In its second full year overseeing and regulating the GDPR in Ireland, the Data Protection Commission (DPC) has published its 2020 Annual Report, highlighting key observations, emerging guidance, and large scale inquiries and decisions of 2020.
Primary areas of focus for the DPC in 2020 included enforcement (under both GDPR & ePrivacy), breach notifications, data transfers (including an increase in BCR applications) and increased focus on the lead supervisory authority (or ‘One-Stop Shop’) regulatory mechanism.
Breach notifications to the DPC increased by 10% in 2020, reaching a total of 6,628 valid notifications. 90% of the recorded breach cases were concluded in 2020. In contrast, only 70 valid data breach notifications were received under the ePrivacy Regulations and 25 notifications under the Law Enforcement Directive.
Around 60% of the data breaches notified occurred in the private sector. Unauthorised disclosure of personal data continues to be the leading reason for breach notifications. Breaches attributed to security incidents, including hacking, unauthorised access, malware, phishing and ransomware attacks, accounted for 462 notifications. The DPC noted that organisations are not taking sufficient proactive measures beyond the initial implementation of their IT systems. The DPC recommends that organisations:
- undertake periodic reviews of their IT security measures;
- implement a comprehensive training plan for employees; and
- support that plan with refresher training and awareness programmes.
The report showcases the extensive enforcement work completed by the DPC in 2020. The DPC handled 10,151 cases in 2020 and had 83 statutory inquiries ongoing, comprising 56 domestic inquiries and 27 cross-border inquiries. This was a year of firsts for the DPC – it issued its first fine under the GDPR and its first decision under the GDPR’s Article 60 consistency mechanism; it also became the first supervisory authority to trigger the GDPR’s Article 65 dispute resolution mechanism. While a total of 11 decisions were issued this year, we anticipate that the DPC will keep up the momentum and issue decisions in several high-profile cross-border statutory inquiries as well as further domestic inquiries during 2021.
Decisions on New Surveillance Technologies
Two decisions issued during 2020 focused on surveillance technologies, including CCTV systems which lacked appropriate transparency measures and a lawful basis. State sector surveillance (through body worn cameras and drones), as well as local authorities’ use of CCTV cameras, was also a key focus. Nine local authorities were involved in statutory inquiries in 2020, and the DPC highlighted significant concerns about their lack of compliance, including their failure to discharge their obligations as data controllers.
ePrivacy Enforcement – Website Cookies & Marketing
Following a high-profile cookies investigation sweep in early 2020 and the release of refreshed guidance on cookies in April, the DPC gave organisations a 6 month period until October 2020 to bring their websites and apps into compliance. Seven organisations have since received Enforcement Notices, mainly in relation to invalid consent collection and non-compliance with transparency obligations. In addition, the DPC concluded 149 electronic direct marketing investigations in 2020, after receiving 144 new complaints this year. Six companies were prosecuted for direct marketing infringements, mainly for failing to obtain the valid consent required to send direct marketing communications by email and SMS. The prosecutions highlight the importance of ensuring that CRM systems capture all opt-out updates. The majority of the organisations in question failed to honour customer opt-outs due to technical failures in their systems or failure to provide a means to unsubscribe.
First Large Fine Against a Multinational Tech Company
The DPC imposed its largest fine to date of €450,000 (approx. $550,000) against a multinational technology company in connection with failures to report and document a personal data breach within the required timeframe. This case is particularly notable as it was:
- the DPC’s first draft decision to be submitted under Article 60 GDPR;
- the first time a supervisory body triggered the EDPB’s Article 65 Dispute Resolution Mechanism;
- the first draft decision in a “big tech” case on which all EU supervisory authorities were consulted as Concerned Supervisory Authorities (CSAs); and
- the DPC’s first fine imposed in a cross-border case.
Emphasis continues to be placed on the amicable resolution of complaints without the involvement of the DPC. Organisations have been reminded to take complaints seriously, to provide evidence to individuals that their complaints are being properly investigated, and to have in place the key data protection policies and safeguards needed to address any issues. Looking to the future, this will include having in place appropriate codes of conduct and certification to demonstrate, at the very least, a baseline level of compliance with the principles of the GDPR.
Data Transfers, BCR Applications & One-Stop Shop
The DPC, in common with supervisory authorities across Europe, has been reacting to the landmark Schrems II decision issued by the Court of Justice of the EU in July 2020 and the EDPB’s controversial draft recommendations which were published in November. As the authority that initiated the Schrems II proceedings, the DPC has been particularly active following the decision, having launched an inquiry into Facebook’s transfers to the US following on from the judgment and being involved in further litigation with both Facebook and Max Schrems.
In 2020 the DPC acted as lead reviewer in relation to Binding Corporate Rules (BCRs) applications from 28 organisations. The DPC also co-reviewed as a CSA and participated as part of drafting teams for Article 64 Opinions on 5 BCRs. The DPC reported that the workload in this area has increased following Brexit, with companies looking to transfer their lead supervisory authority for BCR purposes to the DPC under the GDPR’s ‘One-Stop-Shop’ (OSS) mechanism.
The OSS mechanism allows an organisation carrying out cross-border processing to be regulated by a single data protection authority: that of the EU member state in which it has its ‘main establishment’. In determining whether Ireland can be considered a company’s main establishment, key questions regularly asked by the DPC include the following:
- Where are decisions about the purposes and means of the processing given final ‘sign off’?
- Where is the Director (or Directors) with overall management responsibility for the cross border processing located?
- Where is the controller or processor registered as a company, if in a single territory?
In reviewing the answers to these and further queries, the DPC noted that organisations must be able to demonstrate effective and real exercise of management activities in Ireland that determine the main decisions as to the purposes and means of processing through stable arrangements.
In 2020, the DPC received 354 cross-border processing complaints through the OSS mechanism that were lodged by individuals with other EU data protection authorities.
Financial Services Sector Focus
The DPC proactively engaged with Irish companies and data protection officers in the FS sector. The DPC expressed concerns about excessive collection, processing and automated profiling of customer data by companies in pursuit of regulatory compliance. Those that process substantial quantities of customer data for AML purposes should undertake a data protection impact assessment (DPIA) to assess and minimise data protection risks. The DPC engaged in extensive consultations on the establishment of new databases under the 4th and 5th AML Directives. During 2020, the DPC also surveyed companies in Ireland’s rapidly evolving fintech sector and raised questions on topics such as international transfers and data subject rights.
Processing Children’s Data
Following the publication of its draft guidance on processing children’s data, the DPC has indicated a focus on children’s data protection rights, age verification processing, direct marketing/advertising to children and the issue of parental consent. Organisations processing children’s data such as those in fintech, social media, or state-sectors should note the key recommendations from the DPC in this guidance, known as the ‘Fundamentals’. The DPC is encouraging the development of Codes of Conduct for various sectors that process children’s data including ISPs & education sector providers.
Data Protection Officers
The DPC noted 570 DPO registrations during 2020. Building on its DPO Network which was established in 2019, the DPC is continuing its engagement with public bodies in particular, 77 out of 250 of which were identified as being potentially non-compliant with DPO requirements. The DPC noted that it will expand its compliance and monitoring activities in this area, and will take a sector-based approach to such monitoring.
DPC Strategy for 2021
Funding to the DPC continues to increase. 2020 saw an increase of €1.6 million on its 2019 budget. This will go towards increasing staff headcount and implementing IT infrastructure to help manage caseloads, workflow and reporting.
As well as continued monitoring and enforcement of compliance with regard to cookies, businesses can expect enforcement on DPOs and data transfers to pick up. Several big tech investigations by the DPC will be finalised in 2021, and corrective measures are expected not to be limited to monetary fines: enforcement notices and other corrective powers are also likely to be deployed in some cases. Such sanctions can prove even more costly than fines if business activities have to be put on hold.
John Magee, Caoimhe Bourke, Eilís McDonald & Hannah Gardiner, DLA Piper
If you have any questions, please contact your usual DLA Piper contact or the authors of this article.