The Data Protection Commissioner’s annual report for 2017 highlights her Office’s activities on a number of fronts, including complaints, security breaches, prosecutions, investigations, and preparation for the General Data Protection Regulation. As the last annual report to be issued prior to the coming into effect of the GDPR, it is a timely bellwether for her Office's approach to those issues.
The increase in the activities of the Data Protection Commissioner (‘DPC’) has been matched by an increase in resources, with a budget of €7.5 million for 2017 (increasing to €11.7 million in 2018), and a significant increase in staffing levels.
The annual report details both an increase in the number of complaints received – most of which arose from data subject access requests – and a record number of data breach notifications, the majority of which related to the financial services sector.
The DPC brought a number of prosecutions in relation to private investigators and direct marketing activities, and conducted investigations in relation to the handling of medical files in public areas of hospitals, the governance of personal data in case management files by the Child and Family Agency (‘TUSLA’), and the introduction of the controversial Public Services Card.
The DPC also appeared before the High Court in ongoing litigation relating to the validity of standard contractual clauses facilitating the transfer of data outside the European Economic Area.
The DPC has focussed her office's resources on preparing for the General Data Protection Regulation (‘GDPR’) in advance of the transposition deadline on 25 May 2018, with a dedicated GDPR Awareness and Training Unit established and an associated microsite launched.
The DPC makes a number of interesting observations in relation to Mr Justice Murray’s Review of the Law on the Retention of and Access to Communications Data, issued in October 2017, commenting that the Government should immediately prioritise the re-working of the existing legal framework for access to retained data, and that maintaining the status quo is, in the DPC’s view, 'simply not an option'.
The coming year will likely see the establishment of a new Data Protection Commission to act as the supervisory authority for the purposes of the GDPR, with significantly increased enforcement powers, and with provision made for the appointment of an additional two commissioners.