Ireland’s new Data Protection Commissioner (the “DPC”), Helen Dixon, has issued her first annual report (the “2014 Report”). What do you and your business need to know about the DPC’s annual report? We look at five headline issues, including the DPC’s cooperation with global regulators, plans for upcoming audits and the expansion of the DPC’s staff and budget.
1. The DPC goes global
In 2014, the DPC actively engaged with her fellow EU data protection authorities (“DPAs”), as well as with DPAs from around the globe. These included Canadian, Australian and US authorities, with whom the DPC cooperated in relation to a global security breach. In the 2014 Report, the DPC has underlined the importance of the memoranda of understanding with these global DPAs, noting the efficiencies resulting from these arrangements. Given the growing cluster of US tech companies in Ireland, the DPC is aiming towards greater international cooperation and consultation. Indeed, one of Ms Dixon’s stated goals for 2015 is “to improve international cooperation … in particular with [her] Article 29 ‘Working Party’ counterparts”.
The DPC’s Office has traditionally carried out substantial audits of multinational technology companies. Ms Dixon’s predecessor, Billy Hawkes, led two of the Office’s largest and most detailed audits – those of Facebook Ireland and LinkedIn Ireland. Given the dedicated resources required for large-scale audits of multinational tech companies, the DPC has stated that a “scope-and-risk” based approach will be taken for upcoming audits. As a result, audits may focus only on particular areas of concern, rather than being organisation-wide reviews. This appears to have arisen from the constraints in dedicating staff to audit functions, alongside maintaining the Office’s day-to-day functions.
3. Continued ‘hands on’ approach
The 2014 Report details the extensive consultation and interaction that the DPC had with companies and organisations during 2014, particularly in the tech sector. The DPC acknowledges her position as “lead” regulator for the many multinational tech companies having headquarters or a significant presence in Ireland. Details of the DPC’s interactions with companies such as Facebook, LinkedIn, Adobe, Microsoft and Apple are highlighted. These engagements demonstrate the DPC’s on-going approach as a ‘hands on’ regulator. The 2014 Report suggests the DPC’s intention to continue this approach of proactive consultation and engagement with the breadth of companies under the DPC’s remit.
4. Cracking down on illegal subject access requests
2014 saw the introduction of rules against “enforced” subject access requests. These are requests for access to an individual’s information, which a current or prospective employer obliges the individual to make. The results are then used as a way of checking on the individual’s background – a form of “vetting by the back-door”. In the 2014 Report, the DPC has urged employers to examine their practices, reiterating her intention to focus on this issue in the coming year. The DPC has stated that she intends to “vigorously pursue and prosecute any abuse detected”.
5. Doing more with more
The DPC’s annual budget has been doubled to €3.65m, demonstrating the government’s recognition of the growing demands on the DPC’s Office. New staff members are currently being hired, with the Office intending to increase its headcount to 50 during 2015 (up from 29 in 2014). The DPC will also open a Dublin office this year, while maintaining its Portarlington base. Additionally, the appointment of a junior minister with responsibility for data protection further signals the importance attached by the government to Ireland’s role in this space.