On 28 February 2019, Ireland’s data protection supervisory authority, the Data Protection Commission (DPC), published its first annual report under GDPR (Report). The Report follows on from the DPC’s final pre-GDPR annual report and covers the period 25 May to 31 December 2018.
We take a look at some of the highlights and key issues in the Report.
The Report in numbers
The report contains some interesting statistics and year-on-year comparisons, in particular:
2,864 - the number of complaints made to the DPC. This represents almost an 86% increase compared to 2017.
35% - the portion of complaints relating to access rights. Access rights continue to be a key area of activity, but make up a smaller portion of overall complaints compared to 2017.
3,542 - the number of breaches that were notified to the DPC. This represents almost a 115% increase relative to pre-GDPR figures.
18 - the number of formal decisions issued by the DPC. 13 upheld the complaint and 5 rejected it.
11 - the number of Binding Corporate Rules (BCR) applications with the DPC as lead regulator.
900 - the number of Data Protection Officer (DPO) notifications received by the DPC.
135 - DPC headcount at the end of January 2019. This is up from 85 at the end of 2017 and 110 at the end of 2018. 30 more staff will be recruited in the remainder of 2019.
These numbers reflect an increase in individuals’ awareness and exercise of data protection rights, and the increased engagement between business and the DPC which has flowed from the GDPR.
The Report confirms the DPC’s role as a hub for cross-border privacy complaints: a new category, termed ‘multinational complaints – others’, makes up 22% of all GDPR complaints in the Report Period. This puts these complaints behind only access rights as the largest category of complaint. The DPC also dealt with 48 data breach complaints in the same period.
The Report sets out the DPC’s views on the new complaint-handling mechanism under the Data Protection Act 2018. Where an amicable resolution is not possible, the DPC is no longer legally obliged to make a formal, statutory decision. Instead, the DPC has a range of tools, including providing advice to the complainant, issuing statutory notices to controllers or processors, and opening statutory inquiries.
Technology Leadership Unit
In late 2018, the DPC established an advanced technology evaluation and assessment unit, the Technology Leadership Unit (TLU). According to the Report, the TLU’s objective is to support and maximise the effectiveness of the DPC’s supervision and enforcement teams, particularly with respect to risks arising from complex systems and technology. The TLU, in particular, produces guidance on technology and data protection, and has already published internal guidance on ePrivacy, internet protocols and portability, and ad tech. External guidance, training and outreach are planned in respect of AI and machine learning, ad tech, and device ID settings. In 2019, the TLU will carry out surveys, together with desktop studies, to understand data controllers’ compliance with GDPR.
The Report underlines the cross-border element of the DPC’s role. In anticipation of the DPC’s cooperation and consistency engagement with the European Data Protection Board (EDPB), a One Stop Shop (OSS) Operations team was established. The DPC received 136 cross-border processing complaints, which were originally lodged with other EU data protection authorities, through the new OSS mechanism. To manage this process, a new online data-sharing system, the EU IMI system, has been rolled out between the supervisory authorities.
During the Report Period, the DPC also received 16 (formal and voluntary) requests for mutual assistance from EU counterparts. These requests related to matters such as transparency, the interaction of GDPR and the ePrivacy Directive, and digital advertising in the ad tech sector.
The DPC opened 15 statutory inquiries in relation to the compliance of multinational technology companies with the GDPR. The inquiries were commenced on the basis of complaints received, in response to specific breaches notified, and, in certain cases, on the DPC’s own initiative. The investigations are expected to be largely concluded later this year. The DPC’s aim is that the results of these investigations will provide precedents for better implementation of GDPR principles across key aspects of internet and ad tech services.
The Report also highlights the DPC’s supervisory and engagement role. In particular, the DPC proactively engages with technology companies to better understand how they use personal data and the actions they have taken towards compliance. In the Report Period, the DPC issued 24 formal requests seeking detailed information on compliance.
In advance of the GDPR coming into force, the DPC established a Children’s Policy Unit. At the end of 2018, the DPC launched the first stream of a public consultation on the processing of children’s personal data and the rights of children under the GDPR. In the second stream, launched in early 2019, the perspectives of 8-16 year olds are being sought. Submissions are open until the extended date of 5 April 2019.
The consultation seeks insights on:
How, when and where children may exercise their own rights, independently of their parents
The age at which children should be able to sign up to free apps in their own right
How ages should be verified by service providers, and
How parental or guardian approval should be sought and verified, if required
The aim is to produce guidance material for children and young people, as well as the organisations that process their data.
DPC in 2019
The Report contains various references to the DPC’s intended activities during the remainder of 2019:
Rolling out a DPO network, offering the opportunities for peer dialogue amongst DPOs
Communicating with relevant organisations regarding their obligation to appoint a DPO under GDPR throughout the year
Building on efforts in 2018, continuing engagement with the private and financial sector, focusing in particular on transparency compliance and the challenges around the presentation and readability of customer notices and privacy policies
In cooperation with EU counterparts, continuing stakeholder engagement in relation to ad tech and the online advertising ecosystem
As always, the Report contains various case studies, which provide insights into the DPC’s approach to specific rights and obligations. The Report also documents court cases in which the DPC is a party, including prosecutions for direct marketing offences. The case studies cover matters including the scope of access requests, the disclosure of CCTV footage, and data breaches. In a follow-on post, we will provide comment and analysis on some of the key case studies in the Report.