Friday, February 21, 2020
AT A GLANCE
On 20 February 2020, the Irish Data Protection Commission (“DPC”) released its second annual report (the “Report”) under the General Data Protection Regulation (the “GDPR”). The Report relates to the period of 01 January 2019 – 31 December 2019, the first calendar year of the operation of the GDPR and the Law Enforcement Directive.
This article sets out some of the main features of the Report.
THE HIGHLIGHTS
In its press release publishing the Report, the DPC sets out the highlights from the Report which include:
COMPLAINTS
The highest volume category for complaints in 2019 remains data subject access requests. 2,064 complaints relating to data subject access requests were made out of a total of 7,215 complaints made in 2019, representing 29% of all complaints made. The majority of these complaints related to the failure of organisations to respond to access requests relating to personal data they held, or failure to release all the appropriate data on foot of a data access request.
COOKIES SWEEP 2019
In August 2019, the DPC commenced an examination of the use of cookies and similar technologies on a selection of websites across a range of sectors, including media and publishing, the retail sector, restaurants and food ordering services, insurance, sport and leisure and the public sector.
The Report states that the sweep demonstrated that the quality and detail of information provided to users in relation to cookies varied widely. The Report also points out that many organisations set cookies as soon as a user lands on their website, before the user has had any interaction with a cookies banner or consent management tool. In addition, a number of the websites examined used pre-checked boxes and sliders set by default to the ‘on’ position.
DPOs
The DPC facilitated the DPO Network which was developed in late 2019. The DPC has also recently published a new section in the Guidance section of its website specifically for DPOs. In the Report, the DPC commits to engaging with DPOs and their teams and has listed mobilising the DPO Network as a priority for 2020.
The first initiative being rolled out by the DPC for this Network is a DPO conference on 31 March 2020.
THE DPC’S REPORT ON THE PUBLIC SERVICES CARD
On 15 August 2019, the DPC published its findings on certain aspects of the Public Services Card (“PSC”) following a lengthy investigation. The published findings were targeted in particular at two key issues, namely transparency and the legal basis under which personal data is processed by the Department of Employment Affairs and Social Protection (“DEASP”) in relation to the PSC.
A total of eight findings were made in the DPC’s report, which were rejected by DEASP: three relating to the legal basis issue and five relating to issues around transparency. In light of the rejection of the report’s findings, and DEASP’s determination to continue the PSC scheme without modification, the DPC issued a letter dated 5 September indicating that they would be proceeding to enforcement.
Ultimately an enforcement notice was issued under Section 10 of the Data Protection Acts 1988 and 2003 on 6 December 2019. The notice, which was directed to the Minister for Employment Affairs and Social Protection, Regina Doherty, acting through DEASP, directs the taking of a range of steps to remedy the violations identified in the DPC’s report. The enforcement notice was appealed by the Minister to the Circuit Court and is expected to be heard at some point during 2020.
CASE STUDIES AND KEY EUROPEAN JUDGMENTS
The Report provides details of case studies, which are helpful in understanding the DPC’s approach to complaints, prosecutions etc. The case studies relate to a range of topics including the right to rectification, complaints regarding direct marketing and data breaches.
Appendix 1 of the Report contains summaries of the key Court of Justice of the European Union judgments from 2019, including the Planet 49 case, which analysed the standards of transparency and consent required for the use of cookies, and the Fashion ID case, in which it was held that an operator of a website which embeds a social plugin of a third party on its website (such as the Facebook “Like” button), resulting in the transmission of personal data to that third party, can be considered a joint controller with the owner of that social plugin.
THE FOCUS FOR 2020
The Report indicates that the DPC will focus on the following points in 2020:
If you have any queries based on this article – or any general Data Protection queries – please contact Eoghan Doyle, Partner, or Sophie O’ Connor, Associate.