1. EU Directive on representative actions for the protection of the collective interests of consumers 2020/1828
The object of this European Directive is to ensure that a representative action mechanism is available to protect consumer interests in all Member States while providing safeguards to avoid abusive litigation. The Directive applies to infringements by traders of any one of 66 regulations or directives contained in Annex 1, one of which is the GDPR. The Directive allows ‘qualified entities’ to seek relief on behalf of consumers. Relief includes injunctive measures and redress, which includes compensation.
This Directive will dramatically change the litigation landscape in Ireland where there is currently no means of bringing a collective action for compensation.
It is also important to note that the Directive makes provision for third party litigation funding. Member States are not required to allow such arrangements, but if they are permitted under national law, the Directive specifies a number of safeguards to ensure the integrity of the litigation. Third party funding is currently prohibited in Ireland under the rules of champerty and maintenance. While there is no indication yet, it is possible that we will see a change to the law in this area, precipitated by the EU Directive.
We may see a rise in “class action” style litigation in the privacy and data protection sphere with the coming into effect of this piece of legislation in 2023.
The Directive was published on 4th December 2020. Member States must adopt implementing measures by 25 December 2022 with the legislation becoming applicable on 25th June 2023. On 15 March 2021, the Department of Enterprise Trade and Employment launched a public consultation seeking submissions as to how certain aspects of the Directive should be transposed into Irish law. Further legislative activity is expected in 2022.
2. Data Sharing and Governance Act 2019
The object of the Data Sharing and Governance Act 2019 is to allow data sharing between public bodies. The Act allows for a more efficient and cost-effective service delivery by public bodies by providing a clear legal basis for the sharing of personal data in certain circumstances. The aim is to reduce the administrative burden associated with the need for individuals to provide their personal data to numerous public bodies.
2022 will see the commencement of the final sections of the Data Sharing and Governance Act 2019. The legislature adopted a phased commencement with all sections commenced except Section 6(2) and Section 6(3) which will commence 31st March 2022. Section 6 deals with the Act’s interaction with the Data Protection Acts and the GDPR. When these last sections are commenced in 2022, Section 38 Data Protection Act 2018 can no longer be relied upon as a legal basis for the sharing of data by one public body to another with public bodies having to rely on the provisions of the Data Sharing and Governance Act to facilitate such sharing.
3. DPC’s Regulatory Strategy 2022-2027
The DPC’s published its Strategy which sets out its vision for a crucial five years for data protection law. The DPC emphasises the need to take careful account of the needs of diverse stakeholders, and the fast-paced and non-traditional sectors it regulates. All strategic goals set out in the Strategy have been proposed as a means of “doing more, for more”. As the DPC has finite resources it will prioritise complaints of systemic importance and will seek a collective approach to enforcement throughout Europe.
The Strategy outlines five strategic goals. These are:
- Regulate consistently and effectively.
- Safeguard individuals and promote data protection awareness.
- Prioritise the protection of children and other vulnerable groups.
- Bring clarity to stakeholders.
- Support organisations and drive compliance.
We look forward to the DPC publishing the following guidance in 2022:
- quarterly case studies based on common complaint issues;
- guidance on complaint handling processes
- Updates on the development of codes of conduct and certifications to enable sectoral best practice
4. Children Front and Centre: Fundamentals for a Child-Orientated Approach to Data Processing (the Fundamentals)
The DPC published the final version of the Fundamentals, in 2021. This is the culmination of an intensive project over 3 years involving 3 separate stakeholder consultation processes (including a direct consultation with children), engagement with experts in the area of child rights, expansive research and a two-stage drafting process. With the publication of the Fundamentals, 2022 could see a new age in the processing of children’s data in Ireland, with controllers and processors more aware of their enhanced obligations and the issue stated as being a priority for enforcement by the DPC.
5. The DPC’s Budget for 2022
The DPC received additional funding of €4.1 million for 2022. This brings the total allocation for the DPC to €23.2 million. The funding will facilitate the recruitment of over 40 new staff, with specialised skill-sets in areas such as investigation, technology and legal. Tis further strengthens the DPCs capabilities with a likely increase in investigations and enforcement activity in 2022.
6. WhatsApp Appeal
On 2nd September 2021, the DPC concluded the investigation it conducted into WhatsApp Ireland Ltd, finding that WhatsApp had failed to discharge its GDPR transparency obligations with regard to the provision of information to both users and non-users of WhatsApp’s service. A fine of €225 million was imposed along with a reprimand and an order for WhatsApp to take a range of remedial actions.
WhatsApp launched an appeal in September 2021, initiating both a statutory appeal against the decision and judicial review. WhatsApp claims that the fine is unconstitutional and a contravention of the European Convention on Human Rights (ECHR). WhatsApp contends that the fine constitutes a criminal sanction and is an interference with WhatsApp’s constitutional property rights. In addition, WhatsApp claims that its right to fair procedures have been breached. Firstly, the Data Protection Act, 2018 does not provide for a full rehearing or a right of appeal in respect of all the DPC’s findings against it. Rather, it only allows the company to challenge the administrative fine. Secondly, the DPC which made the decision to open the investigation into WhatsApp, made the final decision. WhatsApp claims that the DPC does not constitute an independent and impartial tribunal as required under Article 6 ECHR.
Separate to this action, WhatsApp initiated judicial review proceedings against the DPC, Ireland and the Attorney General seeking an order to quash the decision to fine the company and an order that certain provisions of the Data Protection Act, 2018 are invalid and unconstitutional and incompatible with ECHR. The High Court granted WhatsApp leave to bring the challenge on 8th November 2021, with the judge adjourning the matter to a date in December. We await further developments in 2022.
7. DPC Launches TikTok Investigation
On 14th September 2021, the DPC commenced two own-volition inquiries in relation to TikTok’s compliance with requirements of the GDPR. The first inquiry will examine TikTok’s compliance with the GDPR’s data protection by design and default requirements as they relate to the processing of personal data in the context of platform settings for users under 18 and age verification measures for persons under 13. This inquiry will also examine whether TikTok has complied with the GDPR’s transparency obligations in the context of the processing of personal data of users under 18. The second inquiry will focus on transfers by TikTok of personal data to China and TikTok’s compliance with the GDPR’s requirements for transfers of personal data to third countries.
We expect to see further progress being made in 2022.
8. Instagram Inquiry
In September 2020, the DPC commenced an inquiry in relation to the processing of personal data of children by Instagram. On 3rd December 2021, the DPC submitted a draft decision under Article 60 GDPR to other Concerned Supervisory Authorities (CSAs) across the EU.
Inquiry Number 1 focused on Facebook’s reliance on certain legal bases for the processing of children’s personal data and its compliance with transparency requirements in its provision of Instagram to children. Inquiry Number 2 focused on Instagram profile and account settings and the appropriateness of these settings for children. In particular, the inquiry considers Facebook’s adherence with its data protection by design and default obligations under the GDPR in relation to Facebook’s responsibility to protect the data protection rights of children as vulnerable persons.
The CSAs have one month to send their ‘reasoned and relevant objections’ to the DPC. If the CSAs have no objection to the draft decision, then the draft decision will be binding. However, if the CSAs object, and the DPC intends to follow the relevant and reasoned objections made, a revised draft decision will be submitted to the other CSAs for their opinion. If it is the case that the other CSAs have dissenting views on the draft decision which cannot be reconciled, as was the case in the WhatsApp inquiry, then the decision moves to the European Data Protection Board (EDPB) for binding dispute resolution under the Article 65 process.
We await the views of the other CSAs in early January 2022 to determine what the next steps will be.