On 20 February 2020, Ireland’s data protection supervisory authority, the Data Protection Commission (DPC), published its annual report for 2019 (Report). The Report is the second report under the General Data Protection Regulation (GDPR) and is the first report based on a full calendar year under the GDPR.

2019 statistics

The Report reveals 2019 has been an exceptionally busy year for the DPC. It contains a number of interesting statistics, in particular:

  • Complaints: 7,215 complaints received; 75% increase from 2018; 29% in “access rights” category; 5,496 complaints concluded, and 457 cross-border processing complaints received through the One-Stop Shop mechanism

  • Breaches: 6,069 valid data breach notifications received; 71% increase from 2018 and 83% related to unauthorised disclosures

  • Inquiries: 70 inquiries as of 31 December 2019; 21 cross-border inquiries, and 49 domestic inquiries

  • Direct marketing: 165 new complaints investigated; 77 related to email marketing; 81 related to SMS marketing; seven related to telephone marketing, and prosecutions concluded against four entities

  • General consultation queries: 1,420 queries received; 44% from the private/financial sector, and 33% from the public sector

  • Data Protection Officers: 712 new Data Protection Officer notifications, bringing the total number to 1,596 at year end

  • Contacts: 22,300 emails; 22,200 telephone calls, and almost 4,000 items of post

  • Staff: increase from 110 at the end of 2018 to 140 at the end of 2019

  • Communications and guidance: 33 guidance documents, 18 blogs, 8 podcasts, 20,000 social media followers

  • Binding Corporate Rules: lead reviewer in 19 Binding Corporate Rules applications

Summary of key sections

Complaints

There has been a significant increase in the number of complaints received. As in previous years, access request complaints were the highest complaint type received by the DPC in 2019, at 2,064 complaints. A high proportion of these related to the failure of organisations to respond to an access request, or failure to release all the appropriate data on foot of an access request.

The DPC is the lead supervisory authority for a broad range of multinationals and the Report sets out that 457 cross-border complaints were transferred to the DPC by other data protection supervisory authorities in 2019.

Breaches

Some of the trends and issues related to breaches identified in the Report include:

  • Late notifications

  • Difficulty in assessing risk ratings

  • Failure to communicate the breach to individuals

  • Repeat breach notifications

  • Inadequate reporting

There has been an increase in the number of repeat breaches of a similar nature by a large number of companies, particularly in the financial sector, where the majority of breaches appear to be related to unauthorised disclosures.

Inquiries

Investigations into big tech companies continued to progress in 2019 with the first two inquiries moving from the investigative stage to the decision-making phase. The Report states that it is going to take time to implement the new legal frameworks under the GDPR but assures readers that “intensive work is underway”. The Report anticipates that 2020 will involve the reconciliation of many such complex legal issues which will flow from the conclusion of its first waves of statutory inquiries and the crystallisation in practical terms of many theoretical legal and procedural issues which have been raised during those first novel inquiries.

Cookies

In 2019, the DPC examined the use of cookies and similar technologies on a selection of websites across a range of sectors, including media and publishing, the retail sector, restaurants and food ordering services, insurance, sport and leisure and the public sector. The Report states that the quality of information provided to users in relation to cookies varied widely and confirms that during 2020, the DPC will produce updated guidance on cookies and other technologies. The Report notes that the DPC will place a strong focus on compliance in this area.

Children

The Report informs us that the DPC is now finalising its guidance document on children’s data protection rights and the processing of children’s data, having carried out an extensive consultation on the processing of children’s personal data. In tandem with the guidance, the DPC will publish a separate child-friendly guide which will explain to children their rights under data protection law and the risks that may arise when they disclose their personal data online.

Regulatory Strategy 2020-2025

Among the DPC’s key projects in the Report is its Regulatory Strategy 2020-2025. The DPC commenced consultations last year to understand people’s views on data protection rights, the role of the DPC, how compliance with data protection law should be encouraged, facilitated, and maximised, and how non-compliance should be regulated. The draft Regulatory Strategy is being developed and will be subject to a further open public consultation during 2020.

Case studies and litigation

The Report contains various case studies and details of litigation the DPC is involved in. The case studies cover matters including data subject rights and data breaches. The Report also contains summaries of the data protection elements of significant judgments delivered by the European Court of Justice (CJEU) during 2019, the litigation concerning standard contractual clauses in the Irish courts and the CJEU, and the DPC’s investigation in relation to the public services card.
