The Data Protection Commission ("DPC") recently published its Annual Report for 2022. The Report looks back on the DPC's regulatory activity over the past year. 2022 was a significant year for the DPC in terms of enforcement of the GDPR. The DPC imposed in excess of €1 billion in fines, as well as multiple reprimands and compliance orders. The Report reveals some interesting trends and statistics. It discusses complaints and breach notifications received; the Irish and EU-level litigation to which the DPC is a party; and the 17 large-scale statutory inquiries it completed in 2022, as well as ongoing inquiries. It also includes 20 interesting case studies which illustrate the approach taken by the DPC in relation to a range of data protection compliance issues.
In this article, we look at some of the key highlights of the Report.
The handling of individual complaints is a high-volume area of the DPC's remit. Last year, the DPC received 2,700 complaints under the GDPR, and 10 complaints under the Data Protection Acts 1988 and 2003.
Top 5 Complaints
The right of access continues to give rise to the largest number of complaints to the DPC annually. Of the 2,710 complaints received, 42% concerned access requests. However, the Report notes that there has been a marked improvement in the response of public sector bodies to access requests, likely due to Data Protection Officers ("DPOs") gaining experience in this area and the implementation of improved procedures by these bodies. The remaining top five categories of complaints concerned fair processing (14%), the right to erasure (10%), direct marketing (9%) and disclosure issues (7%). Where possible, the DPC endeavours to resolve individual complaints amicably, as provided for in Section 109(2) of the Data Protection Act ("DPA") 2018.
In the period between the GDPR coming into force on 25 May 2018 and the end of 2022, the DPC received 1,205 GDPR cross-border complaints as Lead Supervisory Authority. 854 (71%) of these complaints were concluded by the end of 2022. The Commissioner, in her foreword to the Report, notes that the operation of the one-stop-shop ("OSS") procedure in these matters often "does not serve individuals well" as a result of the "unnecessarily protracted process" involved. The Report provides the example of a complaint lodged by an Irish citizen with the DPC about a German company, which, despite the simplicity of the issue at hand, took more than three years to resolve. The DPC states that the OSS process "requires examination by legislators to improve the timeliness and appropriate handling of decisions for EU citizens".
Direct Marketing Complaints
The DPC continued to actively investigate and prosecute offences relating to electronic direct marketing under the ePrivacy Regulations 2011 (S.I. 336/2011). The DPC received 205 new complaints in relation to electronic direct marketing in 2022. A total of 207 electronic direct marketing investigations were concluded by the DPC in 2022 (2 of which originated in 2020, 50 in 2021 and 155 in 2022). The DPC prosecuted two companies (a telco and a publishing house) in respect of four separate charges of sending unsolicited marketing communications without consent. The court imposed convictions on all charges and fines totalling €6,500.
Data Breach Notification
In 2022, the DPC received 5,695 valid personal data breach notifications under Article 33 GDPR. Interestingly, despite the rise in cybercrime over the last year, this number represents a 13% decrease on the GDPR data breach numbers reported in 2021. The reduction in breach notifications may indicate that organisations are becoming more wary of reporting data breaches, given the risk of investigations, enforcement, fines and compensation claims that often follow notification. Indeed, the Report notes that the DPC monitors breach notifications with a view to both identifying trends and informing potential inquiries. A review of the domestic inquiries completed by the DPC last year also reveals that the majority of these inquiries were initiated following the DPC's receipt of personal data breach notifications (see 'Enforcement and Fines' below).
In keeping with previous years, the "top ten" organisations with the highest number of breach notifications recorded against them were public sector bodies and banks, with insurance and telecoms companies featuring prominently in the top twenty. The DPC found that the largest category of data breaches notified to the DPC concerned unauthorised disclosures affecting one individual or a small number of individuals. In addition, 62% of these unauthorised disclosures arose as a result of correspondence inadvertently being misdirected to the wrong recipients (by post, email or otherwise). The DPC noted that poor operational practices, human error and autofill options on email address bars gave rise to many of these breach notifications.
The DPC received a total of 105 valid data breach notifications under the ePrivacy Regulations 2011 in 2022. This represents a near three-fold (176%) increase on the number of ePrivacy breach notifications for the same period in 2021.
The Report attributes the increased number of breaches notified to the DPC under the ePrivacy Regulations 2011 to changes in legislation. The new European Union (Electronic Communications Code) Regulations 2022 (S.I. 444/2022) expand the definition of "electronic communications service" to bring "over the top" service providers, such as messaging services, within the remit of the ePrivacy Regulations 2011. Regulation 4 of the ePrivacy Regulations 2011 requires services falling within its remit to report data breaches to the DPC within 24 hours. Whilst the 2022 Regulations have not yet been commenced, it appears that affected companies are already adapting their data breach policies and procedures to comply with the ePrivacy Regulations 2011.
Enforcement and Fines
Although the DPC has been criticised in the past for the slow progress of its statutory inquiries, the Report notes that two-thirds of fines issued across Europe last year were issued by the DPC. Summaries of these decisions are available in the Report and on the DPC's website.
Cross-border Inquiries concluded in 2022
The DPC concluded 17 statutory inquiries last year, nine of which resulted in a fine being issued, along with reprimands and compliance orders in certain cases. The five largest fines were imposed following cross-border inquiries into Meta and its Instagram service, ranging from €17 million to €405 million for various infringements of the GDPR. The DPC also imposed reprimands on Twitter and Airbnb for requesting excessive identity verification documentation, and processing such documentation without a lawful basis, when individuals made erasure requests.
Domestic Inquiries concluded in 2022
The four remaining fines were imposed following domestic inquiries into organisations that had notified the DPC of a data breach following a cyber-attack or inadvertent unauthorised disclosure of data, including Slane Credit Union (€5,000), Bank of Ireland (€463,000), Virtue Integrated Elder Care (€100,000) and Fastway Couriers (€15,000). In addition, a reprimand (but no fine) was imposed on an unnamed Consultancy Provider following a data breach notification. In all of these cases, the DPC found that the organisations had not implemented security measures appropriate to the risk profile of the data processed, in breach of Article 32 GDPR.
Further domestic inquiries were commenced in relation to the PIAB, Allianz, and Ark Life following data breach notifications to the DPC, but no GDPR infringements were found to have occurred. In particular, the DPC found that Allianz and Ark Life had complied with Article 32(1) GDPR by: (i) implementing policies which were specifically tailored to the risks associated with the processing; (ii) implementing repeated training to sectors of the business which were most susceptible to personal data breaches; and (iii) taking proactive measures to counter the increasing risk profile of some business units by implementing additional security measures after some of the personal data breaches occurred.
A reprimand was also issued in respect of the Pre-Hospital Emergency Care Council for failure to designate a DPO, failure to publish the contact details of the DPO, and failure to communicate those details to the DPC.
Appeals against cross-border DPC decisions
The Report notes that a number of concluded cross-border DPC decisions have had legal proceedings lodged against them by the relevant entity, including appeal and judicial review proceedings in Ireland. In addition, the relevant entities have also, in a number of cases, lodged annulment proceedings against the EDPB decisions that informed the adoption of the final decision by the DPC.
A decision of the General Court of the CJEU (T-709/21) in December 2022 found WhatsApp's application for annulment of the EDPB decision of July 2021 to be inadmissible, on the grounds that WhatsApp lacked the necessary standing to make the application. Accordingly, the Report highlights that the law, as it now stands, does not permit EDPB decisions to be directly challenged by the complainant or controller parties. Instead, such parties must apply to the Irish High Court, as part of their appeal against the DPC's Final Decision, to make a preliminary reference to the CJEU concerning the validity of the EDPB decision. The DPC states that the OSS in its current form "has created something of a legal maze that requires constant navigation, building an ever more complex landscape for litigators".
As of 31 December 2022, the DPC had 88 statutory inquiries ongoing, including 22 large-scale cross-border inquiries. A number of these inquiries are reportedly close to completion, so we can likely expect more decisions and fines in the coming months.
Engagement & Supervision
Over the past year, the DPC continued to engage with public and private sector organisations, as part of its supervisory role, to identify, at a high level, data protection concerns in relation to the launch of new products and services, and to ensure organisations are aware of their compliance obligations and potential problems in advance of the roll-out of such products and services. The DPC warns, however, that it may take enforcement action against a particular organisation in the context of such engagement, if it appears necessary to do so.
The DPC received 322 consultation requests during 2022, 42% of which involved the public sector, 41% the private sector, 2% the multinational tech sector, and 11% the health sector.
The Report notes that DPC engagement with the multinational technology sector included, for example, the DPC engaging with TikTok in regard to its proposed change of lawful basis for personalised advertising for users aged 18 and over, from consent to legitimate interest. TikTok agreed to pause the change in lawful basis to allow for further assessment by the DPC and other EU/EEA DPAs of the justification for relying on legitimate interests. In addition, the DPC engaged with several technology companies to review their policies, procedures and technologies relating to the processing of personal data for the purpose of combating online child abuse material, and made a number of recommendations regarding transparency, retention and purpose limitation.
Written Judgments involving the DPC
The Report sets out nine cases involving the DPC in which judgments were issued last year. These cases include, for example, the Court of Appeal's decision in Doolin v DPC. In that case, the court held that an employer's use of CCTV footage for disciplinary purposes constituted unlawful further processing, in circumstances where the CCTV policy stated that images were recorded for security and health and safety purposes. The case highlights the importance of having clear policies and procedures in place for processing personal data relating to employees, particularly in relation to CCTV footage. Organisations must carefully consider the purpose(s) for which they are collecting personal data, and ensure these purposes are clearly set out in the organisation's data protection policy and are communicated to employees and/or other data subjects whose personal data is collected.
Another case, Director of Corporate Enforcement v DPC, shows the importance of the DPC applying fair procedures when reaching its decision. In that case, the Circuit Court held that when the DPC delivered its final decision, it did not give the ODCE fair notice of certain amendments it had made to a draft version of the decision previously shared with the parties. Following the court's ruling, the complaint was remitted to the DPC so that it could receive further submissions from the parties in relation to the amendments in question, and then prepare a revised decision to take account of same.
The Report further notes that compensation cases in the EU are continuing the same trend as the last few years, with only conservative awards, if any at all, made by Member State courts where cases have progressed to hearing. The first civil action for compensation under section 117 of the DPA 2018 proceeded to hearing in Ireland last year, and followed this trend. SIPTU members took a case against their Union, in circumstances where the Union had inadvertently sent an email with the names and addresses of the claimants to a group of 212 other SIPTU members. The Circuit Court dismissed the case, finding that proof of more than minimal loss was necessary, and that no evidence was presented of any actual loss suffered by the claimants resulting from the email distribution. The SIPTU members who took the case against the Union were also ordered to pay its costs.
In a separate case, not discussed in the Report, the Irish Circuit Court stayed a compensation claim for non-material damages allegedly suffered as a result of a breach of the GDPR, pending six decisions awaited from the Court of Justice of the European Union ("CJEU") relating to non-material damages (previously discussed here). The Circuit Court held it was necessary to stay the claim in order to avoid the risk of irreconcilable judgments. It seems likely that other compensation claims for non-material damages under the GDPR will be similarly stayed by the Irish courts pending the determination of these preliminary references by the CJEU.
The Report highlights that a number of important data protection decisions were issued by the CJEU in 2022, such as a decision which significantly broadens the interpretation of when special category data is processed (previously discussed here). The CJEU also repeated in a number of decisions last year that EU law precludes the general and indiscriminate retention of traffic and location data relating to electronic communications for the purposes of combating serious crime (discussed here).
What's ahead in 2023?
We will likely receive further legal certainty in the year ahead on some key articles of the GDPR, as a number of Member State court cases filter up to the CJEU. The Report notes that the volume of preliminary references from Member State national courts to the CJEU on issues not considered "acte clair" under the GDPR has continued to increase with around 45 cases currently pending at the CJEU.
We will also see more big decisions from the DPC as it concludes further cross-border inquiries, along with more data protection litigation involving the DPC. In addition, as the Report notes, we will see the entry of new regulators of digital platforms onto the pitch, as certain provisions of the Digital Services Act, Digital Markets Act, and the Online Safety and Media Regulation Act come into force.