This week (on 20 February 2020) the Data Protection Commission launched its annual report for 2019.
The report highlights the activities of the Data Protection Commission (DPC) in the past year, the first full year since the GDPR commenced. Some highlights of interest include topics such as complaints made, Data Subject Access Requests, direct marketing activities, data breaches, statutory enquiries, cookies, consultations, Data Protection Officers, case studies and litigation.
Some highlights and points to note on the report are as follows:
A total of 7215 complaints were received by the DPC in 2019. Access Requests was the highest complaint-type received by the DPC (29%). Complaints relating to unfair processing of data (16%) and disclosure (19%) were also received in high volumes.
Data Subject Access Requests
During 2019, the DPC received 2,064 complaints relating to the right of access, a high proportion of which dealt with the failure of data controllers to respond to an access request, or failure to release all the appropriate data on foot of an access request.
The right of access is an important fundamental right. However, it is not an absolute right. Article 23 of GDPR prescribes a mechanism to permit restrictions to the right. This enables member states to introduce their own exemptions in national legislation. In Ireland, exemptions were provided in Section 60 of the 2018 Data Protection Act.
The DPC notes in its report that any restriction relied upon by data controllers must respect the essence of the fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest. This issue will be examined by the DPC in any case where exemptions are relied on. This means that organisations must be able to demonstrate their robust internal processes to balance the rights of the various parties when considering whether an exemption applies.
The right of access is a fundamental right, so there is a presumption in favour of disclosure on the part of controllers. It is critical that organisations implement appropriate processes to manage access requests. Particularly, given that this is the most likely way that an organisation will have a complaint made about it to the DPC.
Read more about Pembroke Privacy’s Data Subject Rights Services.
6,069 valid data security breach notifications were recorded, with the largest single category being “Unauthorised Disclosures” which made up 83% of all breaches. However, perhaps more importantly, trends indicate a significant rise in the number of breach complaints being made by individuals. In 2019, the DPC handled 207 data-breach complaints, in comparison to the 48 data-breach complaints between 25 May 2018–31 December 2018.
The majority of complaints related to unauthorised disclosures, predominantly:
- emails/letters to incorrect recipient;
- administrative processing errors;
- verbal disclosures;
- papers lost or stolen; and
- unauthorised access to personal data in the work- place.
The DPC noted increased correspondence from individuals expressing dissatisfaction with the way organisations who control, or process personal data have communicated with them, particularly regarding data breaches and the subsequent remedial actions the controller has taken. Greater adherence to the amicable resolution process set out in Section 109(2) of the Data Protection Act 2018 would lead to earlier resolutions in many such instances and a reduction in the number of queries being brought forward to the DPC.
Some of the trends and issues identified in terms of data breaches include:
- late notifications;
- difficulty in assessing risk ratings;
- failure to communicate the breach to individuals;
- repeat breach notifications; and
- inadequate reporting.
It is clear that data controllers need to improve their processes for managing data breaches so that a breach does not result in data subjects complaints. While breaches can and do happen, the problem is often exacerbated by ad hoc and ineffective breach notification processes.
Breaches can lead to formal statutory inquiries by the DPC and litigation. Some examples are given in the report:
- HSE South – where a data breach led to statutory inquiry. The inquiry related to the discovery of hospital records by a member of the public. Hospital documents containing personal data (name, date of birth, clinical details, and treatment) of 56 patients were found by a member of the public at a recycling facility in Cork. Previously, there had been seven similar breaches reported to the DPC for the same HSE Area. The DPC launched a formal statutory investigation, which is ongoing. A statutory inquiry can result in fines and administrative sanctions being imposed by the DPC.
- It is also important to note that data controllers and processors may be liable under Section 117 of the Data Protection Act 2018 to an individual for damages if they fail to observe the duty of care they owe in relation to the personal data in their possession. An example of this is provided in relation to a complaint and litigation arising out of a data breach in a HSE Hospital. In that case, a hospital porter (who was a contractor to the hospital) released data relating to a patient’s attendance at early pregnancy unit. The case was ultimately settled between the patient and the hospital. This case reminds us of the importance of ensuring that third parties engaged by a data controller must be properly vetted and appropriate agreements put in place and that data protection training must be undertaken by all staff so that all employees and contractors understand their data protection obligations. A failure to manage this appropriately can result in in data breaches, sanctions, fines and litigation.
More on our data breach response services.
The DPC received 712 Data Protection Officer notifications, bringing the number to 1,596. The DPC also notes that the statutory inquiry into the treatment of the DPO at the Department of Social Protection is ongoing. The new DPO’s Network will be launched on 31 March 2020 with a conference addressing issues and concerns facing DPOs. Kate Colleary, director of Pembroke Privacy will be speaking at the conference and chairing a session on Data Subject Rights.
Cross Border investigations
As Lead Supervisory Authority for many large tech companies with their place of main establishment in Ireland, the DPC has been busy undertaking investigations and statutory inquiries in that sector. We are now starting to see some trends in the investigations being undertaken. The DPC is currently assessing the lawful basis for data processing and transparency of processing in relation to behavioural analysis and targeted advertising on Apple, Facebook, Instagram, WhatsApp and LinkedIn and ad tech company, Quantcast. In an investigation into Google, the DPC is looking at the processing of personal data in the context of the ‘Real-Time Bidding’ (RTB) process facilitated by Google’s proprietary Authorised Buyers mechanism. Again, the Google inquiry looks at lawful basis, retention and transparency. These themes crop up again and again in investigating the large tech companies.
The standard of consent that controllers must obtain from data subjects must now meet the GDPR level of consent, i.e. it must be freely given, specific, informed and unambiguous and controllers must be able to demonstrate that it was an active indication of the data subject’s wishes. This has also been considered by the CJEU (Court of Justice of the EU) in the Planet 49 case. In that case, the CJEU confirmed that only active behaviour can fulfil the requirement of consent as only active behaviour, such as actively ticking a box, can dispel ambiguity. Secondly, the CJEU found that consent cannot be presumed and noted that the requirement of active behaviour is also confirmed by the GDP. The definition of consent is even more stringent in the GDPR than in previous legislation as the GDPR expressly requires active consent and expressly excludes the possibility of using pre-ticked boxes for the collection of valid consent. Applying this definition of consent, the CJEU held that consent is not valid if cookies are permitted to be placed by way of a pre-checked checkbox which the user must de-select to refuse consent.
It is crucial that organisations review their cookie polices to ensure that they accurately reflect the cookies actually used; correctly categorise those cookies and embed privacy by design into cookie tools so that all cookies except those that are strictly necessary, are only implemented when a user actively consents to their use by eg ticking a box or using a consent sliding tool.
Read more about cookies and their importance here
It is clear from the 2019 Annual Report that the DPC’s office has had a busy year. This was to be expected in the first full year since GDPR took effect; and particularly given the DPC’s role as lead supervisory Authority for many of the large tech companies based in Ireland. However, the report shows that the DPC is balancing its international regulatory obligations with the regulation of local organisations. In all, the annual report covers a wide swathe of processing activities in varied sectors. It’s a useful indication of the DPC’s concerns and priorities moving into 2020.
If you have any questions about our services please contact us at firstname.lastname@example.org.