The Data Protection Commission (DPC) published its annual report for 2020 last week.

The annual report details the DPC’s activities from 1 January until 31 December 2020 in monitoring, educating and regulating the application of data protection and e-privacy laws in Ireland.

The Commissioner’s foreword to the annual report notes that: “A headline feature of the GDPR in replacing the previous EU Directive were the dissuasive enforcement tools it offered to deal with cases posing significant risk to EU data subjects”. These new tools were brought to bear in 2020 as the DPC issued its first administrative fine in May 2020, levying two separate fines against an Irish state agency. On 15 December last, it also issued its first fine against a ‘big tech’ company.

Key highlights from 2020: the year in numbers

  • 2020 saw a 10% increase in personal data security breaches notified to the DPC against the previous year – a total of 6,628. The most frequent breach reported to the DPC was unauthorised disclosure which accounted for 86 per cent of notifications.
  • Of the total recorded breach cases noted above, 90% were concluded in 2020 (5,932 cases).
  • Individual data subjects submitted 4,660 complaints under the GDPR to the DPC.
  • The DPC handled a total of 10,151 cases in 2020, up 9% on the previous year’s figure of 9,337.
  • The DPC also received 354 complaints from peer Data Protection Authorities (DPAs) in which the DPC was identified as Lead Supervisory Authority under the GDPR.
  • By year end, 83 statutory inquiries were live which included 27 cross-border inquiries.
  • 14 judgments or final orders delivered on foot of proceedings, in which the DPC was involved.
  • The first administrative fine under the GDPR was issued in May and in December 2020, the DPC issued its first fine in a ‘big tech’ or cross-border case, fining Twitter International Company €450,000.

Trends for 2021

Misuse of data protection law: The DPC highlighted “an unwelcome trend” persevere over the past year where either through genuine confusion or “misuse the GDPR to obfuscate or pursue other agendas” inaccurate assertions are made by organisations and individuals on how and when the GDPR does and does not apply. One cautionary example provided by the DPC is deletion of CCTV footage by an organisation after it is on notice of an access request for that footage and the organisation claims the GDPR required the deletion every seven days.

Litigation concerning Standard Contractual Clauses: In July 2020, the Court of Justice delivered judgment in proceedings referred from the High Court, which involve the DPC, Facebook and Maximillian Schrems. The Court of Justice’s judgment, known as Schrems II (on which we have previously updated), held that the transfer mechanism used to underpin personal data transfers from the EU to the US (or any third country) must ensure “essentially equivalent” protections to those enjoyed in the EU are maintained. On foot of the judgment, the DPC initiated an inquiry into Facebook’s transfers to the US which is now the subject of a judicial review by Facebook. Judgment is expected this year and may further elaborate the law in the area of personal data transfers.

Cookies and tracking technologies: We previously updated on the expansion of DPC activity in cookies compliance and enforcement. In December 2020, the DPC served seven Enforcement Notices on organisations for non-compliance for infringements of the e-Privacy Regulations (SI 336 of 2011) such as failure to obtain valid consent for the use of cookies and for failing to provide clear and comprehensive information about the use of cookies on the websites concerned. In the report, the DPC reaffirms its commitment to investigations and enforcements in this area for 2021 and beyond.

Brexit: The European Commission’s short-term, temporary initiative (until 30 June 2021 at the latest) to provide for continued free flows of personal data between the EU and UK has eased the pressure on Irish organisations for the moment. The Commission has also last month published a draft adequacy decision on the UK for a longer-term transfer solution which will now be subject to the opinion of the European Data Protection Board (composed of the DPC and other European DPAs) and then approval from a committee composed of representatives of the EU Member States under what is known as the comitology procedure. Following which, the European Commission may adopt the final adequacy decision for the UK.