On 1 May 2019, Ms Helen Dixon, the Data Protection Commissioner (DPC), appeared before the US Senate Committee on Commerce, Science and Transportation.  She was invited to testify on Ireland’s implementation of the GDPR, as the US is considering introducing a federal data privacy framework. California has already passed a new data privacy law, the California Consumer Privacy Act, which is due to come into effect on 1 January 2020. This note sets out some of the highlights of the DPC’s testimony.

Data Subject Complaints

The DPC shared her office’s experience in dealing with data subjects’ complaints under the GDPR. She noted, in particular, that:

  • In the 11 months since GDPR came into application, the DPC has received 5839 complaints from individuals. These complaints frequently come from individuals as a means of pursuing further litigation or action (e.g. ex-employees seeking access to their personal data as part of an unfair dismissals case, or individuals seeking access to CCTV footage to pursue personal injuries cases).
  • Many issues arising for individuals are being resolved directly through the intervention of the mandatorily appointed Data Protection Officer in the company before there’s a need to file a complaint with the DPC.
  • Overall, the most complained against sectors in a commercial context are: retail banks, telecommunications companies and internet platforms.
  • In the case of retail banks and telecommunications providers, the main issues arising relate to consumer accounts, over-charging, failure to keep personal data accurate and up-to-date resulting in misdirecting of bank or account statements, processing of financial information for the purposes of charging after the consumer has exercised their right to opt-out during the cooling-off period.
  • Other complaints concerned the requirement for financial lenders to notify details to the Irish Central Bank of credit given to individuals. Certain lenders notified the details twice resulting in adverse credit ratings for the individuals as they appeared to have 2 or 3 times the number of loans as compared to what they actually had.
  • In regard to internet platforms, individuals or not-for-profit organisations on their behalf, have raised complaints about the validity of consent collected for processing on sign-up to an app or service, the transparency and adequacy of the information provided and about non-responses from the platforms when they seek to exercise their rights or raise a concern.
  • The most frequent category of complaint relates to access requests where an individual considers they have been denied access to a copy of the personal data they requested from an organisation. Most of these complaints are resolved amicably by the DPC, with the individual receiving all of the personal data to which they’re entitled. This may be less than they originally sought, as an organisation may apply statutory exemptions where it is lawful to do so.

Clearer standards of data protection expected to evolve in coming years

The DPC expects that much of the GDPR’s success over the coming years will derive from the evolution of clearer, objective standards to which organisations must adhere. Ms Dixon said that these standards will evolve in the following ways:

  • Through the embedding of new features of the GDPR, such as Codes of Conduct, Certification, and Seals, that will drive up specific standards in certain sectors. Typically, Codes of Conduct that industry sectors prepare for the approval of EU data protection authorities (DPAs) will have an independent body appointed by the industry sector to monitor compliance with the code.
  • Through enforcement actions by the DPC where the outcome, while specific to the facts of the case examined, will be of precedential value for other organisations. The DPC currently has 51 (domestic & cross-border)  investigations open. The first set of investigations are expected to conclude during the summer of 2019.
  • Through case law in the national and EU courts, where EU DPA decisions are appealed or in circumstances where individuals use their right of action under the GDPR to claim compensation for material or non-material damage suffered as a result of a GDPR infringement.
  • Through the provision of further regulatory guidance, particularly through published case studies of individual complaints the DPC has handled, or following consultations with stakeholders.

DPC Prosecutions

  • The DPC also enforces e-Privacy laws, pursuant to the e-Privacy Directive, which applies in parallel to the GDPR. Her office annually prosecutes a range of companies for multiple offences. The majority of these prosecutions concern companies targeting mobile phone users with marketing SMS messages without their consent, and/or without providing the user with an OPT OUT from the marketing messages. Equally, a number of companies are prosecuted annually where they offer an OPT OUT but fail to apply it on their database resulting in the user continuing to receive SMS messages without their consent. As a result of several years of some high-profile prosecutions in this area, the DPC considers the rate of compliance is improving.
  • The DPC has also devoted considerable resources to a series of investigations into the “Private Investigator” sector. In the last 4-5 years, the DPC has prosecuted five companies and four company directors for bribing or “blagging” government officials, or utility company staff, to unlawfully procure personal information about individuals.

Judicial Redress 

  • In order to secure damages for data breaches, individuals have a right of action under Article 82 of the GDPR where they, or a not-for-profit representing them, can bring a case through the courts to seek compensation for material or non-material damage they have suffered as a result of infringements of the GDPR. The DPC noted that no Article 82 actions for compensation by individuals in the Irish courts have been heard yet, but such actions will provide further clarification on how the courts view the GDPR and its application.
  • While there are some reports emanating, particularly from the UK, that representative actions are being lined up by some law firms on a “no win no fee” basis post large-scale breaches being notified, the DPC stated that nothing of significance has yet materialised.

The full debate is available here.