Key Takeaways: The Data Protection Commission’s Annual Report for 2019
By Sarah Slevin & Maeve Lowry
25 February, 2020
The Data Protection Commission (“DPC”) recently published its 2019 Annual Report (the “Report”), marking the end of the first full calendar year of the General Data Protection Regulation (“GDPR”).
Complaints made to the DPC
The Report begins, as usual, with an overview of the complaints made to the DPC during 2019. A review of the “quantity and quality” of complaints made is always a revealing undertaking as it demonstrates levels of public engagement with data protection, the nature of bodies against which complaints are being made and the areas in which compliance issues are arising. It reveals that a total of 7,215 complaints were made, a 75% increase on the number of complaints made during the same period in 2018.
6,904 of the complaints made to the DPC were made under GDPR, while the remainder of the complaints came under its predecessors, the Data Protection Acts 1998 and 2003. In terms of the complaints made under GDPR, the Report details that 1,252 of these were being actively assessed at the year-end, 1,098 were proceeding to complaint-handling, and 4,554 complaints (66%) had been concluded within the year.
As has been the trend in recent years, the majority of complaints received by the DPC related to denied access to records. The Report sets out the top five categories of complaints, as shown here:
The Report advises, in relation to this most common category of complaint, that “it is important for controllers to remember that the right of access is a fundamental right, so there is a presumption in favour of disclosure on the part of controllers.”
Data breach notifications
The introduction of GDPR brought about mandatory data breach notification obligations for all data controllers. 2019 saw a total of 6,069 valid data breaches reported to the DPC, representing an increase of 71% on the number of notifications in 2018.
The Report states that “[t]he DPC has observed an increase in the number of repeat breaches of a similar nature by a large number of companies. This is most apparent in the financial sector, where the majority of breaches appear to be related to unauthorised disclosures.” Indeed, unauthorised disclosures overwhelmingly represent the highest classification of notified breach, accounting for 83% of all reported breaches.
Beyond the financial sector, unauthorised disclosures made by Tusla, the Child and Family Agency, have generated media headlines in the wake of the Report. Tusla was the subject of three DPC statutory inquiries, with one inquiry relating to three separate incidents of unauthorised disclosure. It is reported that in one breach, Tusla accidentally disclosed the location of a woman and child to their abuser, while in another breach Tusla disclosed information on children in the care of the state to their imprisoned father, allowing him to contact them.
The Report advises that controllers can take simple steps to mitigate the number of breaches relating to unauthorised disclosures. Examples provided in the Report include: staff training; stringent password policies; multifactor authentication processes for remote access; and habitual updates of anti-virus and anti-malware software.
Statutory inquiries
The DPC conducts two types of statutory inquiry: a complaint-based inquiry, and an inquiry of the DPC’s own volition. The purpose of either inquiry is to make a formal decision as to whether there was an infringement of GDPR and, where there was, to determine whether corrective measures such as fines should be applied. As of the year-end, the DPC was conducting 70 statutory inquiries.
In addition to the DPC’s inquiries into Tusla, the Report has made headlines because 21 of the 70 statutory inquiries involve multinational technology companies, many of which have their European headquarters in Dublin, making the DPC their lead supervisory authority under the GDPR’s “one stop shop” mechanism. The subject of the inquiries into these tech giants varies from access request issues in the case of Apple Distribution International to a security incident concerning the storage of passwords in the case of Facebook Ireland Limited.
Other ongoing statutory inquiries of note include an inquiry into 31 local authorities and An Garda Síochána regarding the use of CCTV, body cameras and other recording technology, and an almost concluded investigation into Independent News and Media concerning potentially unlawful disclosure of data to third parties.
At present, Ireland stands as one of only seven countries that have yet to apply a corrective measure as a result of inquiries. This fact has led to criticism being levelled at the DPC by privacy activists and to allegations from the authority’s German counterparts that it is ‘overwhelmed’. The merits or otherwise of this commentary, although part of an interesting and deeper analysis of the (potential) success of the GDPR as a guardian of data rights, is a discussion for another forum. Although widely anticipated, given that a number of inquiries will be coming to a close this year, it remains to be seen whether the DPC will use this power in 2020.
Supervision, consultation and communication
On a more positive note, the supervisory and consultancy work of the DPC during 2019 is something with which the Commissioner, Helen Dixon, is clearly and correctly pleased, as it aims to promote good practice and increase public awareness of rights and obligations under GDPR.
The Report details that preparations for Brexit made up a considerable body of this work for 2019, with the DPC having issued guidance to help prepare for both “deal” and “no deal” scenarios, given talks to a range of sectors, provided direction to government departments and agencies, and assisted a broad range of organisations seeking to establish in Ireland.
The DPC received 1,420 general consultation queries during 2019. Queries were received from a variety of sectors, though interestingly 44% of all queries received came from the “private/financial” sector.
There is a mandatory obligation under GDPR to consult with the DPC on legislative proposals involving the processing of personal data. The Report provides a non-exhaustive list of the legislation advised on by the DPC during 2019, including the Adoption (Information and Tracing) Bill 2016 and the Housing (Regulation of Approved Housing Bodies) Bill 2019.
The DPC’s 2019 Annual Report draws the first full calendar year of GDPR to a close. The Report marks a year of successes for the DPC and clearly demonstrates the application of GDPR throughout the country and across all sectors. However, the Report also indicates that there is much more to be done by the DPC and controllers alike in 2020 and beyond. Persistent questions regarding the DPC, in the context of its investigation of, and relationship with, multinational technology and social media companies, the adequacy of its funding and staffing, and the quality and responsiveness of its output, are unlikely to abate in 2020.
Looking to the future, Ms Helen Dixon writes that “2020 is going to be an important year” as “[m]uch more remains to be done in terms of both guiding on proportionate and correct application of this principle-based law and enforcing the law as appropriate.”
GDPR is due to turn two on 25 May 2020 and a review of the regulation is anticipated for the anniversary. This review will focus further attention on the DPC, the work it has done and the work it has yet to do.