The Irish Data Protection Commission (DPC) published its Annual Report on 7 March 2023. Our Privacy & Data Security team examines the headlines and key points organisations should know from the DPC’s round-up of last year’s activities.
- The DPC issued fines in excess of €1 billion in 2022. This significant sum amounted to two-thirds of the data protection fines issued across Europe last year.
- The DPC collected €17,639,500 on behalf of the Irish exchequer in 2022. The (relatively) low collection rate is a result of many of the DPC’s decisions being appealed or subject to judicial review proceedings.
- 17 cross-border inquiries were concluded by the DPC over the course of 2022.
- As of 31 December 2022, the DPC had 88 statutory inquiries ongoing, including 22 large-scale cross-border inquiries. According to media reporting accompanying the Annual Report, several of these are close to completion so we can expect more decisions and large fines in the coming months.
- The DPC concluded 10,008 individuals’ cases (6,875 queries and 3,133 complaints) and processed 9,370 new cases (6,660 queries and 2,710 complaints) last year.
- Access requests again made up the bulk of the complaints (42%).
- The DPC concluded 207 direct marketing investigations and successfully prosecuted 4 violations against two companies.
- The DPC reported a 13% decrease in the number of GDPR data breach notifications received in 2022 compared to 2021.
- Breach notifications under the ePrivacy Regulations increased 176% compared to 2021. This increase is attributed to the expanded definition of “electronic communications service” which brought “over the top” services within scope of the ePrivacy Regulations.
- During 2022 the DPC was the lead reviewer for 27 BCR applications from 16 different companies. Three of those applications were approved.
- The DPC had 196 staff members at the end of the year with a number of changes in the senior team over the course of the year.
In 2022, the DPC concluded 17 large-scale inquiries and issued a record €1 billion in administrative fines. As part of the decisions in those inquiries the DPC also issued multiple reprimands and compliance orders. Bringing processing operations into compliance can be a costly exercise for companies as it typically requires significant internal resources and manpower.
The Annual Report also provides an insight into the objections the decisions of the DPC have received as part of the Article 60 GDPR co-decision making process since May 2018. The German supervisory authorities (including both federal and all Lander authorities) topped the chart by submitting objections in 12 of the inquiries. This is closely followed by the French and Italian regulators which both submitted objections in 8 inquiries.
A One-Stop-Shop or a legal maze?
The foreword by Commissioner Dixon observes that the One-Stop-Shop mechanism (OSS) has “created something of a legal maze that requires, constant navigation building an ever more complex landscape for litigators.”
OSS was established under the GDPR with the objective of streamlining how organisations that do business in more than one EU member state engage with supervisory authorities. The OSS allows for these organisations to be subject to direct oversight by just one supervisory authority, where they have a ‘main establishment’, rather than being subject to separate regulation by the data protection authorities of each member state.
For organisations, the process has become more convoluted after the decision of the General Court of the European Court of Justice in a case involving WhatsApp Ireland (T-709/21). WhatsApp applied to have a decision of the EDPB from July 2021 against it annulled. Despite the binding nature of the EDPB’s decisions, the General Court held that WhatsApp lacked the necessary legal standing to make the application. As it currently stands, the law requires companies to apply to the Irish High Court, as part of its appeal against the DPC’s Final Decision, to make a preliminary reference to the CJEU concerning the validity of the EDPB decision.
Cross-border complaints from individuals are the basis for the majority of interactions between EU data protection authorities. The Annual Report gives an insight into the inner workings of this cooperation by explaining that ‘Voluntary Mutual Assistance’ requests are used to communicate details of cross-border complaints and follow up communications and actions on complaints, as well as notification to supervisory authorities on supervision cases, inquiries and sharing of documents. ‘Formal Mutual Assistance’ requests are used to formally request information from another supervisory authority to request that a supervisory authority take certain actions.
Despite these internal procedures, Commissioner Dixon observes that OSS often does not serve individuals well as it is a protracted process. By way of example, an Irish citizen lodged a complaint with the DPC in 2019 about a German company who passed their details on to a UK supplier without the complainant’s consent. In accordance with the requirements of the GDPR, the DPC referred the complaint to the relevant German authority. Despite the apparent simplicity of the complaint, the matter took more than three years to resolve, and a final decision was only issued in January 2023.
To improve the operation of the process and results for individuals, it is suggested by Commissioner Dixon that the OSS mechanism should be examined by legislators.
Supervision and guidance
As part of its supervision function, the DPC continued its engagement with public and private sector organisations. During engagement with organisations the DPC will proactively identify, at a high level, data protection concerns to ensure organisations are aware of their compliance obligations and any potential problems in advance of the processing commencing.
The Annual Report provides an insight into the types of issues that will be considered as part of such engagement including; the lawful basis, transparency, prominent location of contextual notices, retention periods, data minimisation and purpose limitation. The DPC also notes that it is not precluded from taking enforcement action in the context of such engagements if it considers it necessary. This is of particular relevance for ‘large platform providers’ with whom the DPC will continue to engage with in 2023.
In case you missed it, the DPC produced a significant amount of guidance over the year. It published 7 new pieces of substantial guidance, including 3 short guides aimed at educating children on their privacy rights, 5 infographics, updated 11 pieces of existing guidance, added 15 new case studies to its website and published three reports including the One-Stop-Shop Cross-Border Complaint Statistics report. The DPC also hosted 32 online webinars for members of the DPC Network covering a range of topics.
Data protection claims
Also of note, the first civil action for compensation under section 117 of the Data Protection Act 2018 made its way to the Circuit Court this year. SIPTU members took a case against the union after it inadvertently sent an email containing their personal details to a group of 212 other SIPTU members. No evidence of actual loss suffered as a result of the email distribution was offered by the claimants. Rather the claimants had sought damages for loss and distress. The Circuit Court rejected the claim, holding that more than minimal loss was necessary, and notably ordered the claimants to pay SIPTU’s costs.
For more information on any aspect of the Report and their potential impact on your organisation, contact a member of our Privacy & Data Security team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.