The Data Protection Commissioner (“DPC”) recently published her annual report for 2017. In addition to providing useful information on the activities of the Office of the Data Protection Commissioner (“ODPC”) last year, the Report provides welcome insights on how the ODPC is preparing for the GDPR and areas that are likely to receive particular attention once the new regime becomes applicable in May 2018. Organisations who are or will be subject to the jurisdiction of the Data Protection Commission (the new body that will be established as a successor to the DPC) should heed the warnings and avail of the tips contained within the Report.
Key issues and developments described in the 2017 Report include:
1. Further Growth of the ODPC - According to the DPC, 2017 was the year in which the ODPC moved into a different gear as a data protection authority, with its significantly increased budget and human resources enabling it to be prepared for its key role under the GDPR. The ODPC now considers itself to be among the top tier of the most highly resourced national data protection authorities in the EU. Under the draft Data Protection Bill 2018, it is also envisaged that the Data Protection Commission will have particularly robust and wide ranging legal and enforcement powers.
2. Complaints and Queries - The ODPC received a record number of complaints in 2017, with 2,642 complaints being received and investigated this year, up from 1,479 in 2016. As in previous years, the majority of complaints involved access requests, which made up 52% of total complaints. Organisations reviewing their policies for dealing with data subject requests should take note as the scale of such complaints is likely to increase given the extension of such rights under GDPR. General consultation queries increased significantly in 2017 to a total of 1,818, up from 1,078 in 2016 and 860 in 2015. Unsurprisingly, according to the Report almost every query received in 2017 related, either directly or indirectly, to the GDPR.
3. Data Breach Notifications - The number of data breach notifications also increased in 2017 with 2,973 received compared to 2,301 the previous year. The majority of these notifications (which are currently made under a voluntary code of practice, except by telecommunication service providers who are subject to mandatory reporting obligations) came from the financial services sector. As in previous years the most common examples of breaches involved inappropriate handling or disclosure of personal data; loss of personal data contained on devices, USB keys and in paper files; and network security compromise or website security breaches. The Report noted that in many cases, organisations who incurred personal data security breaches were not aware that what had occurred constituted a breach.
4. Engagement with Multinationals - As part of its outreach and investigation functions the ODPC held over 100 meetings with multinational companies this year. Many of these meetings involved companies seeking guidance on GDPR readiness programmes and the new lead data protection authority/ “one stop shop” mechanism under GDPR. It also conducted audits of certain multinationals. Key issues which emerged from such audits included a perceived overreliance on global security policies, a lack of transparency in privacy policies, a lack of defined data retention policies and an overreliance on data processing contracts with third party processers as a means of compliance without appropriate verification and oversight of their processing practices.
5. Cooperation with European Data Protection Authorities - The ODPC played an active role in the Article 29 Working Party and, among other things, served as the lead rapporteur in relation to the production of the Working Party’s draft Guidelines on Transparency. The DPC has stated on many occasions that the Data Protection Commission will focus particular attention on compliance with the Transparency principle. The DPC/Data Protection Commission will also act as lead rapporteur on proposed guidelines on Codes of Conduct under the GDPR, which are intended to be published in mid-2018. In addition, the DPC intends that her office will engage in more intensive cooperation with other EU data protection authorities in cases relating to cross-border processing, once the GDPR becomes applicable. Such cooperation already occurs under current law and the Report refers to cooperation by the DPC with the Dutch DPA in connection with the processing of Dutch National Identity Numbers by Airbnb Ireland.
6. Electronic Marketing - The ODPC received 215 complaints in relation to electronic marketing in 2017. 146 complaints were investigated and the majority of these related to email marketing. 6 entities were prosecuted for multiple offences in respect of unsolicited electronic marketing. A number of the convictions resulted from the failure of the businesses in question to provide properly functioning ‘unsubscribe’ systems. All of the companies prosecuted had previously received a warning from the ODPC or had previously been prosecuted for similar offences. Financial penalties were imposed ranging from €500 to €5,000 and some organisations agreed to make a contribution to the prosecution costs of the DPC.
7. Data Retention - The Report called on the Government to immediately prioritise the re-working of the existing legal framework for access to retained data (currently provided for by the Communications (Retention of Data) Act 2011) following the publication of the Murray Report in October 2017, noting that the failings identified in that report along with the requirements identified by the CJEU in Tele2/Watson “means that retaining the status quo as it presently applies in this jurisdiction is simply not an option”.
8. Litigation - The Report refers to recent data protection cases of note, not least the DPC’s application to the High Court in the case of Data Protection Commissioner v. Facebook Ireland and Maximilian Schrems concerning the validity of standard contractual clauses. The Report noted that while the questions to be referred have yet to be finalised, a reference to the CJEU could be expected in this year. The DPC welcomed the determination of the matters raised in the case, stating that it “will ultimately assist all stakeholders in their understanding of the requirement of EU data protection law to demonstrate adequate protection in the territory to which personal data of EU citizens is sought to be transferred and bring clarity to the relevant tests for comparison between the EU data protection regime and other jurisdictions”.
9. Data Protection Bill - The Report noted that the ODPC has provided contributions to a number of Oireachtas committees engaged in pre-legislative scrutiny of Bills dealing with data protection issues. In particular, the Report reiterated the DPC’s serious concerns about the proposal that Irish public bodies will not be subject to administrative fines for breaches of the GDPR, except where they are acting as ‘undertakings’ and competing with private sector entities. The DPC states that “public bodies must be standard bearers for the highest standards of data protection, but unfortunately numerous historical examples have shown that government departments often struggle at least as much as private enterprises with compliance”.
10. Key Investigations - 91 audits/inspections were carried out by the ODPC in 2017 across a broad range of sectors and organisations. The ODPC also participated in the 5th annual Privacy Sweep of the Global Privacy Enforcement Network which focussed on the use of e-receipts and online travel services. The Sweep found that in 94% of cases, retailers offering e-receipts to customers provide no information with regard to the processing or deletion of email addresses gathered for this purpose.
Some of the more large-scale investigations concerned:
- The Hospital Sector: The Special Investigations Unit opened an investigation into the processing of patients’ sensitive personal data by hospitals. Although the final investigation report has yet to be published, the Report notes that matters of concern found in the 20 hospitals inspected included concerns about controls in medical record libraries, storage of confidential wastepaper baskets within the hospital setting and lack of privacy when discussing medical and personal issues. The ODPC intends to seek an action plan from the hospitals concerned to implement recommendations which will be provided in the final report and to monitor implementation over the following twelve to eighteen months.
- The Public Services Card: Following widespread media coverage and the receipt of numerous concerns from members of the public, the ODPC engaged in detailed correspondence with the Department of Employment Affairs and Social Protection in relation to the introduction of a Public Services Card. Having considered the information provided in the course of that correspondence, the DPC invoked her power under section 10 of the Data Protection Acts 1988 and 2003 to conduct an investigation which will examine the legal basis for processing personal data in connection with the PSC; the appropriateness of envisaged security measures; and the satisfaction of transparency obligations in relation to the information provided to the public in respect of the PSC. The findings of the investigation are expected in the first half of 2018.
The DPC also noted that her office receives many complaints in circumstances where data protection rights are not the appropriate means of dealing with the issue at hand. In particular, the Report cites a large volume of complaints relating to loan book sales, where individuals sought to assert data protection rights in connection with the transfers of loans relating to them. The DPC states that “in many of these cases, data protection law cannot resolve the issues at hand nor can it be used to prevent otherwise legitimate commercial transactions that were clearly provided for within the terms and conditions of the contractual relationship between the parties”.
11. Case Studies - The case studies included in the Report highlighted the wide ranging issues that the ODPC deals with including:
- The right to be forgotten: A search engine operator was requested to delist links to webpages containing articles alleging that the complainant individual had been removed from his position as a public official in connection with his involvement in potentially fraudulent activities. Although the search engine operator had sought to argue that the information was sufficiently serious to be in the public interest such that interference with the complainant’s right to be forgotten was justified, the ODPC found that this did not negate the obligation on the part of the operator to ensure that the relevant information was accurate, complete and up to date. Thus, in circumstances where the complainant could provide documentation demonstrating that he had been found not guilty in respect of all charges, the public interests justification did not suffice.
- Private investigators: As part of a wide ranging investigation into the Private Investigations sector, the Special Investigations Unit uncovered access by a particular company engaged in providing information to the insurance sector, to records held both on databases in the Department of Social Protection and on the PULSE database of An Garda Síochána. The company was charged with 37 counts of improper access to and disclosure of personal data under section 22 of the Data Protection Acts. Notably, the directors were separately charged with 37 counts of breaches of section 29 for their part in the offences committed by the company. This resulted in fines of €10,000 for the company with a further €10,000 being imposed on one of the directors.
- Data breaches resulting from employees’ failure to adhere to policy: A number of the case studies dealt with data breaches which occurred as a result of deviation by individual employees from the policies and procedures imposed by their employer. The decisions of the ODPC make it clear that a data controller is responsible for the actions of their employees in connection with the processing of personal data. The Report noted that the motive of an employee or the deliberate or accidental nature of the actions which they have undertaken in relation to personal data does not absolve data controllers of responsibility and highlighted the importance of appropriate quality control and oversight mechanisms to ensure adherence to data protection law.
- Access Requests and CCTV: An educational organisation released some but not all CCTV footage of an individual that it held in response to a request. When the requester followed up seeking the further footage, they were informed that it had been deleted as part of the controller’s policy of only retaining CCTV footage for 28 days. The DPC upheld the individual’s complaint, noting that they were not provided with all of the personal data to which they were entitled that was held by the organisation at the time of their first request. The Report states that this illustrates the DPC’s position, which is that upon receiving an access request relating to CCTV footage from a specific day, a data controller is obliged to preserve any such footage from that day until the access request is resolved.
Overall, the case studies presented in the Report, along with the activities outlined in the Report in general, highlight the pro-active approach of the ODPC towards compliance, and underline the importance for organisations of ensuring that all of their employees are aware of data protection requirements, and that practices and procedures which demonstrate compliance with data protection law are implemented in advance of the 25 May.