Monday, April 8, 2019
AT A GLANCE
On 28 February 2019, the Irish Data Protection Commission (“DPC”) released its first annual report (the “Report”) under the General Data Protection Regulation (the “GDPR”). The Report relates to the period of 25 May – 31 December 2018, and details a dramatic rise in the number (and complexity) of complaints and queries made to the DPC since the GDPR went live on 25 May 2018. This increased level of mobilisation to tackle what individuals see as data misuse reflects individuals’ growing desire to understand what happens to their personal data.
The DPC has responded accordingly by hiring 50 new staff – this equates to a 135-strong DPC office with plans to recruit an additional 30 staff throughout 2019 in order to “meet the demands of the tasks assigned under the GDPR and to deliver public value in what is an area of critical importance to society.”
We list below some interesting statistics and year-on-year comparisons provided by the Report:
- 3,542 breaches were notified to the DPC – Taking 2018 as a whole, there were 4,740 recorded breaches, representing a 70% increase on 2017;
- 2,864 complaints were made to the DPC – With 4,113 over the course of 2018, this represents a 56% increase on 2017. However, out of this figure, only 18 formal decisions were issued by the DPC;
- 900 DPO notifications were received by the DPC;
- 11 Binding Corporate Rules applications were made with the DPC as lead regulator;
- 35% of the complaints relate to data subject access rights – this figure is actually down on 2017 figures;
- Over 1,000 Data Protection Officers (“DPOs”) were appointed by Irish organisations throughout 2018; and
- Many organisations have provided statistics on the number of access requests, requests for portability and erasure, and the systems they have set up to handle such requests.
TECHNOLOGY LEADERSHIP UNIT (“TLU”)
Towards the end of 2018, the DPC established an advanced technology evaluation and assessment unit. The unit’s objective is “supporting and maximising the effectiveness of the DPC’s supervision and enforcement teams in assessing risks relating to the dynamics of complex systems and technology.” The TLU has enabled the DPC to provide improved technology-focused internal guidance on ePrivacy, internet protocols and data portability, advertising technology and accountability. Looking to 2019, the TLU will conduct data controller surveys and desktop studies, to evaluate data controllers’ data protection compliance. Importantly, the TLU also aims to further relationships and dialogue with tech teams of other EU supervisory authorities, experts in academia, and other data entities and regulatory agencies.
BINDING CORPORATE RULES (“BCRs”) AND INTERNATIONAL TRANSFER ISSUES
BCRs were introduced in 2003, following discussions in response to the need for organisations to have a global approach to data protection. It is expected that the DPC will soon issue approval decisions on a number of BCR applications, once the EDPB has given its opinion in accordance with the consistency mechanism set out in Article 64 of the GDPR. The DPC has also:
- Assisted other Data Protection Authorities (“DPAs”) by acting as co-reviewer on 8 BCRs;
- Participated in the second annual review on the functioning of the EU–US Privacy Shield in coordination with entities such as the US Department of Commerce; and
- Been contacted by several companies who indicated their intent to move their lead authority for BCR purposes from the UK to Ireland in light of Brexit.
ONE-STOP SHOP (“OSS”)
The OSS mechanism was established with organisations that carry out their activities in more than one EU member state in mind – by requiring organisations to deal with just one DPA, the OSS streamlines the process of reporting and resolving data-related issues arising in different European locations. The DPC acted as the lead supervisory authority for 136 cross-border processing complaints, which were originally lodged with other EU authorities. Interestingly, consent made up approximately 27% of the cross-border complaints received by the DPC, with the right of erasure and right of access making up close to 25%.
Because companies such as Facebook, Google, LinkedIn and Microsoft have their European HQ located in Ireland, the DPC is the lead supervisory authority for these multinationals. The role of the lead supervisory authority includes the investigation of complaints or alleged GDPR infringements relating to cross-border processing, and preparing draft decisions.
The DPC made children’s data a priority even before the GDPR came into force. A public consultation process on the processing of children’s data was ongoing during the period, and the DPC welcomed the perspectives of 8-16 year olds on:
- How, when and in what contexts children may exercise their own rights independently of their parents or guardians;
- Views on the age at which children should be able to sign up to free apps in their own right;
- How age should be verified by service providers; and
- How parental or guardian approval should be sought and verified.
COMPLAINTS – COMPLAINT CASE STUDIES
The Report also provides insight into case studies, which is particularly helpful in understanding the DPC’s approach to specific rights and obligations:
- Case Study #1 concerning the transmission of data by a Government Department via WhatsApp – The DPC was satisfied that given the lack of any other secure means to contact the official in question, the transmission via WhatsApp was necessary to process the personal data for the purpose provided (visa eligibility);
- Case Study #2 concerning data subject access requests – this issue arose in the context of the disclosure of CCTV footage, where the DPC pointed out that data subjects often hold the mistaken belief that because they have not consented to the processing of their personal data, it is de facto unlawful. However, there are a number of legal bases other than consent that justify processing depending on the particular circumstances. With regard to the legitimate interests justification, the DPC will scrutinise whether the circumstances of the processing satisfy the elements that the Court of Justice of the European Union (“CJEU”) has indicated must be present for controllers to rely on this legal basis.
Other case studies involved amicable resolutions, data breaches, prosecutions and litigation concerning the DPC.
THE FOCUS FOR 2019
The DPC will focus on the following points in 2019:
- Continued roll out of GDPR guidance;
- In early 2019, the DPC will launch a consultation on a 5-year regulatory strategy to meet the demands of the tasks assigned under the GDPR – this will allow broad stakeholder input into how resources are deployed;
- A DPO network, offering opportunities for peer-to-peer DPO dialogue, will be rolled out;
- Particular attention will be paid to tech giants in relation to issues such as large-scale data breaches and legal bases for processing;
- Tech giants’ commitment to Codes of Conduct and raising the bar in individual sectors in terms of standards of data protection and transparency – these efforts are particularly important in view of the EU elections in May 2019 (ad tech and the online advertising ecosystem are crucial in this respect);
- We also await a ruling on the High Court reference on the validity of Standard Contractual Clauses. This will be heard and decided by the CJEU later this year;
- DPOs’ continuing key role in embedding effective data protection practices in their organisations and driving real improvements in standards of data protection and security; and
- Continued sharing of learning amongst sectoral groups will be important to drive higher standards of data protection.
For more on this topic, contact the Data, Privacy and Technology Team at Philip Lee.