Commissioner Dixon gave a report on the work of the Office of the Data Protection Commissioner (ODPC) for the year 2015, and outlined the priorities of her office for 2016, in a presentation to delegates attending the National Data Protection Conference on 28 January 2016.
The Commissioner remarked that key developments in 2015 included political agreement, after four years of negotiations, on the language of the General Data Protection Regulation (GDPR), as well as the Court of Justice of the European Union (CJEU) 'moving on' from the Costeja and Digital Rights decisions to deliver judgment in Schrems, which invalidated the Safe Harbour regime.
Expansion of resources
In terms of priorities for 2016, the expansion of resources of the ODPC was identified as a key issue, with the recruitment of legal staff and technical specialists ongoing. The ODPC is hiring new lawyers, additional audit staff, and has hired a new communications director, as well as additional personnel to manage the call centre. The aim is a better quality of response and specific guidance, to be offered in a shorter timeframe. The ODPC is also moving to a new premises in Dublin City Centre, with the aim of having the fit-out work completed in mid-2016. The Commissioner also indicated the ODPC was aiming to increase the number of targeted audits and technical audits, hoping for greater visibility in relation to the audit work and outcomes.
New Guidance and Website Overhaul
Referencing additional work done by the ODPC in 2015, the Commissioner pointed to the new guidance issued in relation to drones and body-worn cameras, with the guidance on drones pointing out that their use is regulated by the Irish Aviation Authority. Updated guidance in relation to CCTV was issued by the ODPC in 2015. The Commissioner also commented that 'right to be forgotten' issues were a regular focus of the ODPC.
The Commissioner re-stated her commitment to an overhaul of the website of the ODPC. This overhaul is to be matched with new, specific guidance, as well as reproducing more streamlined guidance. Initial results on this project are expected before the end of quarter 1 of 2016.
The Commissioner also focused on emerging trends and issues, for example the current challenges in relation to the development of 'big data' and ensuring that big data is not used to produce results which were 'not anticipated by data subjects' when the data was collected.
Health data is also an area of interest in 2016, with the lifestyle and fitness sector and applications such as 'FitBit' using and analysing data far more. The increase in the number of Irish people who are 'getting active' is a prime source of new data for the health industry, with the potential for analysis of when people exercise, as well as how and where they do so.
Audit of Insurance Companies
Commissioner Dixon referenced the relatively recent practice engaged in by insurance companies whereby smaller premiums are charged in exchange for drivers agreeing to 'telematics' boxes in their cars collecting data about the driver's driving ability. She said that data subjects must be made aware of what they are really getting in exchange for the lower premium, as in what data is collected, what conclusions are drawn from this and which third parties it is being shared with. Commissioner Dixon indicated that insurance companies which collect data from telematics boxes are highly likely to be subjected to an ODPC audit in 2016.
The Commissioner, staying with emerging practices, discussed wifi tracking, e.g. when a data subject signs up to airport wifi, and noted that high-level analytics were possible when this wifi tracking was combined with smart video analysis. She noted that guidance from the Article 29 Working Party dealing with wifi tracking is imminent, recommending at a minimum sufficient notice and signage.
Speaking more generally, Commissioner Dixon explained that effective security is of huge importance. Encryption is not the full answer. It has to be the right encryption, at the right time, and in the right place, maintaining an appropriate encryption over the life cycle of the holding of the data. She also indicated that the ODPC will issue advice in respect of third party security 'keyholders'.
Regulation of social media
The ODPC is continuing to regulate social media. In 2015, recommendations were made following consultations with Facebook, which primarily focused on subject access requests (and the extent of information which could be delivered) and cross-device opt-outs.
The Commissioner discussed her participation in a think tank in Oxford University in 2015. Discussions focused on how the data protection authorities were the actual enforcers of the many obligations under the law, and as such, the regulators have a significant responsibility as regards the interpretation of high-level requirements.
Special Investigations Unit
A Special Investigations Unit within the ODPC has also been established. This unit has a particular focus and the Commissioner referenced one of the prosecutions recently commenced and facilitated by the unit, against a firm of private investigators in Tuam. She also noted that the unit is providing assistance to the Office of the Information Commissioner in the UK, in connection with its investigations in the same field.
Public Sector Data Protection Compliance
Commissioner Dixon concluded by calling on the Irish public sector and public bodies to achieve a greater level of compliance with data protection law. She said that there should be improvements to the legislative process, including greater analysis and consideration of data protection principles. She noted that if a public body is to interfere with data protection rights, this must be provided for by law, proportionate, necessary and in the general interest. These restrictions are in place because interference with data protection rights constitutes an interference with fundamental rights. There is often a limited analysis of data protection issues in the drafting of legislation. In this regard, the Commissioner again referenced the Schrems decision, noting that the CJEU struck down a legislative instrument, showing that interferences should not be presumed to be permissible simply because they are prescribed by legislation.
Preparing for the GDPR
The Commissioner discussed the work for the ODPC in preparing for the GDPR, which includes working with the ODPC's European counterparts to prepare for the evolution of the Article 29 Working Party into the European Data Protection Board. The implementation of the 'one stop shop' and the relevant consistency mechanism will require much consultation and work.
But before the GDPR…
In the meantime, the Article 29 Working Party is continuing to address current issues, such as the status of 'binding corporate rules' and 'model contract clauses' in the aftermath of the Schrems decision. The Article 29 Working Party has been analysing these mechanisms and their legality in intensive meetings over the past 8 weeks and a statement of guidance in respect of these mechanisms is expected imminently.
The Commissioner's report was an informative update providing an overview of the breadth of issues that the ODPC is currently dealing with, while at the same time presenting the immediate challenges which lie ahead for the ODPC, including the inherent challenges associated with emerging technologies and the progression of the GDPR into law.