

Threefold increase in e-privacy breaches notified to DPC
Data Protection Commissioner Helen Dixon

07 Mar 2023 / data law

DPC sees threefold increase in e-privacy breaches

The number and value of Data Protection Commission fines against big tech have most visibly demonstrated the GDPR’s ability to enforce effective data protection.

That’s according to the Commissioner for Data Protection Helen Dixon, launching the annual report for 2022, which details more than €1 billion in punitive fines against the tech sector, as well as multiple reprimands and compliance orders imposed.

The Commissioner for Data Protection Helen Dixon commented that “the DPC does not shy away from enforcing the law and applying sanctions where warranted.

Two-thirds of European fines 

“Two-thirds of the fines issued across Europe last year, including the EU, EEA and UK, were issued by the DPC on foot of detailed and comprehensive investigations, a fact that underlines both the outsized role, and exceptional performance, of the organisation in effectively holding those guilty of non-compliance to account,” Dixon added.

Such fines show the regulator’s willingness to use its corrective powers to avoid transgressions and improve corporate behaviour, the report states.

Such comprehensive enforcement action has brought clarity to the many novel and complex issues that arise under the GDPR, the report continues.

17 large-scale inquiries

The DPC concluded 17 large-scale inquiries and, as at 31 December 2022, four draft decisions were in the EU co-decision making process (Article 60 GDPR) and one was in the EU dispute-resolution mechanism (Article 65 GDPR).

In 2022, the DPC:

  • Processed 9,370 new cases (6,660 queries and 2,710 complaints),
  • Concluded 10,008 cases (6,875 queries and 3,133 complaints), including 1,920 complaints received prior to 2022,
  • Received 125 valid cross-border complaints (as lead supervisory authority) and concluded 246 cross-border complaints,
  • Received a total of 5,828 valid breach notifications,
  • Brought about the postponement or revision of seven scheduled internet-platform projects with implications for the rights and freedoms of individuals.

In November 2022, the DPC had its decisions to impose administrative fines, ranging between €1,500 and €17 million, confirmed in the Dublin Circuit Court.

All of these fines have been collected and transferred to the central exchequer in Ireland.

Direct-marketing investigations

A total of 207 electronic direct-marketing investigations were concluded in 2022, while two telco companies were successfully prosecuted for four separate charges of sending unsolicited marketing communications without consent.

Last year, the DPC received 5,828 personal data-breach notifications. A total of 5,695 valid GDPR data breaches were recorded, representing a 13% decrease (854) on the 2021 figure.

Unauthorised disclosures

In line with previous years, the highest category of data breaches notified related to unauthorised disclosures, with 62% concerning a small number or one individual.

Of the 5,828 breach notifications, 3,014 related to the private sector, 2,568 to the public sector, and the remaining 246 came from the voluntary and charity sector.

The DPC received a total of 105 valid data-breach notifications, an increase of 176% on the 2021 figure, under the ePrivacy Regulations, which accounted for just under 2% of total valid breach cases notified for the year.

The number of breaches notified under the ePrivacy Regulations increased significantly in 2022, due to changes in e-privacy legislation. The 105 valid data breaches notified to the DPC in 2022 represent a three-fold increase on the previous year’s figures.

Regulatory coherence

The DPC also became a founding member of Ireland’s first Digital Regulators Group, to help integrate communication with Government and drive regulatory coherence ahead of pending legislative changes at EU level.

It also produced seven pieces of substantial new guidance, including three short guides for children on their data-protection rights, and updated 11 pieces of existing guidance.

In March, Bank of Ireland was fined €463,000 and reprimanded under the GDPR, while, in September, Instagram received a whopping €405-million fine for breaches. Facebook was fined €265 million for data-scraping in November.

Data minimisation case

An inquiry into Airbnb Ireland followed a complaint that Airbnb had unlawfully requested a copy of ID in order to verify the complainant’s identity, where that person, as a registered member and host with Airbnb, had not previously provided ID to the firm.

The complaint was that Airbnb had failed to comply with the principle of data minimisation when requesting a copy of the individual’s ID in order to verify their account.

In its draft decision, the DPC agreed that a legitimate interest existed in Airbnb ensuring it had adequate safety and security measures in place to protect users of the platform, since they might actually meet in person.

The DPC took the view that the service operated by Airbnb was significantly different to a purely online service, such as a social-media platform.

The DPC found that, in a balancing test, the rights of the host were not prejudiced by this verification process. 

CCTV surveillance concerns

In early 2022, the Data Protection Commission received a Data Protection Impact Assessment (DPIA) from a local authority seeking to implement an expansive CCTV scheme for 24/7 surveillance of certain high-crime areas. The proposed locations for the cameras were primarily open public spaces, but some could capture images from the upstairs windows of private dwellings.

The DPC raised a number of concerns about this planned data processing, emphasising the necessity for robust security measures, the need to respect the privacy rights of residents, and the responsibility on the local authority, as a data controller, to protect the public and mitigate the risks.

In response, the local authority decided to disable the auto-scan and roaming capabilities of all cameras, and also chose to turn off a number of the cameras, following a further ‘necessity’ analysis.

In response, the local authority implemented staff training, strict access controls, shortened retention periods, strict procedures to view and download footage, an oversight board, and other measures.

The local authority also revised its plans for 24/7 monitoring by default to monitoring only at the direct request of an Garda Síochána.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland