knowledge 9 March 2023 |

Highlights of the Data Protection Commission’s 2022 Annual Report

The Report highlights that the DPC concluded a number of large-scale inquiries in 2022 resulting in decisions on infringements and in many cases the imposition of corrective measures. 2022 also saw the value of fines issued exceed 1 billion euro, which equates to two-thirds of the total fines issued by data protection supervisory authorities across the EEA and the UK last year. 

Notable highlights include:

• 2,700 complaints received under the GDPR. Continuing the trend of previous years, access requests remain the largest category of complaints to the DPC (42%), followed by fair processing (14%), right to erasure (10%), direct marketing (9%) and disclosure (7%). 

• 5,828 personal data breach notifications received, down 12% on 2021.

• 125 cross-border complaints received.

• 17 large scale inquiries concluded.

• 88 statutory inquiries ongoing, including 22 large-scale cross-border inquires.

• 38 complaints under the Law Enforcement Directive received, and 58 concluded.

• 2 companies successfully prosecuted for sending unsolicited marketing communications.

• 204 complaints received regarding electronic direct marketing (118 relating to email marketing; 52 complaints relating to SMS marketing; 28 complaints relating to cookies and 6 complaints relating to marketing over phone calls).

• 51 new members of staff, along with a 4.1 million euro increase in funding.

• The DPC co-founded the Digital Regulators Group, a group of Irish governmental bodies engaged in technology and communication issues, with a view to liaising on messaging to Government and driving regulatory coherence in light of upcoming legislative developments.

Ongoing trends and comments

Data breach notifications

The Report identifies public sector bodies, financial institutions, insurance firms and telecom companies in the top twenty organisations for data breach notifications. It mentions decisions and reprimands against Bank of Ireland, An Garda Síochána and Limerick County Council in relation to this issue.

The Report noted in particular that, following the publication of its decision against Bank of Ireland, the DPC saw an upswing in reports from other financial institutions. It attributed this trend to organisations applying “the learnings from the Bank of Ireland decision to their own processing operations and proactively seeking to address any gaps in their operating practices”.

Cross-border complaints

The Report gives a unique insight into how the DPC currently experiences significant frustration in the deployment of the One-Stop-Shop mechanism (“OSS”) and the handling of cross-border complaints. Only 48% of complaints which were lodged with the Irish DPC and which related to a company established in another EU member state (and thus forwarded to their respective supervisory authority) were resolved.

An example is given of a case that began in 2019, in which an Irish citizen lodged a complaint to the DPC against a German company in respect of an alleged unauthorised disclosure of their personal data, which was referred by the DPC to the competent German authority. Translating communications in English and German, the back and forth between the supervisory authorities and the transmission of personal data “around an unnecessarily large number of investigative staff in various EU data protection authorities” led to significant delay in a decision ultimately being reached by the German authority. The Commissioner commented that “this issue requires examination by legislators to improve the timeliness and appropriate handling of decisions for EU citizens”.

Fines

The DPC noted that six of its fines, ranging from 1,500 to 17 million euro, were confirmed by the Dublin Circuit Court and the collected fines were transferred to the Irish exchequer. However, a number of the large-scale fines (amounting to over 1 billion euro) are subject to appeal and judicial review proceedings through the Irish courts. These appeals may also entail references to the Court of Justice of the European Union over matters of interpretation of the GDPR. Accordingly, between the OSS and various means of cooperation between EU supervisory authorities in finalising decisions, the GDPR has “created something of a legal maze that requires constant navigation, building an ever more complex landscape for litigators”.

Areas of focus

Supervision

In terms of immediate direct intervention, the DPC prioritised in 2022:

• census data collection practices;

• excessive data collection in the residential property sector;

• excessive data collection amongst mobile home parks;

• CCTV in cinemas, school toilets, fast food outlets, nursing homes and medical centres; and

• remote access to CCTV as a substitute for onsite workplace supervision.

The DPC also noted that it is particularly aware of the issues certain sub-groups of the population are facing in ensuring their data protection rights are upheld, including the elderly, non-native speakers and the homeless.

Engagement

The GDPR requires the DPC to continuously engage with other supervisory authorities and the European Data Protection Board (“EDPB”). In 2022, this resulted in contributions to over 300 EDPB meetings. Similarly, staff from the DPC presented at 88 events, contributed to over 30 pieces of proposed legislation and received 322 consultation requests from a variety of stakeholders.

The Report notes that the DPC  has brought about the postponement or revision of multiple scheduled internet platform projects. It references the engagement it had in TikTok’s announcement of a change to its legal basis for providing personalised advertising, the online publication of planning data and the migration of customer data from KBC to Bank of Ireland in this regard.

Building on the publication of its final guidance on Fundamentals for a Child-Oriented Approach to Data Processing, the DPC issued three new guides aimed at informing and educating children on their data protection rights and safety online. It also participated in EUCONSENT, an EU funded project to create a framework for age verification and parental consent controls.

Large-scale inquiries

Concluded inquiries

The DPC concluded 17 large scale inquires over the course of 2022. These included reprimands issued against Slane Credit Union, Twitter and Airbnb.

In terms of notable fines issued by the DPC:

• Bank of Ireland was fined 463,000 euro for unauthorised disclosure of personal data to the Central Credit Register;

• Instagram was fined 405 million euro in September for its failure to implement appropriate safeguards in relation to children’s data, and 180 million euro in December for its reliance on contract as a legal basis and lack of transparency;

• Facebook was fined 17 million euro in March for failures in data breaches, 265 million euro in November for data scraping infringements, and 210 million euro in December for reliance on contract as a legal basis and a failure to comply with its transparency obligations.

Ongoing inquiries

The DPC may conduct two different types of statutory inquiry under section 110 of the Data Protection Act 2018. These may be commenced on foot of a complaint received from a member of the public, or via the DPC’s own volition. In a national context, the DPC has disclosed details of a number of inquiries currently ongoing:

• Catholic Church (Archbishop of Dublin) – a draft decision has been issued into how the Catholic Church facilitated the right to rectification and erasure for data subjects choosing to leave the Church, and their respective entries on the Baptism Register.

• Department of Social Protection – originally commencing in 2021, this inquiry is examining the use of biometric facial templates used by the Department in its Public Services card.

• Department of Health – this relates to the processing of personal data by the Department in its special needs education files.

• Centric Health – the DPC is drafting its final decision regarding how Centric Health dealt with a ransomware attack affecting personal data belonging to its patients.

• Permanent TSB – after receiving three data breach notifications where a malicious actor attempted to access bank accounts via the bank’s call centre, the DPC is currently preparing a draft decision in relation to the bank’s compliance.

Ongoing cross-border inquiries

Whilst the DPC concluded over 100 cross-border cases in 2022, it has 22 large-scale inquiries ongoing. These inquiries require consultation with other concerned European supervisory authorities, and consequently, can be subject to significant delay if faced with objections. Some of the cross-border inquiries currently being progressed by the DPC include:  

• TikTok – TikTok is currently subject to two inquiries. One inquiry relates to the processing of personal data for users under 18 and age verification measures for users under 18, whilst the other concerns data transfers from the EU to China.

• Meta – The DPC is currently investigating the lawfulness of Facebook’s data transfers to the US, the data breach concerning Facebook’s user tokens in September 2018, the security measures surrounding same data breach, and a security incident in 2019 where Facebook passwords were stored in plaintext.

• Twitter – Twitter is currently subject to a two inquiries in relation to data breaches it has suffered in 2018 and collated datasets of user personal data appearing online in December 2022.

• Google – Google’s processing of location data of its users and the legal basis relied upon in its processing of personal data for use in its real time bidding system for advertisers are both under investigation.

What’s next for 2023?

• The Report acknowledges that the data protection landscape continues to develop, considering the 45 cases concerning the GDPR currently pending before the Court of Justice of the European Union. The Commissioner commented that “it may take some further time before points of legal certainty are reached on interpretations of key articles”.

• The ability to claim compensation under the GDPR continues to see low awards being issued at EU level. Section 117 of the Data Protection Act 2018 was tested for the very first time in the Irish courts but the claim was dismissed on account of the claimants failing to prove any actual loss. Cases in this area should continue to be monitored.

• New legislation continues to alter the technology landscape, with the Digital Services Act and the Online Safety and Media Regulation Act coming into force. The DPC notes that it contributed to more than 30 legislative projects from a data protection perspective. However, with the entry of new regulators “onto the pitch”, the DPC will no longer be alone in taking enforcement action against big-tech. The establishment of the Digital Regulators Group should assist the DPC and other relevant bodies in cooperating in driving compliance and communicating clear messaging to stakeholders.

• The publication of decisions being drafted by the DPC, and which will be subject to input from other European supervisory authorities and the EDPB, are eagerly awaited. In light of the apparent disagreement amongst the authorities in the latest decisions against Facebook, Instagram and WhatsApp (see our briefing here), it will be interesting to see if European authorities continue to differ in their interpretations of other provisions of the GDPR.

Also contributed to by Ruth Hughes