TUSLA becomes the first organisation to be fined for breaches of the GDPR
In May 2020, TUSLA, the Irish Child and Family Agency, was issued with multiple fines for breaches of the GDPR. The announcement of the first fine of €75,000, which related to three incidents, was confirmed mid-May with a further fine announced the following week.
A series of inquiries were launched by the DPC into TUSLA following notifications received from TUSLA relating to disclosure of personal data of children and their families to unauthorised parties. TUSLA processes personal data necessary to support and promote development, welfare and protection of children, and the effective functioning of families. This includes the processing of a large volume of special category data, i.e. health and welfare data, as well as criminal history information. This category of personal data is subject to stricter protections under the GDPR.
The reported breaches relate to three separate incidents. The first involved TUSLA accidentally disclosing contact and location data of a mother and child to their alleged abuser. Another incident reported involved the accidental disclosure of contact, location and school information of children in foster care to a grandparent, allowing the grandparent to contact the foster parent about the children. A further breach which has been investigated involved the accidental disclosure of the address of children in a foster family to their father who was in prison.
The confirmatory mechanism
Section 142 of the Data Protection Act 2018 (DPA 2018) permits the data controller or processor who is subject to an administrative fine to appeal to the court against the decision. TUSLA has indicated that it accepts its responsibilities and it does not intend to appeal the DPC’s decision. The DPC has, as is required under Section 143 of the DPA 2018, made a summary application to the Circuit Court for confirmation of its decision. The Circuit Court will then confirm the decision unless there is good reason not to do so.
If an administrative fine is appealed, appeals will be heard by the Circuit Court where the fine does not exceed €75,000 and by the High Court in any other case. The Circuit Court has jurisdiction to confirm an administrative fine of any amount where no appeal is brought.
DPC inquiries into TUSLA remain ongoing. The agency reported a number of other personal data breaches, which include inappropriate systems access, inappropriate disclosure by email and post, and security of personal data.
It is clear from these fines that the DPC will not hesitate to use its enforcement powers where there are serious failures by public authorities, whether acting as ‘Controllers’ or ‘Processors’, to comply with the provisions of the GDPR.
Other inquiries by the Data Protection Commission
More decisions from the DPC are expected to be issued shortly:
- Twitter: the DPC confirmed that it has concluded its investigation into Twitter. This inquiry stemmed from a complaint made to the DPC in November 2018 relating to the handling of a data breach. The DPC launched an inquiry into Twitter’s disclosure of the breach and its records of processing activities. As the ‘lead Supervisory Authority’ for Twitter, the DPC is required to liaise and cooperate with other ‘concerned Supervisory Authorities’ on cross-border decisions before issuing enforcement action under the GDPR. The purpose of this process is to promote consistency of data protection regulation across Europe. Since the Twitter decision will be subject to consultation by all the appropriate concerned regulatory authorities, it may take some time before agreement is reached on the appropriate sanction for these GDPR infringements. The DPC submitted a draft decision to other supervisory authorities in May. These regulators have four weeks to comment on the draft decision and if there are no objections, the DPC will issue a final decision.
- WhatsApp: Another preliminary draft decision has been sent to WhatsApp Ireland Limited for its final submissions before the DPC prepares its decision.
- Facebook: The DPC’s inquiry into Facebook has moved to the decision-making phase, the DPC having confirmed that the investigation phase of its inquiry into Facebook Ireland’s obligations to establish a lawful basis for personal data processing is complete.
‘Big Tech’ GDPR decisions on the horizon
The issuance of fines supplements the DPC’s focus on driving internal change through engagement with companies, and in setting precedents for other companies to follow in terms of how the GDPR should be applied. The ‘Big Tech’ decisions will set the bar in terms of assessing the level of financial penalty and the corrective measures which should be applied as a deterrent to technology companies who breach the GDPR. Further updates will be published on the William Fry website once the outcome of these investigations is released.
We are available to advise businesses with any data protection issues they face. Please contact any member of the Technology team or your usual William Fry contact with any queries.
Contributed by Michelle Clancy & Nicole Fitzpatrick