Has the tide turned? - DPC Report 2022

The latest report from the Data Protection Commissioner (“DPC”) provides clarity on key privacy questions, demonstrates the DPC’s commitment to enforcement, and signals the office’s determination to ensure public and private organisations honour their obligations regarding individuals’ data rights.

The key takeaway from the DPC’s second annual report is best summed up in the words of Commissioner Helen Dixon;

“...the DPC has demonstrated that it does not shy away from enforcing the law and applying actions where warranted”.

Given the DPC’s remit is to drive GDPR compliance and to protect rights in Ireland and across the EU, as organisations and individuals become more familiar and experienced in the handling of personal data, the Commission has become more punitive in its punishments.

“Both the number – and value – of the fines levied by the DPC against big technology firms…have most visibly demonstrated the GDPR’s ability to enforce effective data protection”.

In fact, two-thirds of the fines issued across Europe last year, including the EU, EEA and UK were issued by the DPC. During 2022, the Commission concluded 17 large scale inquiries, with fines in excess of €1 billion. While the vast majority of these were levied against large technology companies, nearly three quarters of a million euro in fines was directed at non-technology firms as a result of non-compliance.

Prosecutions taken by the DPC demonstrate that while the Commission will issue reprimands and directions to ‘get your house in order’ on a first offence, if there is a subsequent breach or complaint, they will take enforcement action and issue significant fines.

Enforcement Action

In addition to multiple reprimands and compliance orders, the DPC instigated the postponement or revision of seven scheduled internet platform projects which impacted the rights and freedoms of individuals.

In line with its strategy to support vulnerable members of society, the DPC intervened in a number of issues it identified as giving rise to immediate data protection concerns for potentially large groups of individuals. One of these involved the DPC intervening where remote access to CCTV was being used in public and also as a substitute for onsite workplace supervision.

Breaches

The DPC received a total of 5,828 breach notifications in 2022. Of these, a total of 5,695 valid GDPR breaches were recorded, representing a 13% decrease on the breach numbers reported in 2021 and 15% on 2020. In line with previous years, the most frequent cause for breaches reported to the DPC are a result of correspondence inadvertently being misdirected to the wrong recipients, at 62% of the overall total.

RDJ’s 24/7 Cyber Incident Response service experienced a measurable reduction in cyber related breach notification in the immediate aftermath of the conflict in Ukraine. While this reduction might suggest an increased awareness around data security, the trend reversed abruptly in the third quarter of 2022. We are now experiencing a 30-50% increase in hacker attacks compared to previous years. Our experience in RDJ is being mirrored across the market and we expect 2023 to conclude with an increase in data breach notifications to the DPC arising from cyber related breaches.

Public Bodies and Banks continue to be the sectors with the highest number of breach notifications recorded against them, followed by Insurance and Telecoms companies. Similar issues to previous years continue to be reported in terms of notified breaches, particularly in financial institutions.

While the DPC is clear that it is up to controllers to ensure they have complied with their obligations, it monitors the breach reporting closely to inform trends, decide on whether inquiries and/or enforcement action is to be taken.

The DPC identified that near two thirds of the breach notifications in 2022 relate to misdirected correspondence. We anticipate the vast majority of those relate to misdirected emails. Data Loss Preventions (DLP) software tools that mitigate against personal data loss caused by email transmission are now generally accepted and proven in practice.

In accordance with the obligations under Article 32 GDPR to implement measures to ensure security and the obligation to have regard to the ‘state of the art”, it is likely that these tools will, if they have not already done so, soon be regarded as constituting the “state of the art” standard for data security. While organisations remain entitled to balance the cost of implementing DLP tools against the nature, scope and purpose of the personal data being processed by them, before long we expect to see more enforcement action from the DPC for organisations who have not implemented DPL tools but consistently experience personal data breaches.

Individuals’ rights

The DPC processed 9,370 new cases from individuals in 2022, a decrease of 14% from 2021. The DPC encourages resolution by amicable means where possible and more than two thirds of these queries were dealt with relatively expeditiously in that manner with the remainder escalating to a formal complaint-handling process according to the category of issues.

The Report indicates that complaints about access to individuals’ personal data remain the most frequent type of complaint that the DPC receives, making up two in every five of the complaints received in 2022. The Report also notes a marked improvement in the response of public sector bodies to access requests which they attribute to Data Protection Officers gaining experience in this area and to the implementation of improved procedures by these bodies.

The DPC also cites cases studies and examples where decisions of controllers were upheld by the DPC to restrict personal data on the grounds of privilege, and where a school had to balance the rights of the data subject with the rights of the child and custodial parent to redact personal data that could affect the rights of others in accordance with article 15(4). The DPC also affirmed that an access request may be fulfilled by providing the individual with a full summary of their data in an intelligible form provided that the format is sufficient to allow the applicant to become aware of the personal data being processed, check it is accurate and is being processed lawfully.

Prosecutions

There were 4 successful prosecutions under the ePrivacy legislation in respect of two telecom companies (Vodafone Ireland Limited and Guerin Media Limited) for sending unsolicited marketing communications without consent.

The DPC had previously prosecuted Vodafone a number of times for breaching Regulation 13 of the ePrivacy Regulations. In July 2021, the DPC received a complaint from an individual regarding an unsolicited marketing telephone call received from Vodafone, despite the customer having opted out of receiving marketing communications in March 2018. The individual concerned had been included in a marketing campaign as a result of human error. Vodafone pleaded guilty to one charge under Regulation 13(6) of the ePrivacy Regulations. These prosecutions show that while the DPC will issue reprimands and directions to get your house in order on a first offence, if there is a subsequent breach or complaint, they will take enforcement action.

Litigation

Of note, a judgment was made in the case of Aimee Scott v. Data Protection Commissioner (Dublin Circuit Court, 4 May 2022). Ms. Scott had submitted a complaint to the DPC alleging a failure by her employer to comply with an access request, contending that the employer was not entitled to rely on the assertion of legal professional privilege to withhold personal data from release in response to Ms. Scott’s access request. The DPC had concluded in May 2019 that the employer was entitled to the rely on the privilege as asserted. The Circuit Court refused the appeal, accepting the DPC’s position that the employer had made out its case in relation to its asserted entitlement to rely on privilege to withhold from releasing personal data that would otherwise need to be released in response to the Ms. Scott’s access request. No order as to costs was made. Ms. Scott has lodged an appeal on a point of law with the High Court.

The Dublin Circuit Court dismissed a separate appeal involving the same appellant on 17 November 2022. Ms. Scott had made a complaint to the DPC alleging that a barrister had unlawfully processed her personal data in the context of carrying out a potential conflict of interests search before accepting instructions to act in a case for Ms. Scott’s former employer. The DPC had found that the GDPR did not apply at all, on the grounds that Ms. Scott’s personal data had been the subject of verbal disclosure only. Without prejudice to that point, the DPC found that, even if the GDPR had applied, the complaint could not be upheld because Ms. Scott’s personal data was processed lawfully, by reference to the legitimate interests identified as being engaged in that case. The Circuit Court dismissed an appeal by Ms. Scott. Ms. Scott had lodged an appeal with the High Court.

Compensation cases

The Report notes the continuing trend for only conservative compensation rewards, if any at all, in EU cases that have progressed to hearing. The first compensation case under s.117 of the Data Protection Act 2018 to proceed to hearing in Ireland remained consistent with this trend. The case concerned the Service Industrial Professional and Technical Union (SIPTU) inadvertently sending an email with the names and addresses of the claimants to a group of 212 other SPTU members. The Circuit Court judge dismissed the case, ordering the claimants to pay their own costs. It was found that proof of more than minimal loss was necessary and that no evidence was presented of any actual loss suffered by the claimants resulting from the email distribution. See previous RDJ insight for further analysis on s 117 here.

Children’s Data Protection Rights

The DPC produced 3 short guides for children on their data protection rights. These are aimed at children aged 13 and over, as this is the age at which children can begin signing up directly for many forms of social media. The protection of children online is one of the main priorities of the DPC. It has engaged with regulators and large platform providers to review their policies and procedures to combat child sexual abuse and made recommendations in areas of transparency. That work continues and is a priority under the 2022-2027 regulatory strategy.

Consultation

The DPC provided guidance and observations on 30 proposed legislative measures in 2022. It also continued its engagement with DPOs, stakeholders, government departments, state agencies and advocacy groups across all sectors on a wide range of issues.

The DPC engaged in a multi-stakeholder engagement during 2022 to resolve issues arising from the online publication of personal data provided to local authorities in the course of the planning process. The DPC noted that the requirement to publish information relating to planning applications must be balanced with the legitimate privacy concerns and data protection rights of individuals, particularly where applicants submit special category data in support of their application. A set of principles was collectively developed by governmental bodies and the DPC to ensure that an appropriate balance is struck.

The DPC also consulted with various technology multinationals throughout 2022. The DPC undertook a high-level review of ‘Workspace’ Google Cloud Privacy Notice, and several recommendations were made to improve contextual transparency including in relation to the definition of terms used and retention periods as well as other transparency requirements.

In June 2022, TikTok announced that changes were being made to its Privacy Policy, including the change in lawful basis for personalized advertising from consent to legitimate interest. Following an intervention by the DPC, TikTok agreed to pause the change in lawful basis to allow for further assessment by the DPC and other supervisory authorities. The DPC subsequently raised a number of concerns with the company. In the view of the DPC and other supervisory authorities, TikTok had not sufficiently demonstrated that it could rely on a legitimate interest ground. Engagement with TikTok is ongoing.

Cross-border Complaints & the One-Stop Shop

The DPC received 125 valid cross-border complaints as Lead Supervisory Authority. Of these, 71% were concluded by the end of 2022.

Of the complaints lodged with the Irish DPC from individuals living in Ireland that relate to the actions of a company in another EU member State, 48% have had a resolution via other EU data protection authorities. Of complaints handled by the DPC redirected by other EU authorities, the DPC has resolved 71%.

The Commissioner notes that the One-Stop-Shop operation is not serving individuals well in relation to cross-border complaints. An example is given of a complaint lodged by an Irish citizen with the DPC in 2019 regarding a German company from which they were seeking a spare part. The company had passed on the complainant’s details, without their consent, to a UK supplier who had the part. The DPC referred the complaint to the relevant German authority. However, despite the simplicity of the issue, the matter took more than three years to resolve due to what the Commissioner describes as “the unnecessarily protracted process required by the operation of the One-Stop-Shop”. The Commissioner also noted that the One-Stop Shop involves the transmission of the complainant’s personal data around an unnecessarily large number of investigative staff in various EU data protection authorities. The issue, the Commissioner says, requires examination by legislators to improve the timeliness and appropriate handling of decisions.

Supervision

The DPC received 322 consultation requests during 2022. The Report describes the benefit of supervision as being two-fold. The first is that engagement with organisations, policy makers and legislators enables the DPC to understand the ways in which personal data is being processed by data controllers and processers. The second is that supervision enables the DPC to proactively identify data protection concerns. In the case of a new product or service, supervision also allows the DPC to ensure that organizations are aware of their compliance obligations in advance of the commencement of processing personal data.

What can be expected in 2023 and beyond?

The Commissioner recognises that 2022 saw the conclusion of various enforcement actions which are anticipated to bring clarity to the application and enforcement of the GDPR and Data Protection Laws. The Commissioner reports that 2023 will see the commencement of elements of the Data Services Act and Digital Marketing Act together with the Online Safety and Media Regulation Act in Ireland together with the entry of regulators of digital platforms.

The Commissioner acknowledges that “the road ahead is long” and that 2023 will bring with it more decisions from the DPC’s office, judgements from the Court of Justice of the European Union and litigation involving the DPC being heard in Ireland as “they continue to pursue the issues of greatest consequence for data subjects, drive compliance, and, most importantly, safeguard individuals’ rights”.

This article first appeared in Legal Island. For further information, visit www.legal-island.com.