2023 was not short of significant supervisory authority action and legislative change in the ever-changing world of data protection. We expect to see further progress on the issues outlined below in 2024.
1. TikTok Appeal and Judicial Review Challenge
In September 2023, Ireland’s Data Protection Commission completed its inquiry into TikTok, finding the platform failed in its obligations as a controller of children’s data under the GDPR. In doing so, the DPC examined TikTok’s data processing in relation to: Platform Settings for children (including public-by-default and the family-pairing setting), Age Verification and Transparency Information for Children.
TikTok was issued with a reprimand, an order to bring processing into compliance within three months, and a 345 million euro fine, the largest TikTok has received from regulators.
TikTok has commenced an appeal to the Irish High Court. We await further developments on this in 2024 and on other statutory appeals against decisions of the DPC following DPC/EDPB decisions.
2. The Courts and Civil Law (Miscellaneous Provisions) Act 2023
The Courts and Civil Law (Miscellaneous Provisions) Act 2023 was recently enacted, allowing the DPC to bar publication of information relating to its proceedings.
Specifically, the DPC can issue a notice to a person requiring that they do not disclose information provided to them. These confidentiality obligations are limited under Section 26A(1), which states that the DPC may issue a written notice to a “relevant person” providing them with confidential information, directing the person not to disclose the information unless required by law or authorized by the commission.
We are likely to see notices issued in 2024, particularly where there are large scale inquiries being carried out. These notices may be subject to legal challenge by those impacted.
3. e-Privacy Regulations
Also in 2023, the DPC successfully prosecuted several organizations for breaching European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations (“e-Privacy Regulations”) related to electronic marketing.
The violations included sending unsolicited marketing communications, including phone calls, emails and messages, without consent or valid opt-out options. Consequences included 500 euro fines and the discharging of the DPC’s legal costs.
The DPC has warned that organizations should remain cognizant of these regulations, as it will continue to prosecute those that fail to comply, so this is likely to be an area of further enforcement in 2024.
We recommend that all clients take lessons from 2023 data protection decisions and legislative changes. This includes an increased awareness of the sensitivity of processing children’s data, enhanced powers of the DPC and meeting the consent requirements in line with the e-Privacy Regulations in business marketing communications. Pembroke Privacy is here to assist in this process and can provide you with advice on enhancing compliance in your organisation.