by Laura Fannin, John Deignan March-09-2021

Overview of Issues Arising in 2020

On 25 February 2021, the Data Protection Commission (“DPC”) published its Annual Report for 2020. The publication of the DPC’s annual report came against the backdrop of a number of significant milestones for the DPC which occurred during the course of 2020, including:

  • Issuing its first fines pursuant to the GDPR in domestic cases;
  • Issuing its first fine in a cross-border case;
  • Concluding a number of statutory inquiries;
  • Publishing new guidance in relation to the use of cookies and tracking technologies and extensively raising public awareness of the subject;
  • Receiving 354 cross-border processing complaints through the One-Stop-Shop mechanism;
  • Issuing an Article 60 Draft Decision to all other EU Data Protection Authorities;
  • The conclusion of the “Schrems II” proceedings concerning international data transfers following the decision of the Court of Justice of the EU in July 2020.

In the Executive Summary to the Annual Report, the DPC provides a snapshot of some of the facts and figures behind its extensive workload for 2020. During this period, the DPC:

  • Handled 10,151 cases, an increase of 9% on 2019 (9,337).
  • Received 4,660 complaints from individuals under the GDPR.
  • Concluded 4,476 complaints, 1,660 of which were received prior to 2020.
  • Was notified of 6,628 valid data security breaches.
  • Had 83 statutory inquiries ongoing as of 31 December 2020.
  • Published 40 pieces of guidance, including blogs and podcasts.
  • Handled 37 Law Enforcement Directive complaints. 

The DPC’s Annual Report, which runs to a total of 98 pages, can be accessed here.

 

Breakdown of Issues Arising in 2020

The Annual Report analyses the work undertaken by the DPC on various fronts over the course of 2020. Below, we set out a summary of some of the main findings contained within the Annual Report under different headings (numbered 1-3). Given the level of detail contained in the Annual Report, the summary below is an overview of some of the issues arising under those headings.

 

1. Complaints and Notifications to the DPC

The single biggest issue giving rise to complaints in 2020 was Data Access Requests, a trend which is consistent with previous years. This area represented 30% of cases concluded in 2020. The next highest category of concluded cases involved Fair Processing (19%), followed by Disclosure (15%).

The DPC received 6,628 breach notifications under Article 33 of the GDPR in 2020, an increase of 10% on 2019. As in other years, a very high number of data breaches notified under the GDPR were classified as Unauthorised Disclosures (86%). One such example referred to in the Annual Report is an incident where a customer of a financial institution requested details of their BIC and IBAN. Following that request, and deviating from approved practices for handling such requests, a member of staff in the organisation sent the bank account details via WhatsApp. However, it transpired that the BIC and IBAN were sent to the wrong customer. The DPC issued a number of recommendations in light of this personal data breach (see page 40 of the Annual Report). In this regard, the Annual Report contains a number of helpful case studies which outline breach notifications and the outcome of those notifications.

 

2. Inquiries and Fines

As of 31 December 2020, the DPC had 83 ongoing statutory inquiries. Of these, 27 were cross-border inquiries: nine involving Facebook, three each into Instagram, Twitter and Apple, two into both Google and WhatsApp and one into LinkedIn. Similarly, 56 statutory inquiries were being conducted into domestic bodies, the majority of which relate to the use of surveillance technologies by local authorities and An Garda Síochána.

  

Private Companies

In December 2020, the DPC issued its first fine in a cross-border inquiry, fining Twitter International Company €450,000 arising from a personal data breach. The personal data breach - which reportedly affected around 90,000 EU and EEA based users from September 2017 until January 2019 - arose from a bug in the Twitter mobile app for Android which caused a number of users to have their “protected” tweets, usually only visible to their “followers”, made publicly accessible. The decision found that Twitter had infringed Articles 33(1) and 33(5) of the GDPR.

Under the GDPR One-Stop-Shop mechanism, the DPC has authority for a high number of cross-border cases due to the large number of international companies domiciled in Ireland. Where an amicable resolution cannot be achieved, Article 60 of the GDPR is engaged, which encompasses a lengthy cooperation procedure between the concerned supervisory authorities. One such decision found that Ryanair had infringed Articles 12 and 15 of the GDPR by failing to provide the UK complainant with a copy of a recording of a call following a subject access request and subsequently failing to provide the complainant with updates on the matter. This incident is outlined in some detail on page 31 of the Annual Report.

Article 60 is also engaged where a regulator (in this case the DPC) adopts a decision on foot of an inquiry into a multinational company. The decision must then be submitted to the concerned supervisory authorities for approval. One such example, though not finalised in 2020, is the long-running investigation into WhatsApp’s compliance with its transparency obligations under Articles 12 to 14 of the GDPR (see page 45 of the Annual Report). Pursuant to Article 60, the draft decision is currently progressing through the cooperation procedure at EU level. This is only the second time this mechanism has been triggered, the first being the Twitter inquiry, which resulted in the €450,000 fine referred to above.

 

State Bodies

In 2020, the DPC issued its first fines for non-compliance with the GDPR. Three of these were issued against one Irish state agency, Tusla, in light of a number of personal data breaches (see page 50 of the Annual Report). On each occasion Tusla was found to have breached Articles 32(1) and 33(1) of the GDPR. Tusla was fined €75,000, €40,000, and €85,000 on the three respective occasions.

In March 2020, the DPC issued a decision to Kerry County Council in respect of unlawful use by the Council of CCTV technology, imposing a temporary ban on Kerry County Council’s processing of personal data in respect of certain CCTV cameras. A similar decision was issued in October 2020 to Waterford City and County Council, in which the council’s use of dash cams and covert cameras to detect littering and dumping was found to have no lawful basis in litter and pollution legislation. Both of these decisions are discussed on page 49 of the Annual Report.

Separately, the DPC is carrying out inquiries into video surveillance technologies employed by the state for law enforcement purposes (for example, CCTV and body-worn cameras). The DPC is in the process of conducting a large-scale inquiry into the use of such technologies by local authorities. For further information on this please see page 54 of the Annual Report.

 

3. Guidance

Cookies

In April 2020, the DPC published new guidance in relation to the use of cookies and tracking technologies. This arose following a cookies sweep carried out on a sample of websites between August 2019 and December 2019. The sweep examined the websites’ compliance with the ePrivacy Regulations, which require that consent be obtained before placing any information on a user’s device, or accessing information already stored on their device. Out of the 40 websites examined, 20 were found to be in breach of the ePrivacy Regulations. Notably, 2020 saw an increase in the number of complaints received from the public in relation to the use of cookies and tracking technologies. For further background information on this matter, please see our previous article.

 

GDPR and Children

In 2020, the DPC opened a public consultation on its draft guidance on the rights of children as data subjects (Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing) (page 75). The guidance addresses a wide range of issues affecting children such as the rules governing the processing of children’s personal data for marketing or profiling purposes. The DPC emphasises that the best interests of children should be a primary consideration in all decisions relating to the processing of their personal data. The public consultation concludes on 31 March 2021.

 

COVID-19

Over the course of 2020, the DPC published guidance notes setting out recommended measures in relation to data protection issues thrown up by the pandemic. In particular, in March 2020 the DPC published guidance notes in relation to (1) Data Protection and COVID-19 and (2) Protection of personal data when working remotely. A summary of these guidance notes is available in our previous article on those issues here.

The DPC also engaged in consultation with the public sector on a broad range of legislative and public policy issues, including the development of the Covid-19 Contact Tracing App. 

 

Conclusion

The above summary provides a snapshot of the breadth of work being undertaken by the DPC. In this regard, it is worth noting the comments of the Commissioner for Data Protection, Helen Dixon, who stated:

“The progress the DPC has made in 2020 provides a solid platform on which to build across our enforcement and complaint-handling functions in particular. The GDPR must be understood as a project for the now, but equally for the longer-term. The DPC intends to continue as a leader in its full implementation.”

It is therefore more important than ever for organisations to be mindful of their data protection responsibilities and to have adequate procedures and safeguards in place to ensure compliance with the exigencies of the GDPR and related legislation.

For further information, please contact Laura Fannin: lfannin@hayes-solicitors.ie or John Deignan: jdeignan@hayes-solicitors.ie

 
