On 25 February 2021, the Irish Data Protection Commission (the “DPC”) released its Annual Report for 2020 (the “Report”), covering the period of 01 January 2020 – 31 December 2020. In a year which saw both the DPC’s staff numbers and its budget increase, the Commissioner for Data Protection, Helen Dixon, commented:
“The progress the DPC has made in 2020 provides a solid platform on which to build across our enforcement and complaint-handling functions in particular. The GDPR must be understood as a project for the now, but equally for the longer-term. The DPC intends to continue as a leader in its full implementation.”
This article sets out some of the main features of the Report. The full Report can be accessed here.
1. Highlights
1.1 In its press release publishing the Report, the DPC set out some highlights from the Report including:
- 10,151 cases handled in 2020, up 9% on 2019 figures (9,337).
- 4,660 complaints received in 2020 (down from 7,215 in 2019).
- 4,476 complaints in total were concluded in 2020 (down from 5,496 in 2019).
- 6,628 valid data security breaches were notified in 2020 (which is an increase of 10% on 2019), the majority relating to unauthorised disclosure and being the result of human error as opposed to any systemic issues.
- Over 35,000 contacts were received through the DPC’s Information and Assessment Unit, including 10,000 telephone calls and 23,200 emails.
- In May 2020, the DPC issued its first fines under the GDPR, levying two separate fines against an Irish state agency (TUSLA).
- The DPC triggered the EDPB’s Article 65 Complaint Resolution Mechanism, becoming the first supervisory authority to do so.
- In December 2020, the DPC issued its first fine in a cross-border case, fining Twitter International Company €450,000.
- 354 cross-border processing complaints were received by the DPC through the One-Stop-Shop mechanism.
- 147 new complaints were investigated under S.I. No. 336 of 2011 (E-Privacy Regulations) in respect of various forms of electronic direct marketing: 66 related to email marketing; 73 related to SMS (text message) marketing; and five related to telephone marketing. Prosecutions were concluded against six entities in respect of offences under the E-Privacy Regulations.
- The DPC opened an extensive consultation on its draft guidance on the rights of children as data subjects — Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing. That draft guidance is now available here.
- New guidance in relation to the use of cookies and tracking technologies was published (available here) and the DPC conducted an extensive public awareness campaign signalling its intention to begin follow-up enforcement action during Q4 of 2020. Enforcement Notices were served on seven organisations for non-compliance in December 2020.
2. Imposition of Fines
2.1 On foot of statutory inquiries, the DPC decides whether breaches of data protection law have occurred and may decide on the corrective action required to be taken, including the imposition of administrative fines. In May 2020, TUSLA became the first recipient of fines administered under the GDPR.
2.2 Over the course of 2020, fines were imposed on TUSLA, Kerry County Council, Waterford City & County Council, the HSE, Ryanair, Twitter, Groupon and UCD.
2.3 In December 2020, Twitter became the recipient of the first cross-border fine in relation to the company’s compliance with its obligations in respect of the notification and documentation of personal data breaches: a technical bug meant that, when users on the Android app changed their email address, private tweets became publicly visible. Twitter failed to promptly notify the DPC of the breach and, thus, breached Article 33(1) of the GDPR. Twitter also breached Article 33(5) by failing to adequately document the personal data breach. The €450,000 fine was, by some distance, the largest fine administered by the DPC in 2020.
2.4 With four separate fines, TUSLA were the most frequently fined organisation. TUSLA’s breaches related to (1) a failure to implement appropriate technical and organisational measures with regard to the redaction of confidential documents when sharing them with third parties (€75,000 fine), (2) a letter issued to a third party containing the identity of individuals who had made allegations of abuse (€40,000 fine), and (3) 71 breaches notified to the DPC regarding unauthorised disclosure of personal data – the breaches related to security of processing, the accuracy of data held by TUSLA, and a failure to promptly notify data breaches (€50,000 and €35,000 fines).
2.5 A final decision on whether WhatsApp has complied with its GDPR transparency obligations is expected soon and could result in a record-level fine being imposed on the Facebook-owned messaging service.
3. Key Projects
The Report also provides an overview of a number of projects undertaken by the DPC.
3.1 ‘Children Front and Centre’ – In December 2020, the DPC published a draft version of its guidance document, ‘Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing’, providing recommendations on how to enhance the level of protection afforded to children and their personal data. The issues addressed included the age at which children can exercise their own data protection rights for themselves, the role of parents / guardians in acting on behalf of their children, age verification, verification of parental consent and the rules governing the processing of children’s personal data for direct marketing, profiling, or advertising purposes.
3.2 Cookies Investigations Sweep and Enforcement – Following the DPC’s publication of its guidance on the use of cookies and tracking technologies, organisations were given a period of six months to come into compliance in respect of the cookies used on their websites or platforms. During this period, the DPC also conducted an awareness campaign on the topic. Arising from its investigations, the DPC then contacted 20 organisations to warn them that enforcement notices would be issued if compliance issues were not remedied within 14 days. Seven enforcement notices were subsequently served, relating to failures to obtain valid consent to the use of cookies and to provide clear and comprehensive information about the use of cookies. In the Report, the DPC also notes that more complaints and concerns are being raised by members of the public on the topic of cookies and tracking technologies.
3.3 Regulatory Strategy – The DPC continued to develop its strategy for regulation, covering the period from 2020 to 2025. The aim of the strategy is to ensure clarity in the regulatory process (whose rights are being protected and which organisations are being regulated) and to consider how the DPC can achieve the best possible results for the greatest number of people. In 2020 the DPC continued to engage with stakeholders in the development of the strategy. It also published its ‘Two-Year Activity Report’, which took stock of the reality of regulating since the GDPR came into force and highlighted issues that must be factored into the Regulatory Strategy.
3.4 The Arc Project – The Arc Project is an EU-funded partnership between the DPC, the Croatian Data Protection Authority and Vrije University in Brussels, running from March 2020 until March 2022. The project aims to increase compliance with data protection law across small and medium enterprises by using surveys, roadshows and conferences to gain a clearer understanding of the climate in which these enterprises operate.
4. Statutory Inquiries
4.1 At the date of publication of the Report, the DPC had 83 ongoing inquiries, up from 70 in 2019. Twelve of these inquiries involved Facebook, three involved Apple, three involved Twitter, two involved WhatsApp, two involved Google and one involved LinkedIn.
4.2 The main issues concerned the lawfulness of data processing, transparency and investigations into potential data breaches.
5. Complaints
5.1 The DPC received 4,660 complaints in 2020, down from 7,215 in 2019. The main areas of complaint were data subject access requests (27%), fair processing of personal data (26%), disclosure of personal data (12%), direct marketing (7%), and right to erasure (7%).
6. Brexit and COVID-19
6.1 As the end of the Brexit transition period loomed closer and the possibility of a no-deal Brexit appeared more likely, the DPC maintained ongoing engagement with impacted stakeholders who would need a legitimate mechanism to transfer data in and out of the UK. In December 2020, the Trade and Cooperation Agreement was signed between the EU, the European Atomic Energy Community and the United Kingdom. This Agreement provides, among other things, for data transfers between the EU and the UK and allowed a specific transition period of four months (extendable to six months) from 1 January 2021 during which transfers could continue as before. The four-month period ended on 30 April and was extended to allow the EU to adopt adequacy decisions in respect of the UK. On 19 February 2021, the European Commission published its draft decisions on the UK’s adequacy and found the UK to be adequate. The draft decisions have also been considered by the European Data Protection Board, which recently released two favourable opinions. The draft decisions are now being considered by a committee of the 27 EU Member Governments.
6.2 The DPC was also a vital consultant to the Government as a range of public health initiatives with personal data processing implications were introduced, including the COVID-19 contact-tracing app (which the DPC was pleased to see accompanied by a Data Protection Impact Assessment and the publication of the app’s source code) and the communication of COVID-19 PCR test results.
7. The focus for 2021
7.1 With increased resources comprising a team of 145 officers and an annual budget of €19.1m, the DPC will continue to focus on its role in cross-border statutory inquiries and collaborate with other data protection authorities in 2021. Enforcement measures will continue to take place, especially in the area of cookies, and the DPC will certainly expand its other regulatory activities in the areas of complaint-handling, codes of conduct and certification, and protection of children’s privacy.