knowledge 6 December 2018 |

Highlights of the Annual Report of the Data Protection Commissioner 2018

Key issues and developments described in the Report include:

Update on the ODPC

The ODPC’s funding has been raised significantly (€1.7 million to €11.6million in the past five years), acknowledging the expanding role it plays as one of the leading data protection authorities in the EU. The primary objectives of the ODPC for this period included further developing the capabilities of the ODPC, collaborating with EU and international data protection authorities and other regulatory bodies, driving better awareness and compliance and ensuring effective oversight and enforcement.

During this period, the Special Investigations Unit of the ODPC (which is empowered to carry out investigations of its own initiative rather than waiting for complaints), focused on the private investigations sector, the Public Services Card and Tusla Child and Family Agency. It also investigated the processing of patient sensitive data in Irish hospitals and its published report was disseminated to every hospital in the State¹.

Complaints

While the number of individual complaints was in line the corresponding period in 2017, the ODPC expects there will be an increase with total number of complaints for 2018. The largest single category of complaints related to data subject access requests (45% of complaints). The ODPC investigated 41 new complaints under the Irish e-Privacy Regulations² in relation to electronic direct marketing (such as email, text message and telephone marketing etc.). A number of these investigations led to 46 successful prosecutions against three separate companies in the District Court. Other complaints related to CCTV footage, unfair processing of data, retention of data and the failure to secure data. The majority of complaints were resolved amicably, however, the ODPC issued 12 formal decisions on foot of such complaints.

Data Breach Notifications

The ODPC recorded 1,200 valid data breach notifications in the period (made under the Code of Practice that applied as part of the pre-GDPR regime), the majority of which related to unauthorised disclosures. Other typical examples of data breaches notified include loss of personal data held on smart devices e.g. laptops, USB keys etc. and compromised network security or website security breaches e.g. ransomware, hacking, phishing etc.

In the Report, the ODPC paid special attention to breaches involving a cloud-based environment and identified a number of common factors in such breaches. The ODPC also recommended a number of steps which should be taken by controllers employing cloud-based environments. These common risk factors and recommended steps will be of interest to both controllers and processors operating in cloud-based environments.  

Multinationals

The ODPC has been heavily involved in preparing to assume the role of Lead Supervisory Authority for multinational companies that have their “main establishment” in Ireland, in accordance with the GDPR. Such preparations were focused particularly on large-scale personal data processing by global multinational companies with EU headquarters in Ireland, such as Facebook, LinkedIn, Google, Microsoft, Twitter, Oath EMEA, Ancestry and SurveyMonkey. This engagement focused primarily on the implementation of GDPR obligations and concepts and the Report indicates that such engagement resulted in some technology-based multinationals altering and updating their approach to GDPR compliance in light of input from the ODPC.

Supervision

• Facebook - the ODPC has been actively supervising Facebook, particularly since the issue of third party access to Facebook user data came under the spotlight in early 2018. The ODPC has been monitoring Facebook’s governance of the activities of app developers and their capacity to swiftly identify “bad actors”. The ODPC has also been keen to ensure that Facebook is mindful that its proposed facial recognition feature is a form of biometric data and therefore a special category of personal data under the GDPR. The ODPC is continuing its examination of the facial recognition facility.
• LinkedIn – the ODPC concluded its audit of LinkedIn following a complaint concerning LinkedIn’s obtaining and use of email addresses for the purposes of targeted advertising on Facebook. The ODPC investigation identified that LinkedIn US, acting as processor for LinkedIn Ireland (the controller), processed hashed email addresses of approximately 18 million non-LinkedIn members and targeted them without instruction from LinkedIn Ireland. The wider systemic issues identified concerned the ODPC, which commenced an audit (notwithstanding the initial complaint being resolved). The audit found that LinkedIn US was processing a suggested professional network for non-LinkedIn members and, as a result, LinkedIn Ireland instructed LinkedIn US to cease all such processing and to delete all associated data.     
• WhatsApp - the ODPC has been supervising WhatsApp’s cooperation with Facebook on an on-going basis, particularly in respect of its data sharing with the social networking company.
• Oath (EMEA) Limited (“Oath”) - the ODPC concluded its investigation of a data breach at Oath (previously Yahoo! EMEA Limited) which involved the unauthorised copying of material relating to 500 million user accounts. The ODPC found that Oath’s oversight of the data processing performed by its processor did not meet the standard required by EU data protection law.

Audits

The ODPC carried out 23 audits in respect of compliance with data protection legislation. In carrying out audits, the ODPC seeks to balance on-going monitoring of high-risk, large scale processing and specific issues which arise and warrant further scrutiny.

The ODPC built on work in 2017 in relation to the Credit Register through focused audits of Bank of Ireland and Drumcondra Credit Union. There were also a number of audits of letting agents in response to complaints regarding the level of personal data requested by letting agents and landlords in the residential sector, e.g. photo ID and PPSNs. The ODPC concluded that there is no basis for requiring such data at the pre-tenancy stage in the absence of a legitimate business reason, but there may be grounds at the contract stage. In respect of bank statements, the ODPC was of the opinion that it is reasonable for landlords or agents to request documentation evidencing the individual’s capacity to pay rent. However, the ODPC also indicated that details of specific account transactions (including narratives) will generally not be necessary and running balances should be sufficient to demonstrate capacity to pay.

The ODPC identified several themes arising from its 2018 audits, including retention of data, CCTV policies, the collection of PPSN, data sharing agreements and cookies. It is worth noting that, in respect of cookies, the ODPC stated that consent which is required to be obtained for the purposes of the Irish e-Privacy Regulations (which transpose the ePrivacy Directive in Ireland) should be construed as GDPR-compliant consent.

Update on Litigation

The DPC continued to contribute to a range of Circuit Court and High Court litigation related to data protection principles and provisions. The following cases are particularly worthy of note:

• Nowak v Data Protection Commissioner and Institute of Chartered Accountants in Ireland³: Mr Nowak, having failed an examination set by the Institute of Chartered Accountants in Ireland (“CAI”), sought access to his examination scripts. CAI refused on the grounds that it was not personal data. The ODPC agreed with this decision. The case was ultimately referred to the Supreme Court, which in turn referred a question to the Court of Justice of the European Union (“CJEU”). The CJEU found that written answers submitted by a candidate at a professional examination, and any comments made by an examiner with respect to those answers, constitute personal data. In separate, related proceedings, the High Court held that a controller is obliged to communicate the relevant information to a data subject, not in its original form, but rather in an “intelligible form”. This gives discretion to the controller to decide the form in which the data is communicated as long as it is sufficient to allow the data subject to become aware of the data.
• Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems⁴: In April, the High Court issued a request for a preliminary ruling from the CJEU in the context of a complex case about the validity of standard contractual clauses that allow for the transfer of personal data from the EU to the US. Facebook sought a stay on the reference to the CJEU pending an appeal of the making of the reference itself. The appeal against the reference is due to be heard by the Supreme Court in January 2019, however, the reference to the CJEU has not been stayed in the interim and is pending before the CJEU.

Binding Corporate Rules

Binding Corporate Rules (“BCRs”) aim to ensure organisations employ a global approach to data protection where the organisation consists of several subsidiaries located around the world. The ODPC acted as lead reviewer in 13 applications for BCRs and has given final approval to four of these applications, namely Workday Limited; Docusign Limited; VMware International Limited; and Twilio Ireland Limited. The ODPC also assisted as co-reviewer on five sets of BCRs during this period. It is considering a number of further BCR applications.

Notification System

In response to the requirement under the GDPR for controllers to notify the ODPC of their Data Protection Officers (“DPOs”), the ODPC implemented an online form available via dataprotection.ie to facilitate organisations notifying the ODPC of their DPO.