The Data Protection Commission (“DPC”) recently published its first Annual Report, detailing its activities between 25 May 2018 (the day it came into being as a successor to the Data Protection Commission) and 31 December 2018 (the “Report”). The period was marked by the application of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) across the EU and the commencement of the Data Protection Act 2018 (the “2018 Act”) in Ireland. Over the course of 2019, the DPC is expected to conclude high-profile inquiries into the data processing activities of Facebook, WhatsApp, Instagram, Apple, Twitter and LinkedIn and to adjudicate on key issues affecting not only multinational tech companies headquartered in Ireland but all controllers and processors who are subject to the jurisdiction of the Data Protection Commission. It remains to be seen whether the DPC will levy any administrative fines or exercise other corrective powers in connection with these inquiries or otherwise.

Key issues and developments described in the Report include:

Update on the DPC

The Report lists the following as the core functions of the DPC in the light of the GDPR and the 2018 Act:

  • driving improved compliance with data protection legislation by data controllers and processors;
  • handling complaints from individuals in relation to the potential infringement of their data protection rights;
  • conducting inquiries and investigations regarding potential infringements of data protection legislation;
  • promoting awareness among organisations and the public of the risks, rules, safeguards and rights in relation to processing of personal data; and
  • co-operating with data protection authorities (“DPAs”) in other EU member states on issues such as complaints and alleged infringements involving cross-border processing.

The DPC’s funding has been raised significantly (€1.7 million in 2013 to €11.7 million in 2018), acknowledging the expanding role it plays as one of the leading DPAs in the EU.

Following a major recruitment campaign in 2018, 30 new staff had joined the DPC by the end of December, with a further 20 new recruits in early 2019, bringing the total workforce to 135. It is anticipated that the DPC will increase its staffing by a further 30 recruits over the remainder of 2019.

The Report also notes that in early Q2 of 2019, the DPC will launch a consultation on a five-year regulatory strategy allowing broad stakeholder input.

The Numbers

Part 2 of the Report sets out the following key facts and figures for the period:

  • 2,864 complaints were received by the DPC (1,928 under the GDPR regime) with the largest single category of complaints relating to “Access Rights”;
  • While the majority of complaints continued to be resolved amicably, the DPC issued 18 formal decisions (13 complaints upheld; 5 rejected);
  • 32 complaints were investigated under the ePrivacy Regulations (S.I. 336 of 2011) regarding electronic direct marketing: 18 related to email marketing; 11 related to SMS marketing; and 3 related to telephone marketing;
  • Prosecutions were concluded during this period against 5 entities in respect of a total of 30 offences under the ePrivacy Regulations;
  • 136 cross-border processing complaints were received by the DPC through the one-stop-shop mechanism that were lodged by individuals with other DPAs;
  • 48 data breach complaints were handled by the DPC from affected data subjects;
  • 3,452 valid data security breaches were recorded with the largest single category being “Unauthorised Disclosures”;
  • 15 statutory inquiries were opened in relation to multinational technology companies’ compliance with the GDPR;
  • Regarding the multinational technology sector, the DPC received 16 requests, both formal and voluntary, for mutual assistance from other EU DPAs;
  • The DPC received 900 Data Protection Officer notifications.

Complaints

Part 3 of the Report sets out what constitutes a ‘complaint’ under the GDPR and the 2018 Act and includes a breakdown of complaints by type. The Report notes that under the GDPR regime, most complaints relate to ‘Access Rights’ (582 complaints), while complaints relating to ‘Multinational Complaints – Other’ and ‘Unfair Processing of Data’ account for 22% and 15% of the overall complaints respectively.

The Report includes several case studies relating to the amicable resolution process under the 2018 Act, pursuant to which the DPC, where it considers there is a reasonable likelihood of the parties to a complaint reaching an amicable resolution within a reasonable timeframe, may take steps to arrange or facilitate the amicable resolution of a complaint.

Data Breach Notifications

Since 25 May 2018 a new mandatory breach notification obligation has applied to all organisations that are data controllers. Part 4 of the Report notes that these now account for most breach notifications received by the DPC.

Between 25 May and 31 December 2018, the DPC received 3,687 data-breach notifications under Article 33 of the GDPR, of which 145 cases (4%) were classified as non-breaches as they did not meet the definition of a personal data breach as set out in Article 4(12) of the GDPR. A total of 3,542 valid data protection breaches were recorded by the DPC during the same period, representing an increase of 27% (747) on the numbers reported in 2017.

Special Investigations

Work continued between 25 May and 31 December 2018 on the DPC’s special investigation of the Public Services Card and its registration process. As noted in the Final Report of the Office of the Data Protection Commissioner, a draft 138-page report was issued to the Department of Employment and Social Protection (the “Department”) for comment in August 2018. The draft report contained 13 provisional findings as well as 17 requests for further information. Submissions and further information were received from the Department in late 2018. The DPC’s examination of the extensive submissions and materials (comprising some 470 pages) from the Department is ongoing.

In June 2018, the DPC, through the Special Investigations Unit (“SIU”), opened 31 own volition inquiries under the 2018 Act into surveillance of citizens by the state sector for law-enforcement purposes through the use of technologies such as CCTV, body-cams, drones and other technologies. The Report notes the purpose of these inquiries is to assess whether the processing of personal data that occurs in those circumstances is compliant with data protection law.

Two inquiries were initiated by the DPC between 25 May and 31 December 2018:

  • TUSLA: the DPC launched an inquiry under the 2018 Act into the large number of data breaches which have occurred in TUSLA, many of which involved special categories of personal data. The inquiry will look at whether appropriate organisational and technical measures are being implemented by TUSLA under the GDPR.
  • Department of Employment Affairs and Social Protection: The DPC also initiated an inquiry into allegations of infringement of Article 38 (Data Protection Officer) of the GDPR by the Department of Employment Affairs and Social Protection.

Technology Multinationals Supervision

The DPC acts as lead supervisory authority under the GDPR one-stop-shop mechanism for numerous data-centric multinational companies with EU headquarters situated in Ireland. As of 31 December 2018, the DPC had 15 statutory inquiries open in relation to multinational technology companies’ compliance with the GDPR. These inquiries can be commenced in response to complaints received by the DPC, in response to breaches notified to the DPC and at the DPC’s own volition having identified matters that warrant further examination. Companies being investigated include but are not limited to Facebook Ireland Limited, Twitter International Company, Apple Distribution International and Facebook Inc. Separate to complaint handling and inquiry processes, the DPC continues to place significant emphasis on proactive engagement with multinational companies.

The DPC issued 23 formal requests seeking detailed information on compliance with various aspects of the GDPR between 25 May and 31 December 2018.

A formal mechanism is available to data controllers under Article 36(1) of the GDPR for prior consultation with the DPC in circumstances where the organisation, having undertaken a Data Protection Impact Assessment on a new processing operation, has identified a high risk to the rights and freedoms of individuals that cannot be mitigated. The Report notes that there were no requests to the Technology & Multinationals division of the DPC under Article 36 for prior consultation in the period of 25 May 2018 to 31 December 2018.

Prosecutions by the DPC

Five entities were prosecuted for offences under Regulation 13 of the ePrivacy Regulations in respect of electronic direct marketing. The summonses for these five cases covered a total of 30 offences. Of the 5 prosecution case studies included in the Report, it is interesting to note that the decision to prosecute in 4 of the cases was on the back of prior warnings issued to the offending entity.

Update on Litigation

The DPC continued to contribute to a range of Circuit Court and High Court litigation relating to data protection principles and provisions. The following case is particularly worthy of note:

  • Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems: In April 2018, the High Court issued a request for a preliminary ruling from the CJEU in the context of a complex case about the validity of standard contractual clauses that allow for the transfer of personal data from the EU to the US. Facebook sought a stay on the reference to the CJEU pending an appeal of the making of the reference itself. The appeal against the reference was heard by the Supreme Court over 21-23 January 2019; however, the reference to the CJEU has not been stayed in the interim and is pending before the CJEU. According to the Report, the CJEU is expected to hear this case and deliver its decision later this year.

Binding Corporate Rules

Binding Corporate Rules (“BCRs”) aim to ensure organisations employ a global approach to data protection where the organisation consists of several subsidiaries located around the world. The DPC continued to act, or commenced acting, as lead reviewer in 11 applications for BCRs. It is expected that the DPC will issue approval decisions on a number of these applications in the first half of 2019 once the European Data Protection Board (“EDPB”) has given its opinion in accordance with the consistency mechanism set out in Article 64 of the GDPR. The DPC has also assisted other DPAs by acting as co-reviewer on 8 BCRs.

Between 25 May 2018 and 31 December 2018, the DPC was contacted by several companies who indicated that they were considering moving their lead authority for BCR purposes from the UK to Ireland in light of Brexit. Consequently, the DPC is anticipating an increase in the number of BCR applications to it during 2019.

DPC’s Consultations on Children and Regulatory Strategy

The DPC has launched a large-scale consultation around the processing of children’s data. The first stream was launched on 19 December 2018 and is open until 5 April 2019. This stream aims to engage adult stakeholders, including parents, educators, organisations that represent children’s rights, child-protection organisations, representative bodies for parents and educators, and organisations that collect and process children’s data. A second stream of the consultation was rolled out on 28 January 2019 in schools and Youthreach centres to gather the perspectives of children aged 8 to 16 on the issues. The consultation will look at the following:

  • how, when and in what contexts children may exercise their own rights independently of their parents or guardians;
  • the age at which children should be able to sign up to free apps in their own right;
  • how age should be verified by service providers; and
  • how parental or guardian approval should be sought and verified if required.

A best-practice guidance note reflecting the results of the consultation will be produced by the DPC.