Keyword is Volume
Helen Dixon, Commissioner for Data Protection (“Commissioner”), has emphasised that the keyword for the DPC in terms of 2019 is volume. This is clearly demonstrated in the statistics highlighted in the Report. This article will provide a summary of the statistics and factors addressed in the Report in the following areas:
• Highlights of the Report – statistical breakdown;
• Increase in complaints – the top categories of complaints received by the DPC;
• Breaches – common areas identified;
• Legal issues encountered by the DPC;
• Supervision – rise in consultation queries;
• Investigations;
• Inquiries;
• Data Protection Officers;
• International affairs;
• Processing of children’s personal data and the rights of children as data subjects;
• Litigation and case studies;
• Regulatory Strategy 2020–2025; and
• Trends and patterns.
Highlights of the Report – statistical breakdown
The press release publishing the Report provides its highlights, which include:
• Complaints - 7,215 complaints received in 2019. 6,904 complaints were dealt with under GDPR and 311 complaints under the Data Protection Acts 1988 and 2003. This is a 75% increase on the total number of complaints received in 2018;
• Breaches - 6,069 valid data security breaches notified. This is an increase of 71% on the numbers reported in 2018;
• Prosecutions - four prosecutions concluded by the DPC in respect of nine offences under the E-Privacy Regulations;
• Contact with the DPC - 48,500 contacts comprising approximately 22,300 emails, 22,200 telephone calls and almost 4,000 items of correspondence via post;
• Inquiries - the DPC had 70 statutory inquiries as of 31 December 2019; 49 domestic inquiries and 21 cross-border inquiries; and
• Data Protection Officers - 712 new Data Protection Officers (“DPO”) appointed in 2019; bringing the total number to 1,596 at year-end.
Increase in complaints - the top categories of complaints received by the DPC
The DPC has stated that over 40% of its resources are devoted to the handling of individual complaints. The Report details the increased number of complaints the DPC has received with 457 cross-border processing complaints received through the One-Stop-Shop mechanism. In addition, 165 new complaints were received and investigated under S.I. 336 of 2011 in respect of various forms of electronic direct marketing. As in previous years, the category of access requests was the highest complaint-type received by the DPC in 2019.
The Report includes the below breakdown of complaints received under the GDPR:
Note: the top five complaints represent 76% of total complaints received.
Breaches – common issues identified
From the Report, the DPC confirms that it undertakes a weekly analysis of breach notifications with some common issues identified including:
• late notifications;
• difficulty in assessing risk ratings;
• failure to communicate the breach to individuals;
• repeat breach notifications; and
• inadequate reporting.
Unauthorised disclosures represent the highest category of breaches reported, amounting to 83% of all breaches. Unauthorised disclosure complaints relate predominantly to emails, letters to incorrect recipients, papers lost or stolen, verbal disclosures and administrative processing errors.
Legal issues encountered by the DPC
The Report broke down the multiplicity of legal issues that the DPC faced including how best to balance the rights of parties in requests for access to inquiry files, claims of legal privilege, confidentiality and commercial sensitivity made over material submitted by parties to inquiries. Similarly, there have been many issues arising concerning the potential conflict of other national administrative laws with the Data Protection Act 2018 (“DPA 2018”). The DPC anticipates that 2020 will involve the reconciliation of many complex legal issues, which will flow from the conclusion of its first waves of statutory inquiries.
Supervision – rise in consultation queries
During 2019, the DPC received 1,420 general consultation queries. These consultation queries act as a starting point for a substantial amount of the DPC’s supervision of controllers and processors. The Private/Financial Sector accounted for 44% of the general consultation queries, with 629 in total for 2019.
The Report highlights that the DPC conducted and concluded its first investigation under the DPA 2018, specifically under the provisions that transpose the Law Enforcement Directive.
An Garda Siochana – This investigation focused on the use of CCTV and Automatic Number Plate Recognition by An Garda Siochana. In the interest of encouraging compliance, a range of corrective powers were exercised by the DPC. This investigation gave rise to a number of linked investigations into the operation of surveillance technologies and mechanisms by Local Authorities in Ireland. Once these investigations are concluded, the intention of the DPC is to publish guidance based on the findings to help strike a balance between state authorities understanding the requirements under the DPA 2018 and ensuring that the public understand how their rights are protected.
Public Services Card – The DPC conducted a thorough investigation into the personal data processing involved in Ireland’s national public services card. The findings were published in August 2019. Amongst the findings published, the DPC found that there was no lawful basis for the mandating of registration for a public services card by organisations other than by the Department of Employment Affairs and Social Protection (“Department”) when issuing welfare payments. The Department rejected these findings and the DPC issued an Enforcement Notice. An appeal was lodged by the Department to the Circuit Court towards the end of 2019. The outcome of the appeal is awaited.
The Report explained that, under section 110 of the DPA 2018, the DPC can conduct two different types of statutory inquiry:
• a complaint-based inquiry; and
• an inquiry of the DPC’s own volition
in order to establish whether an infringement of the GDPR or DPA 2018 has occurred.
Complaint-based inquiry – The DPC has launched complaint-based inquiries into companies such as Facebook Ireland Limited, Instagram (Facebook Ireland Limited) and WhatsApp Ireland Limited for issues such as lawful basis for processing in relation to each company’s Terms of Service and Data or Privacy Policies.
Own volition inquiry – The DPC has launched investigations of its own volition into entities such as An Garda Siochana in terms of the CCTV and licence plate recognition technology as discussed above, along with inquiries into the Catholic Church regarding multiple complaints relating to the right of rectification and right to be forgotten initiated by members of the Catholic Church who no longer want such membership. Having considered the inquiry into the complaints made against the Catholic Church, the DPC opened its own-volition inquiry pursuant to section 110 of the DPA 2018 which was directed at the Archdiocese of Dublin and is currently under review.
Data Protection Officers
The GDPR requires the appointment of a DPO with the necessary professional qualities. In particular, it refers to expert knowledge of data protection law and practice.
The Report includes the below breakdown, by sector, of DPO notifications for 2019:
Binding Corporate Rules (“BCR”) were introduced in response to the need of organisations to have a global approach to data protection where many organisations consisted of several subsidiaries located around the globe, transferring data on a large scale. The inclusion of BCR in the GDPR further solidifies their use as an appropriate safeguard to legitimise transfers to third countries.
The Report details that the DPC continued to act or commenced acting as lead reviewer in relation to 19 BCR applications from 12 different companies.
Processing of children’s personal data and the rights of children as data subjects
Throughout 2019, the DPC has stated it has engaged heavily with expert stakeholders in the area of children’s digital rights and the Report notes that the DPC is now finalising its guidance document on children’s data protection rights and the processing of children’s data. This is intended to be a guide for controllers and the Report states that it will focus on the following:
• How and when children should be able to exercise their data protection rights in their own right and the role of parents or guardians in this regard;
• What information should be given to children about the use of their personal data;
• How the age of digital consent should be implemented for processing based on consent; and
• Under what circumstances the profiling of children for advertising or marketing purposes is permissible.
The Report also outlines that in conjunction with the guidance document, the DPC will be publishing a separate child-friendly guide.
Litigation and Case Studies
The Report provides details of case studies which are helpful in understanding the DPC’s approach to complaints and prosecutions. The case studies relate to a range of topics including the right to rectification, complaints regarding direct marketing and data breaches. The Report also contains summaries of significant judgments delivered by the European Court of Justice (“CJEU”) during 2019. This includes (i) the Irish litigation concerning standard contractual clauses and the subsequent referral to the CJEU and (ii) the DPC’s investigation in relation to the public services card as mentioned above.
Regulatory Strategy 2020–2025
The DPC continued its work on its new Regulatory Strategy 2020-2025. Following on from two public consultations last year, the Report informs us that the DPC plans to open a further public consultation during 2020. Accompanying this will be a Strategy Implementation and Measurement Plan, which will set out how the strategic priorities will be implemented through key projects and initiatives.
Trends and Patterns
The DPC, through analysis of the issues brought to its attention, also identifies emerging trends and patterns that are of concern to individuals and organisations. The Report identified the following areas where the DPC provided support to individuals throughout 2019:
• CCTV — particularly in the context of neighbour disputes and the application of the domestic exemption;
• Access requests for children — queries from individuals and organisations seeking clarification as to how they should respond accurately, appropriately and in the child’s best interests;
• Establishing who holds one’s personal data — requests relating to medical practices that have closed and patients who are unable to establish who is now in control of their personal data;
• HR/Employment disputes — specifically workplace surveillance, sharing of information in the context of those disputes and the redaction of third party data in response to employee access requests;
• Exam information — in particular relating to examiner’s notes; and
• Photography — particularly as it relates to consent, publication and artistic exemptions.
The Commissioner has stated in the Report that “2020 is going to be an important year”. The judgment of the CJEU in respect of the standard contractual clauses is expected, along with the first draft decisions on big tech investigations being brought by the DPC through the consultation process with other EU data protection authorities. The Commissioner has shared her hopes that the DPC can create the space “to move off “first principles” of GDPR (lawful basis, controller/processor) and really move into the meat of “data protection by design””. No doubt, 2020 will prove to be a very exciting year in terms of data protection for individuals and organisations alike.