“When EU competition-law rules were first introduced in 1962, it was a further number of years before the first significant decision in the Grundig case issued, and a number of years beyond that again before the first fine was issued.
“Equally, EU competition investigations [the fining regime in the GDPR is based on EU competition law], on average, take a number of years to complete,” Dixon says.
“As a responsible regulatory body, we are wary of demands for quick-fix solutions and calls for the summary imposition of heavy penalties on organisations for data-protection infringements, at least some of which may be based on the application of principles on which there is not always consensus,” the data protection commissioner says.
“While acknowledging that the administrative fines’ mechanism represents an important element of the drive toward the kind of meaningful accountability heralded by the GDPR, we must also recognise that, like any other part of our laws, data-protection principles operate within a broader legal context and so, for example, the application and enforcement of such principles by a statutory regulator will always be subject to the due process requirements mandated by our constitutional laws and by EU law,” Helen Dixon says.
“These are constraints that cannot (and should not) be set to one side in some arbitrary fashion or for the sake of expediency.”
The report details a range of important EU developments, including instructive CJEU judgments (such as Fashion ID and Planet49), the Advocate General’s opinion on the SCCs data-transfer litigation, and the world’s largest data-privacy financial penalty (the $5bn imposed by the Federal Trade Commission on Facebook).
1,500 DPOs notified to DPC
In Ireland, 1,500 data protection officers (DPOs) were notified to the DPC in 2019, all within public-sector and large data-processing organisations, ensuring that data subjects’ rights are considered in all projects.
The DPC says that, across Europe, smaller SMEs are asking for more help to identify reasonable and appropriate implementation measures, and for a stronger sectoral focus on the guidance issued.
At least 40% of DPC resources are devoted to the handling of individual complaints rather than on large-scale, more systemic investigations.
Disputes between employees and employers or former employers are a significant theme of complaints lodged with the DPC, often around a disputed access request.
Litigation by individuals against DPC decisions that their data-protection rights were not, in fact, breached at all makes up a significant proportion of the litigation the DPC is subject to in the courts today, the annual report states.
This is driven by the fact that neither the Workplace Relations Commission nor the Labour Court can order discovery in employment claims, which makes reliance on access requests as adjudicated by the DPC central to many of these cases.
Telcos and banks remain among the most complained-about sectors to the DPC, with complaints essentially focussing on account administration and charges.
Given that these sectors are heavily regulated in Ireland, the DPC says that it is disappointing that core consumer-protection issues cannot be sorted out internally, without the need for consumers to lodge complaints with the DPC.
Complaints against internet platforms have also grown in volume, mainly about management of individuals’ accounts and, in particular, their rights to data erasure when they leave a platform.
Dixon says that many people feel confused about their rights with regard to their personal data.
The DPC intends to increase its efforts to produce more case studies, and to draw out the lessons from a consumer point of view, but the commissioner says that she is encouraged that people are broadly aware of their rights under GDPR, and keen to know how to exercise them.
The DPC is also engaged heavily with expert stakeholders in the area of children’s digital rights, and will continue to encourage big-tech platforms to sign up to a code of conduct on children’s data processing.
“We aim by the end of 2020 to have facilitated the progression of big tech towards a code of conduct to better protect children online,” the DPC says.
“The drive in the US to implement more and more privacy legislation is a sign that ‘enough is now enough’ in terms of tolerating unnecessarily invasive data-privacy practices and technologies,” the commission warns.
The annual report reveals the following:
- 7,215 complaints were received, representing a 75% increase on the total number of complaints (4,113) received in 2018,
- 5,496 complaints in total were concluded in 2019,
- 6,069 valid data security breaches were notified, representing a 71% increase on the total number of valid data security breaches (3,542) recorded in 2018,
- Almost 48,500 contacts with the DPC included 22,200 telephone calls and 22,300 emails,
- By year-end 2019, the DPC had 70 statutory inquiries in hand, including 49 domestic inquiries,
- Six statutory inquiries were opened in relation to multi-national technology companies’ compliance with the GDPR, bringing the total number of cross-border inquiries to 21,
- 165 new complaints were investigated under statutory instrument no 336 of 2011, in respect of various forms of electronic direct marketing: 77 related to email marketing; 81 to text-message marketing; and seven to telephone marketing. Prosecutions were concluded against four entities in respect of nine offences under the ePrivacy Regulations.
- 6,904 complaints were dealt with under GDPR, and 311 complaints under the Data Protection Acts 1988 and 2003,
- The DPC issued 29 ‘section 10’ statutory decisions under the Data Protection Acts 1988 and 2003. Of these, 13 decisions fully upheld the complaint, seven rejected the complaint, and nine partially upheld the complaint,
- 207 data-breach complaints were handled by the DPC from affected individuals, and
- 6,069 valid data security breaches were recorded, with the largest single category being ‘unauthorised disclosures’.
The DPC dealt with concerns relating to the role and use of the Public Services Card, the use of CCTV, particularly in the context of neighbour disputes and the application of the domestic exemption (see this month’s cover story), and access requests on behalf of children.
Some requests related to closed medical practices (often due to the death of a practitioner), with patients unable to establish who was now in control of their personal data.
Concerns were also received about HR/employment disputes, specifically workplace surveillance, as well as about the sharing of information in the context of disputes and the redaction of third-party data in response to employee-access requests.
The DPC also dealt with concerns about exam information — in particular queries relating to examiner’s notes and photography consent, publication, and artistic exemptions.
Access requests accounted for 1,971 cases (or 29%), disclosure for 1,320 (19%), fair processing 1,074 (16%), marketing complaints 532 (8%), and the right to erasure 353 (5%).
In 2019, the DPC was consulted on, among other matters:
- The Adoption (Information and Tracing) Bill 2016,
- Future funding of public service broadcasting,
- Body-worn cameras for An Garda Síochána,
- Amendments to the Electoral Act 1992, to allow for the establishment of the Citizens Assembly 2019 and the Dublin Citizens Assembly,
- The Civil Registration Bill and the Defence Forces (Evidence) Bill 2019,
- Disabled drivers and disabled passengers’ fuel grant,
- Registrar of Beneficial Ownership of Companies and Industrial and Provident Societies,
- Gender Pay Gap Information Bill 2019,
- Housing (Regulation of Approved Housing Bodies) Bill 2019,
- Judicial Council Act 2019, and
- Microchipping of dogs regulations.
“Given the pervasive nature and scope of online tracking, and the inextricable links between such tracking and cookie technologies and ad-tech, we will place a strong focus on compliance in this area,” the annual report says.