The new Irish Data Protection Commissioner (‘DPC’) Helen Dixon has published her annual report for 2014. The following are some of the highlights which are grouped below under relevant themes:
Importance of DPC’s role and independence
In the introductory section the DPC informs us that Christopher Graham, the UK Information Commissioner, sat on the interview board which appointed her as DPC. This was presumably done to ensure an objective and reasoned appointment to such an important role, and it will perhaps further strengthen the good working relationship which the Office of the DPC and the UK ICO have had for many years.
The DPC acknowledges Ireland’s role as the chosen home for the European HQs of many leading global technology companies and the role of the DPC in regulating the activities of these companies from an EU wide perspective.
The report mentions the appointment of an Irish Government Minister with a specific brief for data protection for the first time (Dara Murphy TD, Minister of State with Special Responsibility for European Affairs and Data Protection) which the DPC regards as the Irish Government’s recognition of the increased importance of data protection and its cross-border nature. In this regard, the DPC is keen to emphasise the independence of her Office from the Irish Government.
One of the historical criticisms of the DPC is that it was under-resourced. The DPC stresses the substantially increased resourcing of her Office (roughly a doubling in both staff and budget) and her goal of securing considerable further increases in the near future.
The DPC states that effective data protection in Europe will continue to demand close cooperation between stakeholders, including other data protection authorities. The DPC lists increased international cooperation, including with the Article 29 Working Party, among her immediate goals. This broad view is extended further in the report, which gives examples of cooperation between the Office of the DPC and data protection authorities in Canada, Australia and the US during an investigation in 2014 that led to “more rapid outcomes than might otherwise have been the case”. This increasingly global approach to data protection in Ireland and abroad will be watched very carefully by international companies and financial institutions, which may need to take a more joined-up cross-border approach to data privacy, treating the data of all of their customers (wherever they are located) in a similar manner and to at least a minimum baseline privacy standard.
Lead regulator in doubt
While the report states that the Office of the DPC continues its role as lead data protection regulator of an increasing number of multinational technology companies (as it did in recent high-profile audits of social media companies with European HQs based in Ireland), there is an acknowledgement that the concept of establishment, and hence which data protection law applies, is now in doubt due to a Court of Justice of the EU case. This is almost certainly a reference to the Google Spain case, which received much attention in relation to the ‘right to be forgotten’ but not enough attention in relation to the (new / clarified) test for establishment laid down in that case. The DPC suggests that we will have to wait for the proposed EU Data Protection Regulation to get clarity on this.
Privacy by design and consultation
The DPC speaks about being involved in a consultative capacity with several multinationals in the social media and technology spaces in relation to new product and service launches, as well as with the Irish public sector, which she states is an effective way to ensure data protection is built into projects from the start. The proposed EU Data Protection Regulation contains provisions dealing with so-called ‘privacy by design’ which serve the same purpose. In case there was any doubt, privacy by design is now very much a part of the Irish data protection landscape, in particular for information-rich multinationals and large domestic companies. Lack of prior consultation with the DPC in this regard may lead to a greater risk of investigation and audit.
Data security breach notifications
The number of data security breach notifications is increasing year on year. In 2013, 1,507 notifications were received, rising to 2,188 in 2014. In this regard, the DPC emphasises the need for all organisations to comply with the relevant data security requirements of data protection law and best practice, which includes the need to consider data security on a regular basis, saying that “what may have been an acceptable standard five years previously may not now be acceptable and security arrangements must be periodically reviewed”.
Privacy audits, although very time-consuming and resource-intensive for the Office of the DPC, are increasingly prevalent. The Office conducted 38 audits and inspections during 2014, including audits of high-profile global social media organisations and the Garda Síochána (the Irish police force). The report suggests that priority will continue to be given to identifying audit targets among information-rich multinational technology companies with establishments in Ireland and among processors of large amounts of personal data in the Irish public sector.
Binding Corporate Rules (BCRs)
It is notable that the DPC is currently acting as the lead authority in two BCR applications and in 2014 acted as co-reviewer on three separate BCR applications. More and more multinationals with European operations are looking to ‘future-proof’ their international data transfer operations using BCRs, and we expect this trend to increase further in the next few months with the proposed Data Protection Regulation being negotiated in the background.
Data subject access requests
The DPC comments that a number of multinationals and large companies do not appear to be adhering to the 40-day period for providing the relevant information in response to data subject access requests. The majority of these companies, the DPC says, “are well aware of their data protection obligations and have no legitimate excuse”. In relation to one example the DPC says it expects to see a marked improvement. This is an area where we can expect a big push from the DPC for strict adherence to the 40-day deadline and, as a result, more enforcement, including ‘naming and shaming’ of non-compliant organisations.
The total number of complaints opened for investigation during 2014 was 960. The report shows that access rights, electronic direct marketing, disclosure and unfair processing of data account for the largest shares of the complaints received. Complaints are, generally speaking, on an upward trend year on year, with the exception of direct marketing, where the number of complaints fell. This year-on-year increase in investigations is not a surprise in view of the much greater awareness of data protection rights among European residents and the considerably greater media attention given to the subject.