DPC Annual Report – The second for GDPR

Friday, February 21, 2020

AT A GLANCE

On 20 February 2020, the Irish Data Protection Commission (“DPC”) released its second annual report (the “Report”) under the General Data Protection Regulation (the “GDPR”). The Report relates to the period of 01 January 2019 – 31 December 2019, the first calendar year of the operation of the GDPR and the Law Enforcement Directive.

This article sets out some of the main features of the Report.

THE HIGHLIGHTS

In its press release publishing the Report, the DPC sets out the highlights from the Report which include:

• 7,215 complaints were received in 2019 representing a 75% increase on the total number of complaints (4,113) received in 2018.
• 5,496 complaints in total were concluded in 2019.
• 6,069 valid data security breaches were notified representing a 71% increase on the total number of valid data security breaches (3,542) recorded in 2018.
• On 31 December 2019, the DPC had 70 statutory inquiries on hand, including 49 domestic inquiries.
• 457 cross-border processing complaints were received by the DPC through the One-Stop-Shop mechanism.
• 712 new Data Protection Officers (“DPOs) appointed in 2019, with over 1,500 now engaged daily within the public sector and large data processing organisations.

COMPLAINTS

The highest volume category for complaints in 2019 remains data subject access requests. 2,064 complaints relating to data subject access requests were made out of a total 7,215 complaints made in 2019, representing 29% of all complaints made. The majority of these complaints related to the failure of organisations to respond to access requests relating to personal data they held, or failure to release all the appropriate data on foot of a data access request.

COOKIES SWEEP 2019

In August 2019, the DPC commenced an examination of the use of cookies and similar technologies on a selection of websites across a range of sectors, including media and publishing, the retail sector, restaurants and food ordering services, insurance, sport and leisure and the public sector.

The Report states that the sweep demonstrated that quality and detail of information provided to users in relation to cookies varied widely. The Report also points out that many organisations set cookies as soon as a user lands on their website before the user has had any interaction with a cookies banner or consent management tool. In addition a number of the websites examined used pre-checked boxes and sliders set by default to the ‘on’ position.

DPOs

The DPC facilitated the DPO Network which was developed in late 2019. The DPC has also recently published a new section in the Guidance section of its website specifically for DPOs. In the Report, the DPC commits to engaging with DPOs and their teams and has listed mobilising the DPO Network as a priority for 2020.

The first initiative being rolled-out by the DPC for this Network is a DPO conference on 31 March 2020.

THE DPC’S REPORT ON THE PUBLIC SERVICES CARD

On 15 August 2019 The DPC published its findings on certain aspects of the Public Services Card (“PSC”) following a lengthy investigation. The published findings were targeted in particular at two key issues, namely transparency and the legal basis under which personal data is processed by the Department of Employment Affairs and Social Protection (“DEASP”) in relation to the PSC.

A total of eight finding were made in the DPC’s report which were rejected by DEASP. Three relating to the legal basis issue and five relating to issues around transparency. In light of the rejection of the report’s findings, and DEASP’s determination to continue the PSC scheme, without modification, the DPC issued a letter dated 5 September indicating that they would be proceeding to enforcement.

Ultimately an enforcement notice was issued under Section 10 of the Data Protection Acts 1988 and 2003 on 6 December 2019. The notice, which was directed to the Minister for Employment Affairs and Social Protection, Regina Doherty, acting through DEASP, directs the taking of a range of steps to remedy the violations identified in the DPC’s report. The enforcement notice was appealed by the Minister to the Circuit Court and is expected to be heard at some point during 2020.

CASE STUDIES AND KEY EUROPEAN JUDGMENTS

The Report provides details of case studies which is helpful in understanding the DPC’s approach to complaints, prosecutions etc. The case studies relate to a range of topics including the right to rectification, complaints regarding direct marketing and data breaches.

Appendix 1 of the Report contains summaries of the key Court of Justice of the European Union from 2019 including the Planet 49 case, which analysed the standards of transparency and consent required for the use of cookies, and the Fashion ID case, in which it was held that an operator of a website which embeds a social plugin of a third party on its website (such as the Facebook “Like” button) which results in the transmission of personal data to that third party can be considered a joint controller with the owner of that social plugin.

THE FOCUS FOR 2020

The Report indicates that the DPC will focus on the following points in 2020:

• In 2019 the DPC carried out an extensive consultation on the processing of children’s personal data, producing 80 responses. The DPC is now finalising its guidance document on children’s data protection rights and the processing of children’s data. This document is much anticipated following the publication by the UK Information Commissioner’s Office (“ICO”) of the Age Appropriate Design Code. For more details on this see here.
• Continued attention will be paid to enhancing the quality and responsiveness of the service provided by the DPC.
• Following the cookies sweep described above, the DPC has committed to producing updated guidance on cookies and other technologies in 2020 and to placing a strong focus on compliance in this area.
• 2019 saw continued emergence of the Fintech and payments industry with the advent of Open Banking and the European Payment Services Directive 2 (PSD2) with new Fintech start-ups or trusted third-parties (TPPs) setting up operations in Ireland. As the sharing of account information and personal data is the cornerstone of PSD2 this will be a core priority for the coming year for the DPC’s consultation engagement with the private and financial sector.
• Mobilising the DPO Network is a continued priority for the DPC for 2020.
• The DPC will continue work on the DPC’s new Regulatory Strategy, for the period from 2020 to 2025. The Report indicates that the DPC will use this as an opportunity to re-examine how the work of the DPC can have the biggest impact possible within the resources available to it, taking into account the greatest risks to people’s rights.

If you have any queries based on this article – or any general Data Protection queries – please contact Eoghan Doyle, Partner, or Sophie O’ Connor, Associate.