Highlights of the Data Protection Commission’s 2020 Annual Report

The Data Protection Commission (“DPC”) recently published its 2020 annual report (the “Report”) covering its regulatory activities between 1 January 2020 and 31 December 2020. The Report highlights that the DPC concluded a number of large-scale inquiries in 2020 resulting in decisions on infringements and in many cases the imposition of corrective measures. Those subject to corrective measures included Kerry County Council, TUSLA, Waterford City and County Council, Ryanair, UCD, HSE, Groupon and Twitter. In May 2020, the DPC used its fining powers for the first time levying two fines against TUSLA and it issued its first fine in a cross-border case against Twitter for €450,000 in December 2020. At the end of 2020, the DPC had 83 statutory inquiries open (27 of which were cross-border).

Notable highlights include:

  • 4,660 complaints received under the GDPR. The largest volume related to access requests (27%).
  • 354 cross-border processing complaints received through the GDPR’s One-Stop-Shop.
  • 83 statutory inquiries (27 of which were cross-border inquiries in relation to multinational technology companies’ compliance with the GDPR).
  • 147 complaints received regarding electronic direct marketing (66 relating to email marketing; 73 relating to SMS marketing; and 5 relating to telephone marketing).
  • 6 companies prosecuted for sending unsolicited text messages or emails in breach of the ePrivacy Regulations 2011. The companies were: Three Ireland Services (Hutchinson) Ltd, Mizzoni’s Pizza and Pasta Company, AA Ireland, Three Ireland (Hutchinson) Ltd, Ryanair and Windsor Motors.
  • 6,783 data breach notifications received with 6,673 recorded as valid personal data breaches (10% increase since 2019). Unauthorised disclosure accounted for 86% of all breach notifications.
  • €450,000 fine issued to Twitter International Company – the first fine in a cross-border inquiry.
  • In May 2020, the DPC sent Europe’s first major Article 60 Draft Decision to all other EU Data Protection Authorities.
  • Staff numbers increased to 145 and the DPC’s budget has increased to €16.9 million for 2021, reflecting the DPC’s increased workload.

Complaints

The DPC received 4,660 complaints from individuals under the GDPR and 50 complaints relating to its previous regime, the Data Protection Acts 1988 and 2003 (as amended). Overall, there was a decrease in the number of complaints received since 2019. Access requests continue to be the largest category of complaints (30%), followed by fair processing (27%) and disclosures (26%). The DPC stressed the importance of having a clear organisational policy on how to handle access requests, so as to assist organisations in avoiding costly and time-consuming repetitive work.

In relation to access requests, the DPC noted that controllers often invoke legal professional privilege to justify withholding personal data in response to an access request, pursuant to s 162 of the Data Protection Act 2018 (the “2018 Act”). The DPC commented that when assessing whether privilege applies, it will require considerable information including an explanation as to the basis upon which privilege is asserted and it will essentially seek a narrative in respect of each document and, where litigation privilege is claimed, information as to when litigation was threatened or contemplated.

The Report includes case studies which shed further light on the DPC’s complaint-handling functions, including details of cases which were amicably resolved and a case in which the DPC handled an Irish data subject’s complaint against the German-based e-commerce platform Cardmarket under the One-Stop-Shop mechanism.

Data Breach Notifications

The DPC received 6,683 data breach notifications in 2020, of which 6,673 were recorded as valid personal data breaches under the GDPR. This represents a 10% increase on 2019. Unauthorised disclosures accounted for 86% of all breach notifications. The DPC noted that it saw an increase in the use of social engineering and phishing attacks. It made the point that while many organisations initially put in place effective ICT security measures, they are not taking proactive steps to monitor and review these measures or to train staff on evolving threats.

Statutory Inquiries and Decisions

At the end of December 2020, the DPC had 83 open statutory inquiries, 27 of which were cross-border inquiries. The inquiries are either complaint-based or own-volition inquiries. Some of the high-profile cross-border inquiries include:

  • Apple – There are 3 separate complaint-based inquiries into Apple. One such inquiry examines whether Apple has a lawful basis for processing personal data in the context of behavioural analysis and targeted advertising.
  • Facebook – There are 8 separate inquiries into Facebook Ireland and one involving Facebook Inc. These inquiries examine a range of issues including Facebook’s compliance with the transfer restrictions under Chapter V of the GDPR in light of the Schrems II judgment.
  • Google – The DPC has 2 own-volition inquiries into Google. One of these examines whether Google has a valid legal basis for the processing of location data of its users.
  • Instagram – There are 3 separate inquiries into Instagram (2 of which are own-volition inquiries). One of these examines Instagram’s legal basis for the processing of personal data relating to Instagram users under the age of 18 in connection with account settings.
  • LinkedIn – There is a complaint-based inquiry into LinkedIn examining whether it has discharged its obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.
  • WhatsApp – There are 2 separate inquiries into WhatsApp with one examining whether WhatsApp has discharged its transparency obligations with respect to the processing of information between WhatsApp and other Facebook companies.
  • Twitter – The DPC has 3 separate inquiries into Twitter (2 of which are own-volition inquiries). One of these was commenced in response to a large number of breaches notified to the DPC since 25 May 2018, with the DPC examining whether Twitter has discharged its obligations to implement appropriate technical and organisational measures to secure the user personal data.

2020 was a significant year for the DPC as it issued its first cross-border inquiry fine against Twitter for €450,000 in respect of its handling of a personal data breach. The DPC also had a number of domestic inquiries which were all own-volition inquiries. Some of those subject to domestic inquiries included: An Garda Síochána, Bank of Ireland, the Catholic Church, Department of Social Protection, HSE, Teaching Council, various universities, TUSLA and the Irish Credit Bureau.

Cookies Investigations Sweep and Enforcement

In April 2020, the DPC published guidance in relation to the use of cookies and tracking technologies. Organisations were given a six-month window in which to bring cookies used on their websites or platforms into compliance with the law, and the DPC ran a public awareness campaign during this time. At the conclusion of that window, the DPC wrote to 20 organisations in late 2020 warning them that enforcement notices would be issued if non-compliance was not addressed within 14 days. Seven organisations were ultimately served with enforcement notices. The DPC noted that it began seeing more complaints from the public about cookies and tracking technologies in 2020, and that trend is expected to continue, together with enforcement.

Legal proceedings

The Report notes that 2020 was a busy year for litigation, with 14 judgments delivered and/or orders made in proceedings to which the DPC was a party. The Report also discusses the proceedings in DPC v Facebook Ireland & Schrems (“Schrems II”), in which the CJEU gave judgment on 16 July 2020 in response to a preliminary reference from the Irish High Court in 2018. That reference arose from proceedings initiated by the DPC in 2016, in which it sought a reference in relation to the use of Standard Contractual Clauses (“SCCs”) for personal data transfers from the EU to the US. The CJEU upheld the validity of the SCCs, but it provided a detailed ruling in relation to transfers based on Article 46 of the GDPR and also declared the EU-US Privacy Shield decision to be invalid. Following this, the DPC initiated an inquiry into Facebook’s transfers of personal data to the US, and this inquiry was the subject of a judicial review by Facebook in 2020.

COVID-19

In the context of Covid-19, the DPC engaged with the Government in relation to areas such as the National Return to Work Safety Protocol and the Covid-19 contact tracing app (including providing an in-depth report on the data protection impact assessment for the app), with this activity expected to continue in 2021. The DPC consulted with the public sector in the context of the Leaving Certificate Covid-19 arrangements.

Binding Corporate Rules

A key focus of the DPC in the area of international transfers is the assessment and approval of Binding Corporate Rules (“BCR”) applications from multinationals seeking to take a uniform approach where they have subsidiaries on a global scale transferring data between them. The DPC was lead reviewer in 42 applications, and has had contact from a number of companies inquiring about transferring their lead authority for BCR purposes to the DPC. This was identified as significantly increasing the DPC’s workload in 2020.

Processing of Children’s Data

In December 2020, the DPC published its ‘Fundamentals for a Child-Oriented Approach to Data Processing’, with submissions open until 31 March 2021. In 2021, a core initiative of the DPC will be facilitating a project to draw up Codes of Conduct in relation to the processing of children’s data.

What’s next for 2021?

  • Of the 27 open cross-border statutory inquiries, the DPC expects to share between six and seven Article 60 draft decisions with other EU Data Protection Authorities this year. Those draft decisions are expected to concern inquiries into Facebook, Instagram, WhatsApp, Google and Verizon, among others.
  • The establishment and approval of Codes of Conduct for Code Owners in a specified sector pursuant to Articles 40 and 41 of the GDPR is expected to progress, with the DPC expecting to receive the first official draft Code early in 2021.
  • The DPC indicates that it will continue its focus on cookies investigations and enforcement actions throughout 2021, having regard to proposed reform in this area in the form of the European Commission’s proposed Digital Services Act and Digital Markets Act.
  • The Report identifies that complaints concerning employment law disputes have been heavily represented in 2020. Given the continued impact of the Covid-19 pandemic on employers and data protection implications around employee monitoring and return to work protocols, this can be expected to continue into 2021.

Also contributed by Catherine Walsh.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.