Table of Contents
- OVERVIEW
- INQUIRIES CONCLUDED IN 2022
- DRAFT DECISIONS
- LITIGATION
- SUPERVISION
- CHILDREN'S DATA PROTECTION RIGHTS
- DATA PROTECTION OFFICERS
Overview
The Data Protection Commission has just published its report on its operations in 2022. Below you will find a summary of the major themes and issues which the report addresses.
Key Quote:
“…it is perhaps both the number – and value – of the fines levied by the DPC against big technology firms that have most visibly demonstrated the GDPR’s ability to enforce effective data protection.”
2022 Figures:
- Increase of +€4.1 mil in funding for the DPC.
- +9k new cases processed (this is a decrease of 14% on 2021 figures).
- 10k cases concluded.
- 5.8k valid breach notifications (down 12%).
- + €1 billion in punitive fines issued.
- 13 large-scale inquiries.
- 10,008 individual cases resolved.
- 4 successful prosecutions under ePrivacy legislation.
- Two-thirds of the fines issued across Europe last year were issued by the DPC.
- 88 Statutory Inquiries on-hand (as of 31 Dec 2022) – 22 of which are large scale cross-border inquiries.
- 125 valid cross-border complaints received.
- 322 consultation requests – with 41% from the Private Sector and 42% from the Public Sector.
- Guidance given on 30 proposed legislative measures in Ireland.
The most frequent GDPR topics for queries/complaints were:
- Access Requests
- Fair processing
- Disclosure
- Direct Marketing
- Right to be Forgotten
General points of note:
- The most frequent cause of breaches reported arose as a result of correspondence being sent to the wrong recipients (62% in total).
- The DPC brought about the postponement or revision of 7 scheduled internet platform projects with implications for the rights and freedoms of individuals. In doing so, the DPC has shown a willingness to use other potentially more significant corrective powers, e.g. orders.
- The DPC are hoping to reach a final decision on large-scale inquiries (such as the inquiry into Meta (Facebook)) in the coming months.
- Appeals against fines have caused a backlog of uncollected fines. This can amount to a lengthy process.
- The volume of preliminary references from national courts to the CJEU on issues not considered “acte clair” under GDPR has increased – there are 45 cases currently pending decision at the CJEU.
- Compensation cases in the EU are continuing on the same trend, with only conservative awards being made.
- There has been a marked improvement in the response of public sector bodies to access requests.
- The DPC received a total of 40 FOI requests in 2022. Five were granted, three were partially granted and 29 were deemed out of scope. The DPC’s regulatory activity is exempted from FOI requests.
- The operation of the One-Stop-Shop has generally not served individuals well when making complaints to the Irish DPC relating to the actions of companies in other EU member states. Additionally, this can sometimes involve the transmission of a complainant’s personal data around an unnecessarily large number of investigative staff in various EU DPAs. The Commissioner has said this issue requires examination by legislators to improve the timelines and appropriate handling of decisions for EU citizens.
- The DPC looks forward to working with other regulators, particularly in the area of protection of children online.
- Decisions to impose administrative fines on 6 different organisations were confirmed in the Dublin Circuit Court – all of these have been collected since and the funds have been transferred to the central exchequer. This includes the €17mil fine on Meta (Facebook).
- The DPC became a founding member of Ireland’s first Digital Regulators Group.
Inquiries Concluded in 2022
With fines imposed
Organisation | Issue | Fine Imposed |
Slane Credit Union | Personal data breach. | €5k |
Bank of Ireland plc | Unauthorised disclosures of customer personal data to the Central Credit Register and accidental alterations of customer personal data on the CCR. | €463k |
Meta (Facebook) | 12 personal data breaches. | €17mil |
Meta (Facebook) | Failure to implement appropriate technical and organisational measures designed to implement the purpose limitation principle and the integrity and confidentiality principle in an effective manner. | €265 mil |
Meta (Facebook) | Complaint-based inquiry concerning the legal basis on which Meta relies to process the personal data of users of its platform and certain issues relating to transparency information provided by Facebook to its users. | €210mil |
Meta (Instagram) | Processing of children’s data. | €405mil |
Meta (Instagram) | Complaint-based inquiry concerning the legal basis on which Meta relies to process the personal data of users of its platform and certain issues relating to transparency information provided by Instagram to its users. | €180mil |
Virtue Integrated Elder Care Ltd (VIEC) | Personal data breach. | €100k |
Fastway Couriers | Personal data breach. | €15K |
Without fines imposed
- “A Consultancy Provider” – Personal data breach.
- PIAB – Personal data breach.
- Twitter – Complaint relating to right of erasure.
- Pre-hospital Emergency Care Council – Monitoring & enforcement issue – failed to appoint a DPO.
- Allianz plc – Several personal data breaches.
- Airbnb – Complaint relating to right of erasure.
- Ark Life Assurance Company DAC – Personal data breach.
- An Garda Síochána – Personal data breach.
Draft Decisions
Article | Organisation | Issue | Status |
65 | WhatsApp | Complaint received from NOYB – concerned legal basis on which WhatsApp relies to process the personal data of users. | DPC sent a draft decision in this inquiry, received objections from other concerned SAs and was unable to reach a consensus with the CSAs. DPC referred the objections to the EDPB. |
60 | TikTok | Measures in relation to users under age 18. | Inquiry commenced in September 2021. The DPC submitted its Draft Decision to the Art 60 process in September 2022. Process is ongoing. |
60 | Yahoo! | Examining Yahoo’s compliance with the requirements to provide transparent info to data subjects. | DPC issued a Draft Decision in October 2022. Process is ongoing. |
60 | Meta (FB) | This is an own volition inquiry into the lawfulness of data transfers from the EU to US in relation to Facebook. | The DPC circulated its draft decision in the own-volition matter to the CSAs in July 2022, for the purposes of the co-decision making process outlined in Article 60 GDPR. In response a number of SAs raised objections or made comments on the decision. The DPC issued a composite response to the objections in September 2022. A number of the CSAs maintained their objections. The DPC subsequently triggered the Article 65 dispute resolution process which is still ongoing. |
60 | Airbnb | Complaint that Airbnb had unlawfully requested a copy of ID in order to verify the Complainant’s identity, who had not previously provided her ID to Airbnb. Also, failure to comply with the principle of data minimisation when requesting a copy of the individual’s ID in order to verify their account. | Airbnb claimed legitimate interests pursued by Airbnb as the lawful basis for requesting a copy of ID to verify identity in order to protect the safety and security of the users of the Airbnb platform. The DPC agreed that a legitimate interest existed in Airbnb ensuring it had adequate safety and security measures in place to protect users of the platform. The DPC took the view that the service operated by Airbnb is significantly different to a purely online service such as a social media platform. Given that Airbnb members stay at the premises of a host “in the real world”, the DPC recognised the importance of verifying the identity of hosts to ensure that they are who they say they are. Given that other means of validating this host’s identity failed, the DPC found that it was necessary to process the photo ID in pursuit of the legitimate interest. The DPC found that in a balancing test, the rights of the host were not prejudiced by this verification process. The DPC did not receive any relevant or reasoned objections to the draft decision from the concerned supervisory authorities under Article 60(4). |
Litigation
Title | Type of action & venue | Outcome | Status |
Agnieszka Nowak v DPC | Statutory Appeal at the Court of Appeal | Appeal made on DPC’s decision to reject a complaint. Appeal rejected and costs were awarded to the DPC. | Concluded. |
Ellen Thorsch v DPC and WRC | Statutory Appeal Carlow Circuit Court | Appeal made in respect of the points on which the DPC rejected a complaint. Appeal dismissed on the basis that it was time-barred. | Concluded. |
Director of Corporate Enforcement v. DPC and another | Circuit Court (Dublin) | ODCE appealed decision made by DPC to uphold a complaint from a Data Subject. Court allowed part of the appeal – noting that the DPC had not applied fair procedures in arriving at its decision. | Concluded. |
2019/008215 | Statutory Appeal at Circuit Court (Dublin) | Appeal made on DPC’s decision to reject a complaint. CC rejected the appeal and costs were awarded to the DPC. | Further appeal has been launched in the HC on a point of law. |
Aimee Scott v DP Commissioner (2019/03674) | Statutory Appeal at Circuit Court (Dublin) | Ms Scott appealed to CC regarding the DPC’s decision on a complaint she had made. CC refused the appeal. | Further appeal has been launched in the HC on a point of law. |
The Data Protection Commissioner v Cormac Doolin and Our Lady’s Hospice and Care Services (Notice Party) | Statutory Appeal at the Court of Appeal | Mr Doolin made an appeal on a decision made by the DPC regarding a complaint he had made. Overall, COA dismissed the DPC’s appeal and awarded costs to Mr Doolin. | Concluded. |
Aimee Scott v DP Commissioner (2021/04468) | Statutory Appeal at Circuit Court (Dublin) | Ms Scott made a complaint to the DPC alleging a barrister had unlawfully processed her personal data. The DPC found that the GDPR did not apply. The CC dismissed Ms Scott’s appeal against the DPC’s decision. | Appeal launched with the HC. |
Maximilian Schrems v Data Protection Commission (Notice Party – Facebook Ireland Limited) | High Court (Commercial) | Schrems brought his own judicial review proceedings challenging the DPC’s inquiry into Facebook’s EU-US transfers. | Concluded. |
Supervision
- Public Sector: Health, and Voluntary Engagement
  - Online Publication on Planning Data – During 2022, the DPC engaged in multi-stakeholder engagement to resolve issues arising from the online publication of personal data provided to local authorities in the course of the planning process.
  - Housing Agency Collaboration on Owners’ Management Companies guidance – In 2022, the DPC published detailed guidance on the Data Protection Considerations Relating to Multi-Unit Developments and Owners’ Management Companies (OMCs), following extensive collaborative engagement with the Housing Agency.
- Public Sector: Law Enforcement and Social Protection
  - Local Authority CCTV Scheme – The DPC received a DPIA from a local authority seeking to implement an expansive city-based community CCTV scheme. The DPC raised concerns about the justification for 24/7 surveillance and the intrusiveness of some of the cameras’ ‘smart’ capabilities.
- Tech Multinational Engagement
  - TikTok Legitimate Interest Assessment – TikTok tried to change its lawful basis for personalised advertising to legitimate interest; it has paused this in the wake of DPC engagement.
  - Chrome Privacy Sandbox engagement – Google engaged with the DPC to inform it about its Google Privacy Sandbox.
  - Google Workspace Cloud Privacy Notice Recommendations – Several recommendations were made to Google to improve contextual transparency, including in relation to the definition of terms used and retention periods.
  - Apple Maps – Engagement around collection of data for Apple Maps continued. Apple agreed to reduce certain retention periods from 18 months to 12 months.
  - Meta Emotional Health – Meta agreed to make a number of changes to the hub, including making the help centre article more prominent.
  - Combatting Child Sexual Abuse – Consistent engagement with Meta, LinkedIn, Microsoft, Google and Twitter to review their policies and controls around this material.
- Private and Financial Sector Engagement
  - KBC Bank and Bank of Ireland – DPC engaged with both to ensure appropriate porting of customer data.
Children’s Data Protection Rights
- In May 2022 the DPC published 3 short guides for children aged 13 and over on their data protection rights.
- Query from a public sector body received in September 2022 on targeting children with social media advertising.
- The DPC cannot give blanket endorsements of social media advertising tools, and it is up to organisations to decide on a case-by-case basis whether they can use such tools in a proportionate and privacy-preserving manner for a purpose that reflects the best interests of the child.
Data Protection Officers
- At the end of 2021 all but one public sector body had been brought into compliance with Article 37 of the GDPR. The remaining public sector body, the Pre-Hospital Emergency Care Council (PHECC), failed to respond to repeated efforts from the DPC querying the organisation’s designation of a DPO.
- The DPC finalised its Inquiry into PHECC in May 2022 and found that the failure to cooperate was without intent. However, no organisation may fail to answer multiple attempts to monitor compliance with Data Protection Law.
- In 2022, the DPC hosted 32 online webinars for members of the DPO Network.