The Data Protection Commission (“DPC”) recently published its 2022 annual report (the “Report”) covering its regulatory activities between 1 January 2022 and 31 December 2022.
The Report highlights that the DPC concluded a number of large-scale inquiries in 2022 resulting in decisions on infringements and in many cases the imposition of corrective measures. 2022 also saw the value of fines issued exceed 1 billion euro, which equates to two-thirds of the total fines issued by data protection supervisory authorities across the EEA and the UK last year.
Notable highlights include:
Ongoing trends and comments
Data breach notifications
The Report identifies public sector bodies, financial institutions, insurance firms and telecom companies in the top twenty organisations for data breach notifications. It mentions decisions and reprimands against Bank of Ireland, An Garda Síochána and Limerick County Council in relation to this issue.
The Report noted in particular that, following the publication of its decision against Bank of Ireland, the DPC saw an upswing in reports from other financial institutions. It attributed this trend to organisations applying “the learnings from the Bank of Ireland decision to their own processing operations and proactively seeking to address any gaps in their operating practices”.
The Report gives a unique insight into how the DPC currently experiences significant frustration in the deployment of the One-Stop-Shop mechanism (“OSS”) and the handling of cross-border complaints. Only 48% of complaints which were lodged with the Irish DPC and which related to a company established in another EU member state (and thus forwarded to their respective supervisory authority) were resolved.
An example is given of a case that began in 2019, in which an Irish citizen lodged a complaint with the DPC against a German company in respect of an alleged unauthorised disclosure of their personal data, which the DPC referred to the competent German authority. The need to translate communications between English and German, the back and forth between the supervisory authorities and the transmission of personal data “around an unnecessarily large number of investigative staff in various EU data protection authorities” led to significant delay before a decision was ultimately reached by the German authority. The Commissioner commented that “this issue requires examination by legislators to improve the timeliness and appropriate handling of decisions for EU citizens”.
The DPC noted that six of its fines, ranging from 1,500 to 17 million euro, were confirmed by the Dublin Circuit Court and the collected fines were transferred to the Irish exchequer. However, a number of the large-scale fines (amounting to over 1 billion euro) are subject to appeal and judicial review proceedings through the Irish courts. These appeals may also entail references to the Court of Justice of the European Union over matters of interpretation of the GDPR. Accordingly, between the OSS and various means of cooperation between EU supervisory authorities in finalising decisions, the GDPR has “created something of a legal maze that requires constant navigation, building an ever more complex landscape for litigators”.
Areas of focus
In terms of immediate direct intervention, the DPC prioritised in 2022:
The DPC also noted that it is particularly aware of the issues certain sub-groups of the population are facing in ensuring their data protection rights are upheld, including the elderly, non-native speakers and the homeless.
The GDPR requires the DPC to continuously engage with other supervisory authorities and the European Data Protection Board (“EDPB”). In 2022, this resulted in contributions to over 300 EDPB meetings. Similarly, staff from the DPC presented at 88 events, contributed to over 30 pieces of proposed legislation and received 322 consultation requests from a variety of stakeholders.
The Report notes that the DPC has brought about the postponement or revision of multiple scheduled internet platform projects. In this regard, it cites its engagement with TikTok’s announcement of a change to its legal basis for providing personalised advertising, with the online publication of planning data and with the migration of customer data from KBC to Bank of Ireland.
Building on the publication of its final guidance on Fundamentals for a Child-Oriented Approach to Data Processing, the DPC issued three new guides aimed at informing and educating children on their data protection rights and safety online. It also participated in EUCONSENT, an EU funded project to create a framework for age verification and parental consent controls.
The DPC concluded 17 large-scale inquiries over the course of 2022. These included reprimands issued against Slane Credit Union, Twitter and Airbnb.
In terms of notable fines issued by the DPC:
The DPC may conduct two different types of statutory inquiry under section 110 of the Data Protection Act 2018. These may be commenced on foot of a complaint received from a member of the public, or on the DPC’s own initiative. In a national context, the DPC has disclosed details of a number of inquiries currently ongoing:
Ongoing cross-border inquiries
Whilst the DPC concluded over 100 cross-border cases in 2022, it has 22 large-scale inquiries ongoing. These inquiries require consultation with other concerned European supervisory authorities, and consequently, can be subject to significant delay if faced with objections. Some of the cross-border inquiries currently being progressed by the DPC include:
What’s next for 2023?