
DPC

The DPC recently published its Annual Report for 2024, the first report since the two new Commissioners stepped into their roles succeeding Helen Dixon’s decade-long tenure. Our Privacy & Data Security team discusses some of the highlights.


What you need to know

  • The DPC’s new leadership adopts a proactive and collaborative approach to GDPR compliance. It emphasises early engagement and accountability to reduce potential data protection risks.

  • AI dominated the DPC’s 2024 agenda. This included intense engagement with technology companies introducing large language models in the European market. The DPC also requested an opinion from the EDPB on the use of personal data to develop AI models.

  • It was a busy year on all fronts with many changes to foster inter-regulatory cooperation in an increasingly complex digital landscape.


Engagement not endorsement

The DPC released its first Annual Report since the new Data Protection Commissioners, Dr. Des Hogan and Dale Sunderland, took office in February 2024. In the report, the DPC champions an “open and communicative approach” to driving compliance with GDPR. The foreword notes:

“[t]he GDPR gives organisations the freedom to shape the specifics of their approach to meeting data protection obligations, but it also requires organisations to be accountable for their choices both to individuals and regulators”.

For many controllers with their main establishment in Ireland, being “accountable” will mean early engagement with the DPC’s Supervision and Enforcement function to mitigate potential data protection risks and harms to individuals. But, the DPC is clear, this proactive engagement does not give “carte blanche or advance approval of plans to any organisation”. These comments offer valuable insights into the regulatory approach we can expect from the new Commissioners.

Fast-paced AI developments

AI was the buzzword of 2024, and this is reflected in the DPC’s activities over the course of the year. It commenced an own-volition inquiry into Google's use of EU data subjects' information for the development of its PaLM2 AI model and specifically examined whether Google complied with any obligation to undertake a Data Protection Impact Assessment. The DPC also engaged with Meta on its reliance on legitimate interest as a legal basis to train its AI models. The DPC took the unprecedented action of applying to the High Court for an order against X, formerly Twitter, in August 2024. The application sought to prohibit the company from processing the personal data contained in EU/EEA users’ public posts to train its AI tool, “Grok”. The power to bring these urgent proceedings under Section 134 of the Irish Data Protection Act has existed since 2018. However, this was the first time the DPC exercised this power and the action is indicative of the DPC’s willingness to exercise its full powers when it deems it necessary to protect data subjects.

2024 also marked another first for the DPC. It requested a formal Article 64 opinion from the European Data Protection Board (EDPB), the body that ensures the consistent application of GDPR across the EU. The request focused on the use of personal data for AI model development and deployment. Noting the lack of consensus on the fundamental points, the DPC referred a set of questions to the EDPB. The EDPB then worked intensively to publish the Opinion on the use of personal data for the development and deployment of Artificial Intelligence (“AI”) models in December 2024.

Boots-on-the-ground and other enforcement

Other notable actions by the DPC in 2024 included visits to old medical centres as part of an inquiry assessing the safety of sensitive health data retained and stored by the HSE. The inquiry originated from reports of medical files being discarded in public and video footage of health records stored at these facilities being published online. During a LinkedIn Live session following the release of the Annual Report, Deputy Commissioner Graham Doyle indicated that site visits will continue to be considered on a needs basis and that the increased staffing and resources of the DPC mean it is well equipped to conduct these visits.

The DPC also launched a high-profile inquiry into Ryanair's use of biometric data to verify customers’ identities where they had booked via a third-party site. While still ongoing, the outcome of this inquiry will be of interest to other companies seeking to introduce facial recognition technology.

On fines, after 2023’s record-breaking fines of €1.2 billion, 2024 saw a return to a more typical level of fines with the DPC imposing fines totalling €652 million. LinkedIn was subject to the highest fine imposed (€310 million) following an inquiry into the lawfulness, fairness and transparency of its behavioural analysis and targeted advertising processing.

DSARs, complaints, and breaches - human error at the core

Data subject access requests (DSARs) continue to dominate the complaints received by the DPC with one in three complaints (34%) filed with the DPC in 2024 involving DSARs. This is virtually unchanged from 2023 when 39% of all complaints related to DSARs. Personal data breach notifications increased 11% year-over-year and breach notifications under ePrivacy nearly tripled. Basic human error continues to be the main culprit. Half of all data breaches reported in 2024 were caused by sending correspondence to the wrong recipient. The Case Studies Booklet accompanying the Annual Report emphasises how increased staff training and awareness are important measures for organisations seeking to prevent data breaches and ensure DSARs are correctly processed.

Other activities in 2024

The DPC also participated in numerous engagements and activities focused on specific sectors in 2024. Children’s rights continued to be a focus for the DPC in 2024. Members of the DPC visited the CNIL to plan a joint initiative for 2025. The initiative will focus on "sharenting" - the practice of parents sharing their children's information, photos, and private moments online.

The DPC published a “Data Protection Toolkit for Schools". In addition, it undertook surveys of Irish sporting organisations and retailers with a view to understanding the landscape so as to develop useful tools for GDPR compliance in those sectors.

The DPC appointed two new Deputy Commissioners to enhance engagement with its European and International counterparts. Gráinne Hawkes is the Deputy Commissioner responsible for EDPB, International Affairs & the AI Act. Jennifer Dolan is the Deputy Commissioner responsible for Inter-Regulatory Cooperation & ePrivacy Prosecutions. An important part of the latter role will involve engagement with Ireland’s Digital Regulators Group. This group comprises the DPC, the Competition and Consumer Protection Commission, the Commission for Communications Regulation and An Coimisiún na Meán. The aim of the group is to encourage deeper collaboration and regulatory clarity across an increasingly complex digital landscape.

Conclusion

2024 was another busy year for the DPC and the activities on AI, children and specific sectors will be sure to keep the new Commissioners busy. It is clear the DPC will use supervision engagements to intervene and improve outcomes for data subjects before data processing commences. When necessary, it can be quick to use its substantial investigation and enforcement powers including on-site visits and an application to the High Court to prohibit processing.

For more information and expert advice, please contact a member of our Privacy & Data Security team.

People also ask

What is the DPC’s approach to regulating companies established in Ireland?

While fines are important tools for enforcement, the DPC emphasises early engagement by organisations to avoid potential data protection risks and harms to individuals.

What actions can data controllers take to reduce the risks of data breaches?

With human error being the primary cause for data breach notifications received by the DPC, there is significant emphasis on the importance of staff training and awareness.


The content of this article is provided for information purposes only and does not constitute legal or other advice.


