Data protection complaints soar in Ireland

Out-Law News | 24 Feb 2020 | 9:45 am | 5 min. read

The number of complaints made to Ireland's data protection regulator increased by 75% last year, while the number of data breach notifications nearly doubled, according to its annual report.

The Data Protection Commission (DPC) said that it received 7,215 complaints in 2019, up 75% from the 4,113 complaints it received the year before. The watchdog was also notified of 6,069 valid personal data breaches last year, up from 3,542 in 2018.

"The DPC has outlined that at least 40% of its resources are dedicated to handling individual complaints rather than large-scale more systemic investigations," said Dublin-based data protection law expert Andreas Carney of Pinsent Masons, the law firm behind Out-Law. "This is interesting as it emphasises the large volume of complaints that the DPC receives and the resources that it has to assess these complaints."

The DPC said there is a trend showing an increasing number of complaints being made by individuals about data breaches, with 207 such complaints submitted to its office last year. Many of the complaints concerned breaches caused by human error, including emails and letters being sent to the wrong people, administrative processing errors and lost paperwork. Carney said that the DPC's experience chimes with what his team are seeing in practice.

On data breach notifications, the DPC said there had been an "increase in the number of repeat breaches of a similar nature by a large number of companies", particularly from those operating in the financial services sector.

The DPC said a "core priority" in 2020 will be to engage with financial institutions and other businesses operating in the sector, recognising in particular that certain EU payment services laws involve "the sharing of account information and personal data".

Carney said: "This flags that this is an area that the DPC will focus on, which makes sense since Ireland already has a well established financial services sector and is increasingly becoming a hotbed for fintech start-ups and international players setting up operations here."

In its report, the DPC also highlighted that much of the litigation that it has faced revolves around employee and employer disputes, where individuals are challenging a decision made by the DPC regarding their data protection rights.

Carney said: "In Ireland the Workplace Relations Commission and the Labour Court cannot order discovery in employment claims. This places reliance on data subject access requests which are adjudicated by the DPC. This is emphasised in the DPC's report as it said it received almost 48,500 points of contact in total and that one of the most common trends involved employee access requests. This comes as no surprise, but perhaps highlights what should be an open question on a topic that attracts some controversy - whether data protection rights should be used as a discovery tool in employment disputes." 

In 2019 the DPC was also involved in bringing prosecutions under the current e-Privacy regime in the country, which governs electronic direct marketing activities among other things. The watchdog said it opened 165 new direct marketing cases and that four prosecutions were concluded before the district courts. New EU e-Privacy laws were anticipated following the introduction of the General Data Protection Regulation (GDPR), but a lack of consensus on the reforms has seen the initiative stall. The European Commission is expected to table fresh proposals for consideration by EU law makers.

The DPC also reflected on the progress of investigations it has ongoing, which include two cases against major technology companies that the regulator expects to issue a decision on this year. It also addressed criticism which has been raised about cross-border enforcement under the GDPR, which depends on the cooperation of national data protection authorities in different jurisdictions within the EU.

Only three cross-border cases have resulted in fines since the GDPR took effect, but the DPC said the need to respect "due process" trumps calls for "expediency".

As of 31 December 2019, the DPC had 70 statutory inquiries on hand, including 21 cross-border inquiries. The number of cross-border cases sitting with the DPC reflects the fact that many large technology and financial services institutions have their European headquarters in the country, meaning that it is the lead authority for investigating cross-border cases of alleged non-compliance with the GDPR. Its report provided an insight into the amount of consultation that is required under the GDPR's 'one-stop-shop' system of cross-border enforcement.

"In the past year, a significant number of complex cross-border complaints were transferred to the DPC by other data protection supervisory authorities," the DPC said. "In addition, the DPC continued and commenced several large-scale inquiries that were initiated on the DPC’s own volition and that relate to cross-border processing. Although the DPC has primary supervisory responsibility, we must consult extensively with the other data protection supervisory authorities and keep them updated throughout our complaint handling and investigatory processes. In particular, we must take due account of their views and seek their consensus on our draft decisions on these cross-border cases, under the GDPR’s cooperation mechanism… The lead supervisory authority must share its draft decision with all concerned supervisory authorities and consult with, and consider their views, in finalising the decision."

The DPC's important role in the regulation of data protection in the EU is also emphasised by the fact that it saw an increase in the number of applications for binding corporate rules (BCRs) in 2019 – there were 19 BCR applications from 12 different companies, up from 11 applications the previous year. BCRs are commitments companies can agree with data protection regulators regarding the intra-group transfer of personal data to countries outside of the EU.

Carney said: "The report states that the DPC has been contacted by a number of companies in relation to moving their lead authority from the UK to the DPC for the purposes of their BCRs, so it expects the number to increase in 2020 after Brexit takes effect and those companies with BCRs approved by the UK's information commissioner look for a new BCR lead authority."

The DPC also highlighted legal procedural issues that have occupied some of its time. These include consideration of how best to balance competing rights and entitlements in relation to access to documents, deal with claims of legal privilege, and manage issues of confidentiality and commercial sensitivity. It said 2020 should see many of the complex issues reconciled in practical terms as the first wave of GDPR cases reach resolution. "This is comforting in some ways, as I think it demonstrates that assessing data protection rights, their exercise and enforcement in practical terms is not a binary exercise for the DPC, which is in line with my own experiences and I'm sure those of others dealing with data issues," Carney said.

The DPC's budget was increased in the last financial year. This enabled it to increase its staff numbers from 110 at the beginning of 2019 to 140 at the end of the year, including the recruitment of two new deputy commissioners and additional regulatory lawyers, legal researchers, technologists and investigators. However, the DPC was reportedly disappointed at its latest budget allocation amidst its growing workload. Other data protection regulators in the EU have also highlighted resourcing concerns of their own.

The DPC has introduced case management procedures in an attempt to focus its resources on the cases of highest priority, but the DPC said it is anticipating an increase in its activity as a consequence of the increased use of technology. The DPC said: "With automated personal data processing in particular now as ubiquitous as blinking and, with hundreds of thousands of processing entities under the supervision of each [national data protection authority in the EU], the volume of activity is only going to grow."

The DPC said it hopes to be able to spend more time looking into the concept of 'data protection by design' in 2020 to "ensure the next generation of technologies we all use does not suffer from the problems we sleep-walked into over the last two decades".

The DPC expects to set out a strategy implementation and measurement plan later this year.