The EU-wide implementation of the GDPR on 25 May 2018 also marked the commencement in Ireland of the Data Protection Act 2018 and the establishment of a new Data Protection Commission. The DPC’s first annual report was published on 28 February 2019, covering the period 25 May to 31 December 2018.
Whilst the GDPR is the main focus of the annual report, it also deals with the DPC’s supervisory role under the Law Enforcement Directive (2016/680), which was transposed into Irish law by the 2018 Act, and the e-Privacy Regulations (S.I. No. 336 of 2011), in respect of the processing of personal data in the context of electronic communications.
The DPC has been busy post-GDPR, receiving nearly 31,000 communications during the report period. This was anticipated, and the DPC significantly tooled-up well before May 2018. Its resource allocation in 2016, when the GDPR was first adopted, was broadly €4.7 million funding and 52 staff, compared to €15.2 million funding for 2019 and a current headcount of 135, with further recruitment planned in 2019.
2,864 complaints were received by the DPC during the report period. Consistent with previous years, complaints regarding ‘access requests’ make up the largest compliant type. Complaints relating to unfair processing and disclosure were also high, followed by complaints made under the ePrivacy Regulations in respect of various forms of electronic direct marketing.
32 new complaints were investigated under the ePrivacy Regulations, some of which concluded with District Court prosecutions. This will become a key area for complaints and enforcement once the long awaited EU-wide ePrivacy Regulation is finalised and becomes enforceable.
The DPC’s newly formed LED Complaints Unit handled seven complaints in relation to the Law Enforcement Directive (“LED”), six of which concerned An Garda Síochána as controller.
The DPC handled 48 data security breach complaints during the reported period. However, the interesting, but not unexpected statistic, is the 3,542 valid data security breaches notified to the DPC during the report period. In total, 4,740 valid data security breaches were notified in the 2018 calendar year representing a 70% increase on the total number of valid data security breaches recorded in the full year of 2017. This is not surprising, as the mandatory obligation for controllers to report certain types of data security breaches only commenced on 25 May 2018. Prior to this, most reported data security breaches were made on a voluntary basis further to a non-binding DPC code.
The DPC received 92 valid data breach notifications under the ePrivacy Regulations, and 12 LED breach notifications.
The report notes that the number of cyber security compromises notified, such as phishing, malware and ransomware attacks, increased from 49 cases in 2017 to 225 in 2018. Also, there was a reported increase in the use of social engineering and phishing attacks to gain access to ICT systems.
Under the one-stop-shop mechanism (“OSS”), the DPC is the ‘lead supervisory authority’ for a large number of high-profile multinationals, whose main establishment is in Ireland. During the report period, the DPC received 136 cross-border processing complaints through the OSS mechanism that were originally submitted by individuals with other EU supervisory authorities. Cross-border processing complaints regarding consent was the largest type, followed by the rights to erasure and access.
The report highlights: “the DPC is no longer a data protection authority with a purely national focus; it has become a supervisory authority with an EU-wide remit, responsible for protecting the data privacy rights of millions of individuals across the EU.” The DPC notes the consequent need for close cooperation and information exchange between it and relevant EU supervisory authorities. In this regard, its OSS Operations unit use the EU IMI system to share information on cross-border cases with other EU supervisory authorities.
Investigations and enforcement
Whilst prosecutions were taken by the DPC under the ePrivacy Regulations in respect electronic direct marketing, the DPC is yet to issue any administrative fines or other sanctions under the GDPR.
By the end of 2018, the DPC had 15 statutory inquiries open in relation to multinational technology companies’ GDPR compliance. 9 of these inquiries commenced in response to complaints, while the remainder were commenced at the DPC’s own volition. The DPC anticipates that some of these statutory inquiries will conclude in 2019 and contribute to answering some of the complex privacy issues related to the ad tech sector.
Some things to note for 2019
The above is a snap-shot of some of the key issues and work-streams identified by the DPC. If you would like to know more on the issues contained in the annual report and how these may impact your business in 2019, please contact a member of our IP/IT team.