2021 was a busy year for the Data Protection Commission (DPC) across a number of fronts including resolving data subject complaints, processing breach notifications, progressing statutory inquiries, issuing guidance and exercising supervision. We look at some key takeaways from its recently published Annual Report for 2021.

Data subject queries and complaints

In 2021 the DPC received 10,888 queries and complaints from individuals. For the 3,389 GDPR complaints received, the main categories related to:

The Annual Report highlights that, where possible, the DPC will seek to resolve individual complaints amicably. This option is available to individuals throughout the lifetime of their complaint, regardless how far the complaint has progressed or escalated. Depending on the complaint the DPC may proceed down a “fast-track” Amicable Resolution process or undertake an iterative more intensive complaints handling process.

The most common complaints resolved via Amicable Resolution in 2021 related to controllers not responding to access requests or failing to adequately meet their GDPR obligations. Echoing statements from the previous Annual Report, the DPC is concerned that it has identified a pattern where controllers are not responding to subject access requests or are not responding adequately. When the DPC investigates these subject access complaints, it often transpires that the controller has either:

• Not performed an adequate search for the data
• Has not advised the individual they are withholding data and the exemption they are relying on to do this, or
• Will not respond within the required timeframe

The Annual Report indicates that in 2022 the DPC intends to increase its enforcement in this area by targeting non-responses or inadequate responses from controllers.

On requesting ID when data subjects seek to exercise their rights, the DPC stressed the importance of data minimisation. Seeking more information than what is already held as a means of proving identity is likely to be disproportionate. In a case study involving a hotel which requested the data subject provide a copy of a utility bill and a copy of a photo ID verified by the Gardaí, the DPC indicates that a request for official ID is only likely to be proportionate if:

• The category of information relating to that individual is sensitive in nature; and
• Where the official ID can be corroborated by information already held by the controller such as address or date of birth.

Issues of particular concern may give rise to ‘rapid direct intervention’ by the DPC. For example, during the pandemic, it was deemed that Savills Ireland sought ‘excessive personal data’ from persons seeking to view properties in Dublin. The information requested by Savills Ireland included proof of funds for the full purchase price including evidence of mortgage approval, bank statements, or evidence of savings or gifts. Savills Ireland sought to justify the collection of this information to help "triage" and identify ”qualified buyers” during Covid-19 restrictions. However, once the DPC reviewed the practice following media reports it was immediately discontinued.

Breaches

From January 2022, the DPC will deploy a new strategic approach to breaches notified to it under the GDPR. Previously, the DPC would conduct its own risk and impact assessment and engage with the controller on mitigation actions and matters relating to data subject notification in high-risk cases. Now the DPC will only provide an acknowledgement of receipt of the breach notification and will not issue recommendations or request further information in most cases. The new strategic approach to breaches is not to be construed as an indication of the DPC’s satisfaction with the notification itself, nor the controller’s assessment. Instead, the focus will be on prioritising enforcement cases. So, in breaches where the DPC receives complaints or deems the issues to warrant further information or a formal statutory inquiry, the DPC will proceed in that way.

Last year, the number of breaches reported under the ePrivacy Regulations accounted for just under 1% of the total number of breaches reported to the DPC. However, the DPC expects this number to increase going forward due to a significant change to the definition of an “electronic communications service”. Upon Ireland’s implementation of the EU Electronic Communications Code, the change in definition will require certain “over-the-top” services to notify breaches to the DPC under both Article 33 GDPR and the ePrivacy regime.

Inquiries and investigations

2021 was characterised by significant momentum gain, in particular, in relation to cases involving significant sanctions or corrective measures by the DPC. The significant decisions include:

However, Commissioner Dixon’s foreword strongly criticises a sole focus on quantity and size of fines levied. These metrics do not drive behaviour change and are not capable of delivering identifiable and meaningful improvements for individuals. If the collective goal is to ensure better protection of people from misuses of their personal data, Commissioner Dixon recommends that better metrics are needed to provide insight into how effective regulation and enforcement has been. The Annual Report indicates work is on-going at EU level with other supervisory authorities to develop a set of metrics to be used to measure regulatory outputs across the EU on a like-for-like basis.

At the end of 2021, the DPC had 81 statutory inquiries on-going, including 30 cross-border inquiries. In terms of those inquiries that remain ongoing, the DPC’s large-scale inquiry into Meta’s transfers of personal data to the USA continues to attract a lot of attention. Of interest to many stakeholders will be the interpretation and application of Article 83(3) of the GDPR. Article 83(3) concerns the calculation of administrative fines in cases involving multiple infringements, which is currently an issue before the General Court of the European Court of Justice to determine. However, as the Annual Report notes, it may be a number of years before a conclusion is reached.

On the cookies front, the DPC continued to carry out investigations in 2021. Issues targeted by the DPC during the year included:

• The setting of tracking and advertising cookies without consent
• The use of cookie banners that obscured the text of the cookies and privacy notices on websites, and
• The use of pre-ticked boxes or toggles to signal consent for cookies

While investigations and enforcement of the cookie rules will continue to be a key element of the DPC’s activities in 2022, the circuitous enforcement route means the relevant legislation needs to be urgently updated for enforcement that is more resource-efficient and effective.

Guidance and supervision

A consistent ask from stakeholders has been more guidance issued by the DPC. 2021 saw the completion of the DPC’s work on its regulatory strategy for the next five years and the publication of 10 substantive pieces of guidance including, the Fundamentals for a Child-Oriented Approach to Data Processing. As outlined in the DPC’s strategy, it intends to publish more guidance including more regular case studies of issues it has decided going forward. Recently the guidance has been published through various channels including its website and LinkedIn profile.

Through supervision action, the DPC has brought about the postponement or revision of seven scheduled big tech projects with implications for the rights and freedoms of individuals. The aim of supervision according to the Annual Report, is to offer guidance to stakeholders and to connect proactively as a regulator by open and regular communication with stakeholders.

For more information, please contact a member of our Technology team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.