The Data Protection Commissioner recently published her Annual Report for 2016. It is clear from the report that 2016 was another busy year for the office of the Data Protection Commissioner (“ODPC”), with activity across all of the ODPC’s main functions, such as investigation and enforcement, consultation and guidance, audits/inspections and notifications.
Key issues and developments described in the 2016 Report include:
GDPR: As would be expected, the Report notes that the next 12 months will be focused on the General Data Protection Regulation (“GDPR”), which will come into effect on 25 May 2018. The Report also states that GDPR readiness will have to include taking account of the emerging implications of the UK’s exit from the EU.
There are a number of provisions in the GDPR where Member States are permitted or required to exercise a limited margin of discretion as to the application of a particular provision. For that reason, national legislation to give effect to those articles is required. During 2016, the ODPC engaged extensively with officials from the Department of Justice and Equality in relation to the preparation of the draft legislation, which will be required to give effect at a national level to the relevant articles of GDPR. However, we still await publication of the draft legislation.
Adoption of the Privacy Shield: The ODPC notes that the new framework for the transfer of personal data from the EU to the US, called Privacy Shield, was adopted by the European Commission on 12 July 2016 as the replacement for the Safe Harbour regime, which was struck down by the Court of Justice of the European Union on 6 October 2015.
EU/US Umbrella Agreement: The EU/US Umbrella Agreement, which sets out a high-level data protection framework for EU-US law enforcement co-operation, was signed on 2 June 2016 and entered into force on 1 February 2017.
The ODPC received and investigated 1,479 complaints in 2016, a large increase from the 932 received in 2015. As in previous years, the majority of complaints involved data access requests, with 835 complaints, up from 578 last year. The next highest figure was 176 complaints in relation to disclosure of data, a large increase from 94 complaints in 2015. The number of complaints concerning electronic direct marketing remains relatively static, with 118 received in 2016 compared to 104 in 2015. Other complaints received related to unfair processing of data, failure to secure data, use of CCTV footage and the right to rectification of data.
Data Breach Notification
During 2016, the ODPC received 2,301 data security breach notifications, of which only 77 were deemed to be non-breaches, resulting in a total of 2,224 valid data security breaches. This represents a 4.18% decrease on the valid breach notifications reported in 2015.
Similar to 2015, the majority of data security breaches were the result of an unauthorised disclosure, such as improper disposal of data, third-party access to personal data or unauthorised access to data by an employee. Under current Irish law, only telecommunications and internet service providers have a legal obligation to notify the ODPC of a data security breach; however, notification by other data controllers is recommended best practice in accordance with the ODPC’s Personal Data Security Breach Code of Practice. Once the GDPR comes into force in May 2018, all data controllers will be subject to mandatory reporting obligations in relation to personal data security breaches.
Engagement with Multinational Organisations
The ODPC continued its engagement with multinational organisations in Ireland, including LinkedIn, Facebook, Apple and Google, on topics including privacy by design and cookie usage and notifications. The supervision of multinationals is now being delivered by the new Multinationals and Technology team at the ODPC. The team now leads on all consultations, investigations and audits that relate to cross-border processing by multinationals. The Report notes that once the GDPR comes into force on 25 May 2018, the ODPC will be the lead data-protection authority for the regulation of multinationals that have their ‘main establishment’ in Ireland under the one-stop-shop model.
Public Sector Bodies
Although the Report notes some encouraging improvements in the engagement between the ODPC and public sector bodies, there are also a number of criticisms of practices within the public sector. In particular, the ODPC notes that public sector bodies and government departments have in many cases been slow to adjust to the reality that data-protection rights cannot simply be legislated away without appropriate proportionality analyses and prejudice tests being applied.
Consultation & Guidance
The ODPC was consulted and asked for guidance in relation to data protection issues relating to a number of projects in the public and private sectors, including genetic data and health research, public services cards and the Credit Reporting Register. In addition to GDPR-related guidance, in 2016 detailed guidance was published on issues such as data sharing in the public sector, anonymisation, and location data.
The ODPC carried out 50 audits and inspections in 2016. Audits are sometimes supplementary to investigations carried out by the ODPC in response to specific complaints. The Report states that the ODPC’s technical-audit capability was significantly strengthened during 2016 by the establishment of the Multinationals and Technology section.
The Report notes that in 2016 the ODPC conducted a series of in-depth audits in connection with access to data retained by communications service providers under the Communications (Retention of Data) Act 2011. These audits focused on the State agencies that are permitted under the Act to make requests for data from the communications service providers (i.e. An Garda Síochána (including GSOC), the Revenue Commissioners, and the Defence Forces).
A number of retail outlets written to by the ODPC as part of a data protection sweep on credit cards were selected for audit in order to learn more about the retention of credit-card details by retailers. Themes identified in the 2016 audits include issues surrounding employers seeking PPS numbers, data retention, security of sensitive data, CCTV policy and signage, illegal use of enforced subject access requests, computer-system user accounts, security of postal arrangements, and marketing.
2016 saw the establishment of a centralised legal unit within the ODPC. As part of the ODPC’s ongoing drive to increase transparency and the information available to the public on its activities, an online Judgments Database was launched on its website in December 2016.
The ODPC issued two statutory enforcement notices in connection with investigations, which obliged data controllers, subject to criminal penalty, to comply with the ODPC’s directions in relation to the collection, keeping and use of personal information. The ODPC also drafted a number of information service notices. None were issued as the data controllers concerned responded in all cases when they were advised that formal action by the ODPC was imminent.
On 31 May 2016, the Data Protection Commissioner commenced proceedings in the Irish High Court seeking a reference to the Court of Justice of the European Union in relation to the validity of standard contractual clauses. The hearing of the proceedings before the Irish High Court (Commercial Division) took place over 21 days in February and March 2017. Judgment has been reserved and, as of the time of going to print, no indication has been given as to when judgment will be delivered. It is interesting to note that the Report states that one of the ODPC’s main goals for 2017 is securing a reference to the Court of Justice of the European Union on the validity of standard contractual clauses.
2016 was the first full year of operation of the Special Investigations Unit. The unit was established primarily to carry out investigations on its own initiative, as distinct from complaints-based investigations.
Binding Corporate Rules & Google Common Position Application
During 2016, the ODPC acted as lead reviewer in relation to seven Binding Corporate Rules applications that will be finalised in 2017. It also acted as co-reviewer in four Binding Corporate Rules applications, two of which were approved in 2016. The Report envisages that with the recognition of Binding Corporate Rules as a tool to transfer data under the GDPR and the introduction of a one-stop-shop mechanism, there will be an increase in such applications and cooperation among EU Data Protection Authorities.
During 2016, the ODPC also acted as lead reviewer for Google’s WP 226 application, which involved an assessment of whether the terms of the Google-modified contracts were in line with the standard contractual clauses for controller to processor transfers adopted through an adequacy finding of the Commission in 2010. Although this was not a Binding Corporate Rules application, it is an example of another cooperation procedure engaged in by the ODPC with other EU Data Protection Authorities.
The case studies included in the Report highlighted the wide ranging issues that the ODPC deals with, including the following:
- Marketing offences: These offences included sending unsolicited marketing emails, telephone calls, and text messages. The companies involved were ordered to pay between €300 and €5,000 in the form of charitable donations.
- Further processing of an individual’s personal data in an incompatible manner: A waste management company was found to be in contravention of Section 2(1)(a) of the Data Protection Acts 1988 and 2003 (the “DPA”) in that it unfairly processed personal data without sufficient notice to its customers. This case involved the transfer of a waste management business from one provider to another, and the associated transfer of customer data. Although customers were informed of the transfer of their data, the interval between the notification and the transfer of services spanned less than four working days. This was found to be insufficient by the ODPC.
- Personal data withheld from an access request on the basis of an opinion given in confidence: This case involved an accommodation-booking website which failed to provide a guest with a particular email about him under an access request. The email had been sent to the website by the accommodation provider and related to a complaint by the accommodation provider about the guest. The website withheld the email on the basis that it consisted of an expression of opinion given in confidence, which under Section 4(4A)(b)(ii) of the DPA, is exempt from the right of access. The ODPC found that the exemption did not apply in the circumstances, and reiterated in the Report the position in its guidance that opinions given in confidence must meet a high threshold of confidentiality for the exemption to apply.
The case studies reflect the proactive approach that the ODPC takes towards monitoring and enforcing compliance with the DPA, and underline the importance for organisations of fairly and correctly using the personal data of their employees and customers.