On 20 February 2020, Ireland’s data protection supervisory authority, the Data Protection Commission (DPC), published its annual report for 2019 (Report). The Report is the second report under the General Data Protection Regulation (GDPR) and is the first report based on a full calendar year under the GDPR.
The Report reveals 2019 has been an exceptionally busy year for the DPC. It contains a number of interesting statistics, in particular:
Complaints: 7,215 complaints received; 75% increase from 2018; 29% in “access rights” category; 5,496 complaints concluded, and 457 cross-border processing complaints received through the One-Stop Shop mechanism
Breaches: 6,069 valid data breach notifications received; 71% increase from 2018 and 83% related to unauthorised disclosures
Inquiries: 70 inquiries as of 31 December 2019; 21 cross-border inquiries, and 49 domestic inquiries
Direct marketing: 165 new complaints investigated; 77 related to email marketing; 81 related to SMS marketing; seven related to telephone marketing, and prosecutions concluded against four entities
General consultation queries: 1,420 queries received; 44% from the private/financial sector, and 33% from the public sector
Data Protection Officers: 712 new Data Protection Officer notifications, bringing the total number to 1,596 at year end
Contacts: 22,300 emails; 22,200 telephone call, and almost 4,000 items of post.
Staff: increase from 110 at the end of 2018 to 140 at the end of 2019
Communications and guidance: 33 guidance documents, 18 blogs, 8 podcasts, 20,000 social media followers
Binding Corporate Rules: lead reviewer in 19 Binding Corporate Rules applications
Summary of key sections
There has been a significant increase in the number of complaints received. As in previous years, access requests complaints were identified as the highest complaint-type received by the DPC between in 2019 - 2,064 complaints. A high proportion of these related to the failure of organisations to respond to an access request, or failure to release all the appropriate data on foot of an access request.
The DPC is the lead supervisory authority for a broad range of multinationals and the Report sets out that 457 cross-border complaints were transferred to the DPC by other data protection supervisory authorities in 2019.
Some of the trends and issues related to breaches identified in the Report include:
Difficulty in assessing risk ratings
Failure to communicate the breach to individuals
Repeat breach notifications
There has been an increase in the number of repeat breaches of a similar nature by a large number of companies, particularly in the financial sector, where the majority of breaches appear to be related to unauthorised disclosures.
Investigations into big tech companies continued to progress in 2019 with the first two inquiries moving from the investigative stage to the decision-making phase. The Report states that it is going to take time to implement the new legal frameworks under the GDPR but assures readers that “intensive work is underway”. The Report anticipates that 2020 will involve the reconciliation of many such complex legal issues which will flow from the conclusion of its first waves of statutory inquiries and the crystallisation in practical terms of many theoretical legal and procedural issues which have been raised during those first novel inquiries.
The Report informs us that the DPC is now finalising its guidance document on children’s data protection rights and the processing of children’s data having carried out an extensive consultation on the processing of children’s personal data. In tandem with the guidance, the DPC will publish a separate child-friendly guide which will explain to children their rights under data protection law and the risks that may arise when they disclose their personal data online.
Regulatory Strategy 2020-2025
Among the DPC’s key projects in the Report is its Regulatory Strategy 2020-2025. The DPC commenced consultations last year to understand people’s views on data protection rights, the role of the DPC, how compliance with data protection law should be encouraged, facilitated, and maximised, and how non-compliance should be regulated. The draft Regulatory Strategy is being developed and will be subject to a further open public consultation during 2020.
Case studies and litigation
The Report contains various case studies and details of litigation the DPC is involved in. The case studies cover matters including data subject rights data and data breaches. The Report also contains summaries of the data protection elements of significant judgments delivered by the European Court of Justice (CJEU) during 2019, the litigation concerning standard contractual clauses in the Irish courts and the CJEU and the DPC’s investigation in relation to the public services card.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.