remain a big risk and a large number of breaches relate to unauthorised disclosure that should not have happened, such as a bank statement or an insurance policy being sent out to the wrong address or an old address.
How are statutory inquiries initiated?
Under section 110 of the 2018 Act, the DPC can initiate a statutory inquiry of its own volition or it can commence an inquiry which is complaint-led. Ms Morgan noted there are a range of factors which will influence the DPC’s decision on whether to commence an inquiry of its own volition. For example, if it sees trends or patterns which point to particular issues within a sector or specific organisation and which raise wide-scale concerns regarding the processing of personal data. Factors such as the volume of data subjects being affected, along with different types of processing operations, and the different types of data being processed will be relevant. In addition, there are special categories of personal data that merit particular protection under the GDPR. Equally, issues may be brought to the DPC’s attention by privacy advocacy groups, the media or elected representatives. The DPC may also be alerted to particular issues by other sources, including its own internal monitoring of issues, breach notifications, complaints and trends raised by queries submitted to its information and assessment unit.
Audits & Inspections
Does the DPC carry out unannounced visits in terms of its audit, inspection or inquiry? Give me a sense of the nature of this relationship with the Facebooks of this world.
Ms O’Sullivan confirmed that the DPC has not yet used its powers to conduct unannounced inspections in the context of the 15 statutory inquiries it has opened into multinational technology companies. She stated: “Our relationship with these big multinational technology companies is multifaceted. At the hard-edged enforcement side of it, we have our statutory inquiries that are open. I mentioned that we have not considered those to be investigations, which give us more powers, and we have not used unannounced inspections in those inquiries to date. The nature of the engagement with these companies on these particular statutory inquiries is quite formal. There is a significant amount of correspondence which relates to the fair procedure that we must adopt in these inquiries. Ms Morgan mentioned the right to be heard, the requirement for these organisations to be allowed to make submissions at the various stages of the investigation, and it is quite a formal written type of engagement…”
Ms O’Sullivan also noted that the DPC engages formally with these organisations when the DPC receives intelligence, media reports or submissions, in a pre-inquiry stage. That engagement involves a combination of the following kinds of dialogue: in-person meetings; written correspondence; and the DPC reviewing submissions the companies make on the matter. The DPC may also engage with such companies in circumstances where the company wants to give the DPC an update on their general data protection activities.
Use of Quasi-Judicial Powers by Authorised Officers
Has the power in section 137 [of the 2018 Act] that requires people to attend before the authorised officer been invoked?
Section 137 represents a particular set of powers that can be invoked by authorised officers of the DPC in the context of a statutory inquiry. The authorised officer can, for example, hold an oral hearing and require a person to answer questions under oath. It provides authorised officers with more extensive powers than the standard powers set out under section 130 of the 2018 Act. Ms Morgan confirmed that the power in section 137 has not been activated to date, and that the question of what powers are exercised at what point of an inquiry will depend on the context, the level of co-operation by the organisation in question, and the manner in which the DPC needs to go about gathering evidence and collating information on the scope of the particular inquiry.
Online Safety & Children
Does the DPC have a view on a digital safety commissioner and on the debate on fake news?
Ms Morgan highlighted that a public consultation process has been launched by the Government in relation to new online safety laws, which would provide for the appointment and powers of a digital safety commissioner. The legislation would also transpose the EU’s audiovisual media services directive. Ms Morgan noted that insofar as there is an intersection between data protection and issues of online safety, it occurs in relation to children in particular. DPAs have a newly enunciated obligation under Article 57 of the GDPR to drive public awareness and understanding of the risks arising in relation to the processing of children’s personal data.
Ms Morgan stated that the DPC has been trying to identify methods by which it could better raise awareness and drive good practices among organisations, particularly in the online sector, in regard to processing children’s data. For that reason, the DPC launched a consultation process at the end of 2018, which seeks submissions on a range of issues such as what methods organisations should use to convey transparency information to children to enable them to understand what is happening to their data. It also covers issues such as the appropriate age at which a child should be able to exercise his or her data protection rights, such as making an access or erasure request, because the GDPR is silent on that issue.
That consultation is ongoing and at the end of the process, the DPC’s intention is to produce best practice guidance for organisations on the use of children’s data and, guidance for children which will be written in accessible and easy to understand language to help them to better comprehend the issues around sharing information online. The DPC also aims to use the outputs of the consultation to encourage industry members to come together and produce codes of conduct concerning the processing of children’s data.
Digital Age of Consent & Verification Measures
How is the digital age of consent being implemented? Have many complaints been made about breaches of the legislation? Has there been any investigation into breaches of the legislation?
Ms Morgan noted that one of the core issues the DPC is considering in its public consultation on the processing of children’s data is how organisations can adequately verify age, to identify whether a child falls below or above the digital age of consent threshold (namely 16 years of age). Connected to that, there is the obligation on organisations and online platforms to verify parental consent in regard to that processing.
The methods of verifying age which have been found culturally acceptable in the US have not gone down well in Europe. Ms Morgan highlighted that a range of different methods have been used by organisations, some of which have been based on the Children’s Online Privacy Protection Act (COPPA) 1998 in the US. COPPA is detailed legislation that specifically sets out a range of different techniques, whereby organisations can potentially attempt to verify that the holder of parental responsibility has given consent to the processing. One of the methods referred to in the legislation is the use of micro-payments on a credit card, the theory being that somebody over the age of 18 years will have access to a credit card. The DPC is aware that certain online organisations and companies rolled out this measure as a means of verifying whether consent had been adequately given, and that those companies have received criticism from parents who believed that the gathering of this additional financial information was excessive and disproportionate to the obligation on the organisation to verify parental consent.
Ms Morgan further noted that there are mechanisms such as age gating, which organisations use to verify children’s age by asking for a date of birth, and giving only a certain number of attempts to demonstrate that they are over the age of digital consent. She stated that lots of different sectors and jurisdictions have struggled with this and the DPC is examining how to implement an effective age verification method, bearing in mind that when a platform tries to collect the age of users it will lead to the collection of age information on all users, which raises issues around the excessive collection of personal data under the GDPR. The DPC hopes that its consultation will throw some light on what may be best practice for organisations.
Data Access Requests & Amicable Resolution
In terms of the number of complaints received, access rights complaints were the biggest issue. What enforcement options are available if an access request complaint cannot be resolved amicably?
A significant proportion of data access requests relate to the one-month deadline being missed and a further significant proportion concern the completeness of the information provided. Ms O’Sullivan noted that when the DPC receives a query, concern or complaint from an individual, it generally seeks, initially, to resolve the matter amicably between the individual and the organisation. It is not the case that each complaint ultimately ends up as an investigation. That is particularly true in the case of access requests if it seems like the issue is specific to the case. However, she warned that the achievement of an amicable resolution in a given case does not preclude the DPC from continuing to examine the issue in a more systemic way.
Ms Morgan emphasised that, as outlined in a number of case studies in the DPC’s Annual Report (May-December 2018), amicable resolution is a valuable method for achieving the vindication of the rights of data subjects. She stated that, in the DPC’s experience, most data subjects who make complaints are satisfied when they achieve the vindication of whatever right they had been trying without success to exercise against the data controller; for example, when they have received the information they sought in an access request or achieved the erasure of information. Generally, it is not necessary to take further enforcement steps.
In circumstances where the DPC encounters difficulties in getting a data controller to comply with a data subject’s request, section 109(5) of the 2018 Act gives the DPC power to issue enforcement notices to direct the data controller to do a number of things, such as comply with a particular request or notify a data breach to an individual if that has not already been done. The DPC also has a range of more general enforcement powers where a complaint might turn into a statutory inquiry.
Prior Consultation with the DPC
In responding to requests from the Department of Justice and Equality for observations on new and draft legislation, would the DPC think it appropriate to release its replies to the Members of the Houses or the respective committee?
Article 36 of the GDPR requires members of Parliament to consult with the DPC during the preparation of a proposal for a legislative measure relating to the processing of personal data. Between May – December 2018, the DPC reviewed and provided observations on 25 items of primary or secondary legislation.
Mr Ryan agreed that it would be useful if the DPC’s observations on draft legislation were published. He stated that the DPC had previously considered publishing all of its replies, “but the problem is that our replies may have to be collated together over a period of time to get an overall sense. We may, for example, only get a question on a specific policy approach that is intended to be given legislative underpinning. Instead of looking at a heads of Bill, a piece of legislation or a whole Bill we may sometimes only get a policy approach on where a body is going and we would be involved at that level. We have looked at consultation and publication of our responses because not only would it help the Department it would also give transparency, and other Departments would learn of the particular approach taken or the way a data protection authority has viewed a certain matter. With the creation of online registers for a public sector body, for example, in the recent past we have given observations many times on our views around the creation of online registers and the publication of same on websites. Instead of only the recipient of those observations learning from that, I am very happy to share them out.”
Does the DPC anticipate any impact on its role with the advent of Brexit, whether by crash-out or agreement?
Ms O’Sullivan noted that the DPC has been engaged heavily in Brexit preparations for the past several months. The transfer of personal data outside the EU is a central element of EU data protection law and is taken very seriously because the relative standard of protection for personal data is so high in Europe. Both the DPC and the EDPB have issued guidance on how personal data can continue to be transferred to the UK post-Brexit. If the UK leaves without a withdrawal agreement, it will be considered a third country. Ms O’Sullivan stated that for regular organisations, the simplest and quickest method to transfer personal data to the UK will be standard contractual clauses.
DPC Staffing & Budget
Ms Morgan noted that the DPC’s budget for 2019 is €15.2 million, which is a dramatic increase from the €1.7 million allocated for 2013. The DPC intends to recruit further staff this year, particularly in the legal, technology and investigatory functions, with the aim of having 165 staff by the end of 2019. Based on the increasing volume of matters that it is dealing with, the DPC anticipates that 190 staff will be needed by the end of 2020, and 220 staff by the end of 2021.
The Full Debate is available here.