A rise in complaints and queries made to her office demonstrates a “new level of mobilisation” to tackle data misuse.
Helen Dixon’s view is borne out by the figures, which show a total of 2,864 complaints received in the period, with the largest single category (977) being access rights. There were 1,928 GDPR complaints, with 868 concluded so far.
The majority of complaints were handled informally, but 18 formal DPC decisions were issued. Of these, 13 complaints were upheld, and five were rejected.
A total of 32 new complaints were investigated under SI 336 of 2011 in respect of various forms of electronic direct marketing. Of these, 18 related to email marketing, 11 related to text marketing, and three concerned telephone marketing.
There were successful District Court prosecutions against five entities in respect of 30 offences under e-privacy regulations.
A total of 3,542 valid data breaches were recorded, with ‘unauthorised disclosures’ the largest single category.
A total of 38 of these data breaches related to 11 multinational tech companies.
The DPC special investigations unit opened 31 inquiries into surveillance of citizens by the State for law-enforcement purposes, with the use of tech such as CCTV, body cameras, automatic number plate recognition, and drones.
And 15 statutory inquiries were opened into big-tech firms in relation to GDPR compliance.
The DPC also reports a strong response from both industry and the voluntary sectors as they seek to put their houses in order.
Over 1,000 data protection officers have been appointed across Ireland, to embed effective protection policies across their organisations.
Over 4,000 data protection breaches have been notified to the commission.
The annual report details strong engagement with DPC guidelines for mitigating losses for affected individuals, and learning from the breaches.
The commissioner writes that emerging case law, together with long-term dialogue and evolving societal norms, will lead to new context-based solutions and a better data protection environment for all.
Helen Dixon says that the principles-based nature of GDPR often requires clarification, but that she is optimistic at the level of take-up in improved data-handling practices.
The DPC continues to assign large-scale resources to examining the Public Services Card (PSC), its registration system, and the mandatory requirement to produce it for certain State services – to the exclusion of other forms of ID.
DPC probes into data handling at tech giants Facebook, Apple, Twitter, LinkedIn, WhatsApp and Instagram will be concluded this year, the commissioner pledges.
The analysis and conclusions will set the precedents for better implementation of the GDPR across key aspects of internet and ad tech services, Helen Dixon says.
The DPC is also examining the question of how and when minors can exercise their own rights, independently of parents and guardians, by signing up for free apps, and how their stated age should be verified by service providers.
When a ‘best-practice’ code is produced, industry sectors will be asked to adopt this as a code of conduct.
Salient case law
Helen Dixon anticipates much salient case law from the Court of Justice of the EU (CJEU) this year.
“The Advocate General’s opinion and CJEU ruling in the Planet49 case are eagerly awaited to provide guidance on cookie-based transparency and consent,” she writes.
“Equally, it is anticipated that the High Court reference case from Ireland on the validity of standard contractual clauses (SCCs) will also be heard and decided this year.”
This refers to the DPC’s High Court litigation on the validity of SCCs as a transfer mechanism in respect of EU-US data transfers.
In July, the Supreme Court granted leave to Facebook, allowing it to bring its appeal against the judgments delivered by the High Court in favour of the DPC on 3 October 2017 (as revised on 12 April 2018).
During late 2018, there were several procedural hearings in the Supreme Court in preparation for the hearing of the appeal proper, which took place in January.
The Supreme Court judgment has not yet been delivered.
The DPC now has 135 staff and expects to recruit 30 more this year.
GDPR CASE STUDY
The DPC fully exonerated the Department of Foreign Affairs and Trade (DFAT) in a complaint made against it in relation to data handling.
The DPC’s annual report details an allegation made against the DFAT Cairo (Egypt) mission that a complainant’s personal data had been shared with a third party (his employer) without his knowledge or consent.
The case concerned a short-term visa application to sit an exam in Ireland, which was then processed for accuracy, completeness, and the validity of supporting documents.
The complainant’s employer, an Egyptian government agency official, was contacted to verify the validity of a document he had allegedly signed.
The employer confirmed that he would need to see the document to verify it, but that, as he did not have an official email address, the only way to receive it was via WhatsApp.
DFAT then carried out a local risk assessment and concluded that, in light of the end-to-end encryption on WhatsApp, this was the most secure means of transmission available.
Many government officials and civil servants in Egypt do not have access to official email accounts/systems and often use services such as Gmail, Hotmail, WhatsApp and Viber to carry out official business.
The Cairo mission official was ultimately informed that the documents were fraudulent and the visa application was denied.
The complainant then informed the DPC that he was seeking €3,000 in compensation from the DFAT, as the lost cost of sitting the exam in Ireland.
When the DPC informed the complainant that it did not have the power to award compensation, the complainant requested a formal decision from the DPC on whether a contravention of the GDPR had occurred.
The DPC investigated and was satisfied that it was necessary for the DFAT to share the complainant’s personal data in order to verify the information supplied.
The DPC was also satisfied that, given the lack of any other secure means to contact the official in question, the transmission via WhatsApp was necessary to process the documents and that the complainant had been put on notice that supporting documentation could be shared with third parties to verify authenticity.
The DPC also took account of the fact that the local risk assessment carried out by DFAT had established that, in the circumstances, sending the personal data via WhatsApp was the most secure means of transmission.
Accordingly, the DPC found that DFAT had complied with the acts.
“In this case, the key data-protection principles of necessity and proportionality, applied against the unique context of the processing in question, resulted in the DPC reaching a finding of compliance with the acts,” the DPC concluded.