DPC annual report: review of 2019 and focus for future


Introduction
Data protection complaints
Data breach notifications
Data compliance investigations
Cookies and adtech
Data protection enforcement and prosecutions
Supervision
OSS for data protection complaints
Brexit and international aspects of data protection compliance
Future focus

Comment

Introduction

The Data Protection Commission (DPC) recently published its annual report for 2019, the first full calendar year since the EU General Data Protection Regulation (GDPR) came into force.

The report provides a number of interesting insights into the DPC’s activities over the past year. This article highlights the key trends and issues identified in the report and the areas on which the DPC is likely to focus in 2020. It is clear from the report that as compliance with the GDPR continues to be a significant area of focus for organisations, the DPC is intensifying its efforts and expanding its operations. As such, organisations can expect an increase in the DPC’s supervisory, compliance and enforcement activities.

Data protection complaints

The number of complaints received by the DPC in 2019 increased by 75% (7,215 in total). Of these, 29% related to subject access rights, although in proportion to other categories of complaint, this figure is dropping. The report reiterates that there is a presumption in favour of disclosure on the part of data controllers when handling subject access requests. Complaints relating to disclosure and fair processing made up the next highest proportion of complaints at 19% and 16% respectively.

Telcos and banks remain the most complained about sectors, with many complaints focusing on the issue of account administration and charges. The DPC has expressed frustration that these consumer protection issues are being addressed via complaints to the DPC rather than being dealt with within those sectors. Over the past year, there has been an increase in the number of complaints about internet platforms, with the key focus being on the management of an individual’s accounts and the right to erasure once individuals leave the platform.

Disputes between employees and employers or former employers remain a significant theme of complaints to the DPC. The report states that “this is undoubtedly driven by the fact that neither the [Workplace Relations Committee] or the Labour Court can order discovery in employment claims”. Arguably, the absence of discovery powers means that subject access requests often play a central role in employment claims.

Data breach notifications

There were 6,069 valid data breaches notified to the DPC in 2019, an increase of 71% from 2018. Unauthorised disclosures made up 83% of the breaches and there was an increase in the number of repeat breaches of a similar nature by many organisations (predominantly in the financial sector). The DPC recommends that data controllers take steps to mitigate the risk of data breaches, such as:

  • undertaking staff training;
  • running awareness programmes;
  • implementing stringent password policies and multifactor authentication for remote access; and
  • regularly updating anti-malware software.

Data compliance investigations

In 2019 the DPC had 70 ongoing statutory inquiries, including 21 cross-border inquiries. In the technology sector, the DPC is currently involved in six statutory inquiries relating to several high-profile multinational tech companies. These inquiries relate to several areas of compliance with the GDPR, including:

  • the lawful basis for certain data processing activities;
  • compliance with the transparency principles;
  • compliance with access rights; and
  • the implementation of organisational and technical measures to secure and safeguard personal data.

Investigations into big tech companies progressed in 2019, with two inquiries moving from the investigative stage to the decision-making stage. The decisions from these inquiries are expected in 2020. The DPC highlights some of the complexities that it faces in dealing with legal procedural issues raised during the inquiry processes (eg, the application of legal privilege). The report indicates that many of these issues will be resolved following the conclusion of the first wave of statutory inquiries.

Cookies and adtech

One area of growing focus in the data protection sphere is the use of cookies and adtech. In August 2019 the DPC started to examine the use of cookies and similar technologies on websites across a range of sectors to establish whether organisations are complying with data protection principles (particularly user consent requirements). Under the GDPR, user consent must be obtained by means of a clear, affirmative act and be freely given, specific, informed and unambiguous. The DPC noted that many organisations use pre-checked boxes or default settings for consent to cookies, and that some organisations rely on the user’s implied consent to cookies; neither approach is valid under the GDPR. The DPC has said that it will produce updated guidance on cookies and other technologies to reflect recent European Court of Justice (ECJ) decisions and will place a strong focus on compliance in this area. Organisations that use this technology should review how it is being used and take any necessary action.

Data protection enforcement and prosecutions

Although the DPC acknowledges that the new legal framework under the GDPR will take time for organisations to implement, it notes that intensive work is underway in relation to compliance and prosecutions. As such, the number and level of fines imposed for non-compliance are expected to increase. An example of this can already be seen with regard to direct marketing offences. Offences in this area were pursued rigorously in 2019 and 165 new complaints were investigated (77 related to email marketing, 81 related to SMS marketing and seven related to telephone marketing). Prosecutions were concluded against four entities in respect of nine offences under the E-Privacy Regulations, with penalties ranging from a criminal conviction and fine for repeat offenders to court-ordered charitable donations in lieu of a conviction or fine for more minor breaches.

Supervision

In its supervisory role, the DPC received 1,420 general consultation queries during 2019. In the public sector, the DPC consulted with government departments on legislative proposals involving the processing of personal data, including parental leave and gender pay gap data. Recurring concerns for private sector organisations emerging from the DPC supervisory function include:

  • personal data transfers following a no-deal Brexit;
  • direct marketing rules under the E-Privacy Directive;
  • dealing effectively with data subject access requests;
  • use of technologies in the workplace, such as biometric clocking, GPS vehicle tracking and CCTV;
  • transfer of employee data in mergers and takeovers;
  • discrepancies in privacy policies in multinationals;
  • media reports outlining security issues, such as human review of voice recordings; and
  • new technologies and their impact on a controller’s data protection obligations, particularly in the fintech and payments sector. The DPC anticipates that this will gather momentum in 2020 and the sharing of account information and personal data will be a core priority for the DPC’s consultation engagement with the private and financial sector.

Linked to its function as a supervisory authority, the DPC’s information and assessment unit was contacted almost 48,500 times in 2019, including 22,200 times by phone and 22,300 times by email. In 2019 the DPC published more online guidance to assist in interpreting the GDPR and the Data Protection Act 2018 and it intends to produce more guidance in 2020, particularly case studies illustrating the practical application of data protection principles. Notwithstanding the increased level of guidance published by the DPC in 2019, it is nowhere near the level produced so far by the UK Information Commissioner’s Office (ICO).

The DPC received 712 new data protection officer (DPO) appointment notifications from organisations in 2019 (577 in the private sector), bringing the total to 1,596. The DPC intends to mobilise its DPO network in 2020 to foster peer-to-peer engagement and knowledge sharing. The first initiative for the network was supposed to be a DPO conference scheduled for 31 March 2020, which has been postponed due to the coronavirus pandemic.

OSS for data protection complaints

The DPC is the lead supervisory authority for numerous multinationals whose main establishment is in Ireland. This means that under the one-stop-shop (OSS) mechanism introduced by the GDPR, it has jurisdiction to manage and address data protection complaints relating to those multinationals arising in other member states. When handling regulatory matters through the OSS, the DPC must consult extensively with other data protection supervisory authorities. It must also share draft decisions on complaints referred, or inquiries conducted, under the OSS with all concerned supervisory authorities and consider their views before finalising the decision. In 2019 the DPC received 457 cross-border processing complaints under the OSS which were lodged by individuals via other EU data protection authorities.

Brexit and international aspects of data protection compliance

Brexit preparation constituted a considerable amount of work for the DPC throughout 2019. The DPC spent significant time engaging with stakeholders to provide information on Brexit, particularly in relation to Irish companies transferring personal data to the United Kingdom. In international transfers of data, a key area of focus for the DPC has been assessing and approving binding corporate rules (BCRs) which were introduced for organisations that needed a global approach to data transfer on a large scale. In 2019 the DPC acted as lead reviewer in relation to 19 BCR applications for 12 different companies. The DPC expects this number to increase in 2020 during the post-Brexit implementation period when organisations with BCRs approved by the ICO will look to have these approved by an EU member state’s data protection authority. In 2019 the DPC also continued to take part in various projects and programmes for international engagement and cooperation on data protection issues with other supervisory data protection authorities and stakeholders.

Future focus

The DPC regulatory strategy for 2020 to 2025 will be published later in 2020. In advance of this, the DPC has engaged in focus groups with the public to establish their expectations and awareness of the DPC. The findings highlighted that many people were confused about their rights and would welcome more real-world examples to understand how they apply in practice. In response, the DPC intends to produce more case studies to highlight issues from a consumer or controller point of view.

Other future areas of focus for the DPC include:

  • continuing to prepare for the implementation of the GDPR’s certification approval mechanisms, which are intended to provide accountability mechanisms to demonstrate an organisation’s data protection compliance efforts to individuals;
  • publishing guidance for controllers in processing children’s personal data and encouraging big technology platforms to sign up to a code of conduct on children’s data processing;
  • continuing to expand operations – in 2019 the DPC’s staffing level increased from 110 to 140 and it is likely that this number will continue to grow in 2020;
  • awaiting the ECJ decision on the legitimacy of a standard contractual clause as a sufficient safeguard for the transfer of personal data;
  • issuing first draft decisions on big technology companies; and
  • developing sector specific codes of conduct for data processing and compliance with data protection principles.

Comment

The DPC’s annual report illustrates how the application of data protection principles is continuing to evolve to respond to developments in technology, business, social and legal practices. As such, all organisations will need to ensure that their compliance with the GDPR is kept under review. Helpfully, an increase in the amount of guidance is expected in 2020 as a result of DPC consultations and publications and the outcome of investigations and enforcement proceedings.

The report includes several case studies and contains detailed information on the outcome of a statutory investigation carried out by the DPC. These provide useful guidance for organisations and practical insights into how the DPC is interpreting and applying data protection principles in real-life scenarios.(1)

For further information on this topic please contact Linda Hynes at Lewis Silkin Ireland by telephone (+353 1566 9876) or email (linda.hynes@lewissilkin.com). The Lewis Silkin Ireland website can be accessed at www.lewissilkin.com/en/ireland.

Endnotes

(1) The full report is available here.
