Highlights of the Data Protection Commission’s 2021 Annual Report

The Data Protection Commission (“DPC”) recently published its 2021 annual report (the “Report”) covering its regulatory activities between 1 January 2021 and 31 December 2021. The Report highlights that the DPC concluded a number of large-scale inquiries in 2021 resulting in decisions on infringements and in many cases the imposition of corrective measures. 2021 also saw a high volume of complaints and data breaches, a trend we can expect to continue in 2022.

Notable highlights include:

  • 7,469 queries and 3,419 complaints received under the GDPR (an increase of 7% on 2020 figures).
  • 49 complaints under the Law Enforcement Directive handled.
  • 6,549 valid data breach notifications received with 95% of total recorded breach cases concluded in 2021.
  • 138 electronic direct marketing investigations concluded and 2 prosecutions of telco companies for persistently contacting customers who had opted out of correspondence.
  • 5 large-scale inquiries concluded.
  • €225 million fine imposed on WhatsApp Ireland Ltd in addition to an order for WhatsApp to bring its processing into compliance with the GDPR.
  • DPC staff numbers increased to 190 and the DPC’s budget increased to €19.1 million (with a further increase to €23.2 million for 2022).

Complaints

Access requests continue to be the largest category of complaints to the DPC in 2021 (42%) followed by fair processing (19%), disclosures (10%), the right to erasure (9%) and direct marketing (4%). The Report notes that the DPC intends to increase its enforcement in the area of access requests in 2022 and target non-responses and inadequate responses from controllers.

The DPC concluded 150 electronic direct marketing investigations in 2021, with 84 complaints relating to email messages and 43 complaints relating to text messages.

Of the 3,564 complaints concluded by the DPC in 2021, 463 were concluded by fast-track amicable means. According to the Report, where immediate action is required, the DPC will seek to resolve data protection issues through rapid direct intervention rather than launching an inquiry.

Cookies Investigations

The DPC continued to tackle issues around the setting of tracking and advertising cookies without consent, the use of cookie banners that obscured the text of cookies and privacy notices on websites and the use of pre-ticked boxes or toggles to signal consent for cookies. Investigations and enforcement in this area will continue to be a key element of the DPC’s activities in the coming years, particularly in anticipation of the implementation of the long-awaited ePrivacy Regulation.

Data Breaches

The DPC received a total of 6,549 valid notifications of personal data breaches in 2021. In line with previous years, the highest category of data breaches notified in 2021 was in relation to unauthorised disclosures, which accounted for 71% of total breach notifications. The DPC received 38 valid data breach notifications under the ePrivacy Regulations and 51 notifications in relation to the Law Enforcement Directive.

Statutory Inquiries

The Report highlights 5 inquiries concluded in 2021 that resulted in a significant sanction or corrective measure. These inquiries involved the Irish Credit Bureau, MOVE Ireland, Limerick City and County Council, the Teaching Council and WhatsApp. In particular, the inquiry concerning WhatsApp Ireland, which concluded in September 2021, resulted in a fine of €225 million along with an order directing WhatsApp to bring its processing into compliance with the GDPR. Our analysis of this decision can be accessed here.

The DPC also issued a significant decision to Limerick City and County Council considering a broad range of issues pertaining to surveillance technologies deployed by the Council. The DPC found that certain CCTV systems operated by the Council were unlawful and imposed a temporary ban on the Council’s processing of personal data in respect of certain CCTV cameras and an administrative fine of €110,000.

Ongoing Inquiries

At the end of December 2021, the DPC had 81 open statutory inquiries, 30 of which were cross-border inquiries. The inquiries are either complaint-based or own volition inquiries. Some of the high-profile cross-border inquiries include:

  • Apple – There is a complaint-based inquiry into Apple examining whether Apple has a lawful basis for processing personal data in the context of targeted advertising in connection with the unique Apple “Identifier for Advertising”.
  • Facebook – There are 10 separate inquiries into Facebook Ireland Limited (now known as Meta Platforms Limited) which examine a range of issues including Facebook’s compliance with the transfer restrictions under Chapter V of the GDPR in light of the Schrems II decision by the CJEU. On 21 February 2022, the DPC issued a revised preliminary decision in respect of this inquiry which seeks to suspend the data transfers in question. Facebook has 28 days to make submissions on this preliminary decision. Once these are received, the DPC will prepare a draft Article 60 decision for consideration by the other concerned supervisory authorities.
  • Google – There are 2 inquiries into Google Ireland Limited. One of these examines whether Google has a valid legal basis for the processing of location data of its users and the other concerns Google’s compliance with legal obligations as a controller in operating its proprietary “Authorised Buyers” real time bidding advertising technology system.
  • LinkedIn – There is a complaint-based inquiry into LinkedIn examining whether it has discharged its obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.
  • Yahoo – The DPC is conducting an inquiry into Yahoo’s compliance with the requirement to provide transparent information to data subjects under Articles 12-14 GDPR.   
  • Twitter – The DPC is conducting an inquiry into Twitter which was commenced in response to a large number of breaches notified to the DPC since 25 May 2018, with the DPC examining whether Twitter has discharged its obligations to implement appropriate technical and organisational measures to secure users’ personal data.
  • TikTok – The DPC commenced two inquiries into the activities of TikTok in 2021, one relating to the legality of data transfers from the EU to China and the other relating to the company’s handling of the personal data of users aged under 18.

Fundamentals for a Child-Oriented Approach to Data Processing

In December 2021, the DPC published its final guidance on Fundamentals for a Child-Oriented Approach to Data Processing with immediate application and operational effect.

Data Protection Officers (DPOs)

The DPC concluded the most recent stage of its DPO enforcement programme aimed at improving compliance with Article 37(7) of the GDPR, which mandates that specific categories of data controller, such as public bodies, are required to appoint a DPO and notify the DPO’s details to the relevant Supervisory Authority. The Report notes that the initial phase of the enforcement programme raised the public sector’s compliance rate from 69% to near 100%.

In 2021, the DPC expanded the project to include the private sector, identifying several sectors likely to meet the threshold to appoint a DPO such as private hospitals and out-of-hours GP Services, banking entities, and credit unions. This initiative has resulted in 170 additional organisations now complying with their Article 37(7) obligations.

The DPC’s commitment to supporting DPOs as part of its DPO Network is reiterated in its Regulatory Strategy 2022 – 2027. In addition, a series of online webinars supporting SMEs in their compliance efforts is due to commence in the first quarter of 2022.

Binding Corporate Rules

A key focus of the DPC in the area of international transfers is the assessment and approval of Binding Corporate Rules (“BCR”) applications from multinationals seeking to take a uniform approach where they have subsidiaries on a global scale transferring data between them. In 2021, the DPC was lead reviewer in 33 applications from 19 different companies and acted as co-reviewer or on drafting teams for Article 64 Opinions on 13 BCRs in this period.

What’s next?

In December 2021, the DPC published its Regulatory Strategy for the next 5 years which focuses on regulating consistently and efficiently; safeguarding individuals and promoting data protection awareness; the protection of children and other vulnerable groups; bringing clarity to stakeholders; and supporting organisations to drive compliance.

The Report indicates that the DPC will continue its focus on cookies investigations and enforcement actions throughout 2022, having regard to proposed reform in this area in the form of the European Commission’s proposed Digital Services Act, Digital Markets Act and the long-awaited e-Privacy Regulation.

Also contributed by Ruth Hughes

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.