We use cookies to collect and analyse information on site performance and usage to improve and customise your experience, where applicable. Click OK to use our website.

Data Protection Commission contacted 6,000 times in month GDPR transposed

14 Dec 2018 / data law Print

DPC contacted 6,000 times in month GDPR transposed

The Data Protection Commission (DPC) has described the first five months of 2018 as a “truly extraordinary” time.

The DPC annual report reveals that, in the first five months of the year, there were 1,046 complaints resolved, a total of 1,198 breach notifications handled, and a range of audits and inspections concluded.

Over 9,900 emails and 10,200 telephone calls were received during the period — an increase of around 30% on the preceding six months, and a total of 22,000 contacts.

May, the first month of the transition of the General Data Protection Regulation (GDPR), saw 6,000 contacts made and an average of 270 per working day.

The office of the Data Protection Commissioner ceased to exist with the implementation of the GDPR in Ireland, in May 2018.

The new DPC was created under the Data Protection Act 2018, which also gave effect to the GDPR.

In April 2018, arising from proceedings initiated by the DPC in May 2016, the Irish High Court issued its reference case for a preliminary ruling to the Court of Justice of the European Union, seeking its judgment in relation to the validity of Standard Contractual Clauses (SCCs) to legitimise transfers of EU personal data to the United States.

Case law

In a range of other Circuit Court and High Court litigation, the DPC contributed to the growing body of case law, interpreting data protection principles and provisions.

The DPC’s total staff cohort now numbers 110. Commissioner Helen Dixon describes as “extremely encouraging” the genuine efforts of organisations to deliver on GDPR standards.

She describes as a huge success a 23 January event at Dublin Castle, when global firms such as HP and MasterCard, with multi-million-euro data protection and privacy programmes, demonstrated in very pragmatic ways how they are implementing the accountability provisions of the GDPR.

The commissioner says in the annual report that the seminar led to higher levels of practical knowledge in Ireland regarding what the GDPR requires.

Transparency

She cautions, however, that the world’s most innovative companies have yet to come up with equally innovative solutions to deliver real personal data transparency and useful information to users, while delivering a positive user experience.

With regard to Facebook’s misuse of personal data, the commissioner said that many people now understood the basic revenue model of free internet services that rely on collecting data for targeted advertisements, but were shocked to discover that their data could end up in the hands of third parties seeking to influence election outcomes.

She described the need to find an effective means to be truly transparent with users as “critical”.

“We are focusing on Facebook’s ability to govern and oversee, in a comprehensive and effective manner, the activities of app developers, especially their capacity to swiftly identify and respond to ‘bad actors’ and misuse of personal data.

“The controversy surrounding the use of Facebook user data by third parties also highlighted the need for better user awareness on how to take control of settings available on social media platforms that curtail the collection and use of user data,” the report says.

Systemic issues

The Data Protection Commission also identified ‘systemic issues’ with online CV platform LinkedIn and is auditing the tech business over its security around non-member data and its retention of such data.

The move follows a complaint to the DPC by a non-LinkedIn user concerning the site’s use of the complainant’s email address for the purpose of targeted advertising on Facebook.

The DPC probe revealed that LinkedIn Ireland, through their US parent, had, without instruction, processed the hashed [anonymised] email addresses of 18 million non-LinkedIn members, and targeted these individuals on Facebook.

The DPC’s annual report reveals that “the audit identified that LinkedIn Corp was undertaking the pre-computation of a suggested professional network for non-LinkedIn members.

“As a result of the findings of our audit, LinkedIn Corp was instructed by LinkedIn Ireland, as data controller of EU user data, to cease pre-compute processing and to delete all personal data associated with such processing prior to 25 May 2018,” the report states.

1,249 complaints

The DPC received 1,249 complaints during the first five months of 2018, with 45% of those (or 571) concerning access rights to data.

The majority of complaints were resolved amicably but 12 formal decisions were issued. And 1,198 valid data security breaches were recorded.

And 41 new complaints were probed under e-privacy regulations in respect of various forms of electronic direct marketing. Of these, 24 related to email, 16 to text message, and one to telephone marketing.

District Court prosecutions

A total of 62 direct marketing investigations were completed, with three leading to successful District Court prosecutions in respect of 46 e-privacy offences.

These prosecutions resulted in convictions on four samples charges, and the application of the Probation of Offenders Act in relation to three charges.

Of the 1,249 complaints received in the first five months, 14 related to accuracy, 18 to excessive data, 19 to internet search-result delisting, 21 to a right of rectification, 22 to failure to secure data, and 85 to electronic direct marketing. One complaint related to biometrics, and 168 to unfair processing of data.

The DPC’s Special Investigations Unit (SIU) was established in 2015, primarily to carry out investigations on its own initiative, as distinct from complaints-based investigations.

Personal information

In January 2018, the SIU was represented at a prosecution at Letterkenny Circuit Court at which the defendant, a former civil servant at the Department of Employment Affairs and Social Protection, was accused of a number of offences of receiving corrupt payments between 2008 and 2010 from two private investigators, in exchange for supplying them with personal information held on the computer database of his then employer, the Department of Employment and Social Protection.

At the hearing, the defendant pleaded guilty to 12 sample counts out of a total of 41 charges relating to breaches of section 1(1) and (4) of the Prevention of Corruption Act 1906, as amended by section 2 of the Prevention of Corruption Act 2001. [MARY – UNLINK ‘the’.]

The Court sentenced the defendant to two years’ imprisonment on each of the 12 counts, to run concurrently, with the final year suspended. The DPC welcomed the outcome of this case, which followed separate investigations by An Garda Síochána and the DPC.

From 1 January to 24 May, the DPC received 1,250 data-breach notifications under the Personal Data Breach Code of Practice — of which 52 cases (4%) were classified as non-breaches.

Therefore, a total of 1,198 valid data security breaches were recorded by the DPC out of a total of 12,795 valid data-breach notifications.

The report says that, while many organisations have effective ICT security measures, SMEs in particular do not take proactive steps to review these measures, or train staff to ensure awareness of evolving threats.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland