The Data Protection Commission (DPC) has published a two year Regulatory Activities Report, which reviews the range of its regulatory tasks from 25 May 2018 to 25 May 2020.
The Report notes that the purpose of the two-year assessment is “to provide a wider-angled lens through which to assess the work of the DPC since the implementation of the GDPR; in particular, to examine wider datasets and annual trends to see what patterns can be identified.”
Enforcement Activities
The DPC has carried out the following enforcement activities since 25 May 2018:
- opened 24 cross-border inquiries and 53 national inquiries;
- issued its first GDPR fines, along with reprimands, against an Irish state agency, Tusla;
- sent its first major-scale Article 60 Draft Decision in relation to Twitter to the EDPB;
- exercised its reprimand and corrective powers against An Garda Síochána;
- issued an enforcement notice regarding use of the Public Services Card on the DEASP (currently under appeal);
- issued 59 section 10 decisions under the DPA 1988, as amended;
- concluded nine litigation cases in the Irish courts;
- applied to the Irish High Court to refer questions regarding the validity of the Standard Contractual Clauses to the CJEU (due to be heard by the CJEU on 16 July 2020);
- brought about the postponement or revision of six planned big tech projects with implications for the rights and freedoms of individuals;
- successfully prosecuted 11 companies for a combination of 42 offences under the ePrivacy Regulations 2011; and
- handled 66 Law Enforcement Directive (LED) complaints;
- received 746 complaints from peer DPAs in which the DPC has been identified as Lead Supervisory Authority; and
- received 124 formal and voluntary mutual assistance requests (not complaint related).
The Report contains 19 case studies, which demonstrate the type of suspected data protection infringements the DPC has investigated and provide guidance to entities in similar situations. The case studies cover issues such as: inadvertent disclosure; fair obtaining and retention of personal data; data subject access requests (DSARs) for a retailer’s CCTV footage, as well as for personal correspondence with a state agency; insufficient security measures; data minimisation and AML; excessive processing of personal data for insurance purposes; location tracking; and voice data.
Supporting Individuals and Industry
From 25 May 2018 to 25 May 2020, the DPC:
- received in excess of 40,000 emails, 36,000 phone calls and 8,000 postal contacts (concerning information/advice or ongoing cases);
- opened 15,025 cases in support of individuals’ rights (concluded 80% of cases opened; 22.62% of cases logged concerned DSARs; 7.96% of cases were amicably resolved);
- received 12,437 breach notifications (94.88% concluded, and 93% fell within scope of the GDPR); and
- reduced conclusion times for cases (the average number of days taken to conclude a case or query fell by 53% over two years; the average from 1/1/2020 to 25/5/2020 was 26 calendar days).
Breach Notifications
The most frequent cause of breaches reported to the DPC was unauthorised disclosure (80%), whether by digital, verbal or other manual means. Human error is at the root of far more reported breaches than phishing, hacking or lost devices (5.6% collectively). The Report states that many of the breaches the DPC examined could have been prevented by the data controller introducing more robust technical and organisational measures, with the processes for testing, assessing and evaluating those measures overseen by the Data Protection Officer (DPO). This is a lesson the DPC will be reinforcing going forward.
At present, the DPC's workload in the breach area is heavily influenced by the need to engage with organisations to address elementary processing failings, which are occurring at a very basic level.
As we move forward in time, the DPC expects to see changed behaviours amongst its regulated entities, resulting in a reduction in the volume of breach notifications that can be attributed to a lack of due care and attention.
Trends
The most frequent GDPR topics for queries and complaints have consistently been: DSARs; fair processing; disclosure; the right to be forgotten (delisting and/or removal requests); direct marketing; and data security.
The Report states that figures indicate that the DPC is dealing with high volumes of cases that are potentially resolvable at a data controller and data protection officer level.
Cookies
The Report notes that the DPC will allow a period of six months from the date of its publication of Guidance on Cookies (issued on 6 April 2020) for controllers to identify any areas of non-compliance and to bring themselves into compliance.
After 5 October 2020, the DPC will commence enforcement action against controllers who fail to comply. Such action will include enforcement notices under the ePrivacy Regulations 2011 and, where the controller is processing personal data resulting from its use of cookies, the DPC will use its powers under the GDPR and the Data Protection Act 2018 to initiate inquiries and investigations and to carry out inspections where required.
DPOs
In the two years since the introduction of the DPO role, there have been 1,823 DPOs registered with the DPC.
The Report notes that there is a prevailing sense of disconnect between the role of the DPO as described in the GDPR and its manifestation in reality. Many DPOs reported feeling isolated in their role, under resourced and solely accountable for the activities of the data controller. Data controllers, in their turn, reported confusion regarding the necessary qualifications for DPOs and the way in which DPOs were to be incorporated into planning and operations. For many organisations, the role of DPO was not bedding down in a harmonised way.
The Report states that the “introduction of DPOs was not intended to stymie business, but rather to facilitate the provision of a critical friend – bespoke to the needs of an organisation – to ensure that business could progress in a compliant manner”.
The DPC intends to commence enforcement action against those organisations that are required by the GDPR to appoint a DPO and have failed to do so. This enforcement action will also encompass organisations where a DPO has been appointed but the appointment has not been notified to the DPC in accordance with Article 37 GDPR.
LED Complaints
66 LED complaints have been handled by the DPC since the LED came into force in May 2018, as transposed by the Irish Data Protection Act 2018. The majority of complaints handled concerned An Garda Síochána and its alleged failure to provide all of an individual's personal data in response to a DSAR, in addition to complaints regarding driving penalty notices, traffic accidents and CCTV footage.
Conclusion
The last two years of its regulatory life have been extraordinarily busy for the Data Protection Commission. The DPC, in moving forward with its regulatory remit, is committed to upholding individuals’ data protection rights and ensuring that all organisations within its purview comply with the principles that underpin the GDPR.