Ireland: New DPC Guidance & Launch of Regulatory Strategy Show Greater Emphasis on Privacy by Design & Default

By John Magee & Eilís McDonald

As 2019 drew to a close, it was a busy time for the Irish Data Protection Commission (DPC). With the traditional end of year rush, as well as a significant amount of focus in data protection circles on the Advocate General’s opinion in the Schrems II case,  privacy professionals could be forgiven for missing out on three new publications issued by the DPC during December alone.

A common thread running through the new guidance is an increased focus from the DPC on the requirements of privacy by design and default.

  • The DPC’s Take on Digital Assistants: With many large technology multinationals supervised by the DPC under the GDPR’s one-stop shop regulatory mechanism, the DPC pays particularly close attention to emerging technologies such as voice enabled or controlled devices. The DPC placed an emphasis on the importance of embedding the data protection principles, as well as the principles of privacy by design and default, into the technology behind digital assistants such as Siri, Alexa and Cortana. The DPC is currently engaging with organisations to ensure that measures which implement data security are built into these technologies from the outset, rather than them being an afterthought during an investigation.
  • Public Consultation on the DPC’s Regulatory Strategy 2020-2025 – Consultation on Target Outcomes: The DPC looks back on some of the legislative change which has impacted the processing of personal data, in Ireland and internationally, while setting out a 5 year regulatory strategy. The strategy focuses on:1. consistency of regulation;
    2. clarity on the application of the law;
    3. organisations operating and innovating in an accountable, compliant, ethical and fair way in their processing or personal data;
    4. an increased understanding among data subjects as to how their data is used; and
    5. the increased protection of children’s personal data.The consultation demonstrates the DPCs desire to engage with organisations and includes a reminder for them to embed a culture of privacy by design within their operations. This first round of public consultation is open for submissions until 24 January 2020.
  • Guidance Note: Legal Bases for Processing Personal Data: This new guidance contains a thorough overview of all relevant legal bases under GDPR. The DPC commented on the potential benefits to organisations of relying on the legal basis of legitimate interests. The DPC encourages controllers not only to consider it as a potential alternative to relying on consent, but also to consider that for many situations, it both provides greater flexibility as well as an opportunity for to genuinely consider the balance of interests between their organisation and the rights and freedoms of data subjects. The DPC also reminded businesses that the legal basis of compliance with a legal obligation can include complying with common law requirements.

For any further information, please contact the authors or your usual DLA Piper contact.