Ireland’s Data Protection Commission (DPC) published its annual report on February 28, 2019, covering the period from May 25, 2018 (the date that GDPR came into effect) until the end of the 2018.
For a variety of reasons (including that many large multinational tech firms have located their EU headquarters in Ireland), the DPC has become somewhat of a hub for EU privacy complaints and other activities. While the DPC’s report contains a lot of interesting information, the statistics regarding the DPC’s activities over the first seven months under the GDPR are of particular interest, especially given the significant role the DPC plays in EU privacy oversight and enforcement.
Full details can be found in the report itself, but here is a summary of some of the items that we found to be most interesting:
- Data Breaches: 3,452 valid data security breaches were recorded by the DPC during the reporting period.
- This represents a 27% increase on the numbers reported in 2017.
- The largest single category of data breach notifications was “unauthorized disclosures”, consisting of 85% of all notifications. The next three largest categories were: paper lost (5.3%), hacking (3.1%) and phishing (2.9%).
- 38 of the breaches related to 11 multinational technology companies.
- Although there were 3,452 valid data security breaches recorded by the DPC, only 48 data-breach complaints from affected data subjects were handled by the DPC (most of which concerned the personal data of an individual being issued to another third party in error, though several concerned more systemic breaches).
- Increase in number of Complaints: During the reporting period, the DPC received 2,864 complaints. This is a significant increase relative to pre-GDPR levels.
- Access Rights Complaints Dominate: The most common type of complaint received by the DPC was in relation to access rights, which constituted 34% of all complaints.
- Cross Border and Multinational Complaints: 22% of GDPR complaints received by the DPC were multinational complaints. Further, 136 of the complaints were originally lodged with other EU data protection authorities but were transferred to the DPC as the lead supervisory authority. These numbers confirm that the DPC continues to play a central role in cross-border oversight and enforcement in the EU.
- Amicable Resolution: Most complaints continue to be “amicably resolved”, with only 18 formal decisions being rendered by the DPC.
- Binding Corporate Rules: The DPC is acting as lead reviewer in relation to 11 Binding Corporate Rules applications (and acted as co-reviewer on 8 others), and expects to issue approvals on a number of these in the first half of 2019.