Dublin-based Ann Henry and Nicola Barden of Pinsent Masons were commenting after the DPC’s annual report 2022 (46-page / 7MB PDF) revealed that the authority had concluded 245 cases last year in which it considered data protection complaints of a cross-border nature. It upheld 125 of those complaints as valid.
There were some cases of a cross-border nature among the 17 large-scale inquiries that the DPC concluded last year. Across those cases, the DPC issued multiple reprimands and compliance orders and imposed fines totalling more than €1 billion.
The volume of cross-border cases that comes before the DPC reflects the fact that Ireland is the favoured jurisdiction of many major multinational businesses for establishing European headquarters. Under the EU General Data Protection Regulation (GDPR), responsibility for leading investigations into compliance with the GDPR in cases where data subjects in multiple EU countries are allegedly impacted by a business's practices rests with the national data protection authority in the country in which the business has its main establishment in the EU, or, failing that, where its EU representative is based.
The GDPR provides a mechanism for other national data protection authorities to feed into investigations and decision-making by the lead supervisory authority, and for umbrella body the European Data Protection Board (EDPB) to intervene and issue binding decisions in cases where there is a lack of consensus on the findings or action the lead supervisory authority intends to take. The European Commission has outlined plans to streamline the cooperation process.
A table published on page 32 of the report highlights the cross-border ‘Article 60’ cases in which other data protection authorities across the EU objected to findings or actions the DPC proposed in 2022.
Nicola Barden said: “The DPC has received a lot of commentary about its leniency and this table demonstrates that the DPC’s draft Article 60 decisions do not receive as many objections from other data protection authorities as reports would appear to suggest. It shows that in all draft decisions in 2022, the majority of DPAs agreed with the DPC’s approach. This may be a point that the DPC is trying to make in light of the recent Meta decisions and its direction from the EDPB to carry out a further investigation into Meta’s processing.”
In 2022, the DPC said it participated in over 300 EDPB meetings, a figure that will reflect cross-border cooperation with other data protection authorities on issues beyond mere enforcement of the GDPR.
The DPC also said its supervisory action brought about the postponement or revision of seven scheduled internet platform projects, and its report revealed that it had made observations on over 30 pieces of new legislation provided to the Irish government and national parliament.
Barden said case studies cited by the DPC in its annual report provide valuable guidance for organisations on everyday data protection compliance matters.
“The first case study confirms that a subject access request can be complied with without providing copies of every document containing the individual’s data,” Barden said.
The case study said: “An access request may be fulfilled by providing the individual with a full summary of their data in an intelligible form. The form in which it is supplied must be sufficient to allow the applicant to become aware of the personal data being processed, check they are accurate and being processed lawfully.”
Barden said the case studies show that the DPC’s preferred first approach in cases is to seek an amicable resolution, except where a controller repeats issues or breaches of data protection laws for which the DPC has previously prosecuted it, as demonstrated in case studies 10 and 11.
Case study 14 examined whether a bank had made an unwarranted disclosure of personal data to a solicitor who was acting on behalf of a joint account holder of the person whose data was disclosed. Barden said the case confirms that controllers can rely on a written confirmation from a solicitor on headed paper as acceptable proof that they are authorised to act on behalf of a data subject “based on the fact that a solicitor has professional duties as an officer of the court and as a member of a regulated profession”. According to Barden, the case also confirms that providing bank statements to one holder of a joint bank account is permitted if this aligns with the signing instructions on the account, i.e. that one account holder is entitled to administer the account.
Case studies 18 and 19 also provide guidance to controllers on requesting data to enable account users to be identified before responding to their requests to exercise their data subject rights.
“The cases highlight that controllers should always consider if they have a lawful basis for requesting ID from a data subject in order for them to act on a request to exercise data protection rights,” Barden said. “In both cases, the companies requested ID but then acted on the request without ID, demonstrating that there were indeed alternative, less data-intense, approaches they could take to prove the identity of the individuals. The DPC found that both controllers were in breach of the GDPR’s data minimisation principle and that neither had a lawful basis for seeking a copy of the users’ IDs in order to process their requests.”