The Data Protection Commission (DPC) has published its annual report for 2020, which shows significant change and momentum in data protection regulation. For the first time, the annual report includes details of significant fines issued for breaches of data protection legislation. The report summarises several key ongoing investigations and decisions and unsurprisingly discusses the impact of and measures taken by the DPC in response to the global COVID-19 pandemic. It was another year of personnel (and expertise) growth for the DPC with the addition of five new officers and a higher financial budget for 2021. Another notable trend is that data security is becoming a more significant issue for organisations year on year.
Administration of Fines
The DPC issued its first administrative fines under the GDPR, with four separate fines issued to TUSLA, the child and family state agency, for personal data breaches. These fines, totalling €200,000, were issued between April and August 2020.
In December 2020, the DPC issued its first cross-border fine to Twitter for €450,000 for failure to notify a data breach. This case involved the first major-scale co-operation procedure decision in the EU under Article 60 of the GDPR, whereby considerations from other EEA Supervisory Authorities are required before a regulatory decision can be finalised or a fine imposed. This co-operation procedure has also been invoked by the DPC in actions against Ryanair, WhatsApp and Groupon.
A draft decision on the WhatsApp inquiry is currently progressing through the co-operation procedure at EU-level, examining mainly whether WhatsApp has discharged its GDPR transparency obligations. This WhatsApp inquiry is being closely watched because it may herald an era of much higher GDPR fines.
The landmark Schrems II case concluded during the summer of 2020, resulting in confirmation that Privacy Shield is not a valid transfer mechanism under the GDPR but that standard contractual clauses may still be used, provided certain conditions are met by the laws and regulations of the data-importing jurisdiction. In total there were 14 litigation matters involving the DPC in 2020, many of which were completed. These included the well-documented case taken by Peter Nowak, who was seeking access to accountancy exam scripts, and another involving the Department of Employment Affairs and Social Protection. Cases involving the Courts Service and Doolin (a case about the use of CCTV footage in the context of a disciplinary hearing) are both subject to further appeal. In addition, the final order for costs in the Schrems II case has not yet been perfected.
The DPC has 83 ongoing statutory inquiries, including 27 cross-border inquiries. Among those are 12 involving Facebook (including Instagram), three involving Apple, three inquiries into Twitter, two for WhatsApp and Google and one inquiry into LinkedIn. While there is clearly a focus on large tech companies, 56 statutory inquiries were also under way into a range of domestic companies and organisations including Yelp, An Garda Síochána, Bank of Ireland, TUSLA, the Catholic Church, the Irish Prison Service and the University of Limerick.
The common trends reflected in these inquiries include the lawfulness of data processing, transparency, rights of access and data breach investigations. The report specifically notes that "another phenomenon [the DPC has] continued to see in 2020 was that of both organisations and individuals attempting to misuse the GDPR to obfuscate or pursue other agendas".
- The DPC handled a total of 10,151 cases during 2020, an increase of 9% on 2019. Unsurprisingly, there were a significant number of COVID-19 related queries from individuals and organisations.
- During 2020, the DPC received 4,660 complaints from individuals under the GDPR. 4,476 complaints were concluded during the year. As is now common, the largest source of complaints related to data access requests (1,683), followed closely by complaints in relation to fair processing of data (1,623), with other complaints relating to disclosure, direct marketing and the right to erasure.
- The DPC received 6,628 (valid) data security breach notifications, which is an increase of 10% on 2019. These notifications included:
  - 5,837 incidents of unauthorised disclosure of personal information;
  - 146 notifications of hacking;
  - 275 incidents where paper was lost or stolen;
  - 48 instances where mobile devices were lost or stolen (only 19 were protected by encryption);
  - 146 instances of unauthorised access;
  - 61 notifications of unintended online publication;
  - 32 reports of ransomware attacks; and
  - 74 incidents of phishing (including social engineering).
- The majority of breaches were a result of human error as opposed to any systemic issues. This highlights the importance of ensuring that robust internal organisational, as well as technical, procedures and controls are in place for staff. This is particularly so since most organisations have made the move to more frequent, if not exclusive, remote working.
- The DPC concluded 147 electronic direct marketing investigations and prosecuted 6 companies for sending unsolicited text messages or e-mails to individuals, including Three (Ireland), Ryanair and the AA.
2020: Brexit and COVID-19
The DPC was also faced with new challenges from Brexit and the negotiations between the EU and the UK, which added more uncertainty to international personal data transfer rules. The final position reached at the end of 2020 by the EU and UK to allow a short-term initiative for free data flows between the EU and the UK eased this uncertainty somewhat and reports from the EU Commission on the progress of an adequacy decision in favour of the UK are also now very promising. UK adequacy, however, is not referenced in the DPC report.
Lastly, the DPC provided instrumental advice and consultation in respect of the COVID-19 efforts across the country, having engaged with the public health authorities on the COVID-19 contact-tracing app and the challenging issues around how COVID-19 PCR test results were communicated.
A Look Ahead to 2021...
The DPC has increased resources, with a 145-strong team of officers, which is likely to continue to grow, and an increased annual budget of €19.1m.