A Lookback at Data Protection for 2020: The DPC Publishes the 2020 Annual Report
The Data Protection Commission has published another annual report on what has been a challenging a year, and certainly a year of firsts for the body.

 

The Data Protection Commission (DPC) has published its annual report for 2020, which shows significant change and momentum in data protection regulation. For the first time, the annual report includes details of significant fines issued for breaches of data protection legislation. The report summarises several key ongoing investigations and decisions and unsurprisingly discusses the impact of and measures taken by the DPC in response to the global COVID-19 pandemic. It was another year of personnel (and expertise) growth for the DPC with the addition of five new officers and a higher financial budget for 2021. Another notable trend is that data security is becoming a more significant issue for organisations year on year.

Administration of Fines

The DPC issued its first administrative fines under the GDPR, with four separate fines issued to TUSLA, the child and family state agency, for personal data breaches. These fines, totalling €200,000, were issued between April and August 2020.

In December 2020, the DPC issued its first cross-border fine to Twitter for €450,000 for failure to notify a data breach. This case involved the first major-scale co-operation procedure decision in the EU under Article 60 of the GDPR, whereby considerations from other EEA Supervisory Authorities are required before a regulatory decision can be finalised or a fine imposed. This co-operation procedure has also been invoked by the DPC in actions against Ryanair, WhatsApp and Groupon. 

A draft decision on the WhatsApp inquiry is currently progressing through the co-operation procedure at EU-level, examining mainly whether WhatsApp has discharged its GDPR transparency obligations.  This WhatsApp inquiry is being closely watched because it may herald an era of much higher GDPR fines.

Litigation

The landmark Schrems II case concluded during the summer of 2020, resulting in confirmation that Privacy Shield is not a valid transfer mechanism under the GDPR but that standard contractual clauses may still be used, provided certain conditions are met by the laws and regulations of the data-importing jurisdiction. In total there were 14 litigation matters involving the DPC in 2020, many of which completed. These included the well-documented case taken by Peter Nowak who was seeking access to accountancy exam scripts and another involving the Department of Employment Affairs and Social Protection. Cases involving the Courts Service and Doolin (a case about the use of CCTV footage in the context of a disciplinary hearing) are both subject to further appeal.  In addition, the final order for costs in the Schrems II has not yet been perfected.

Inquiries

The DPC has 83 ongoing statutory inquiries, including 27 cross-border inquires. Among those are 12 involving Facebook (including Instagram), three involving Apple, three inquiries into Twitter, two for WhatsApp and Google and one inquiry into LinkedIn.  While there is clearly a focus on large tech companies, 56 statutory inquiries were also under way into a range of domestic companies and organisations including Yelp, An Garda Síochána, Bank of Ireland, TUSLA, the Catholic Church, the Irish Prison Service and the University of Limerick.

The common trends reflected in these inquiries include the lawfulness of data processing, transparency, rights of access and data breach investigations.  The report specifically notes that "another phenomenon [the DPC has] continued to see in 2020 was that of both organisations and individuals attempting to misuse the GDPR to obfuscate or pursue other agendas".

The DPC has also been investigating organisations specifically for 'cookie' compliance.  Following the commencement of enforcement action in October 2020, the DPC wrote to 20 organisations regarding non-compliance issues, warning that enforcement notices would be issued without further notice if non-compliance issues were not addressed within a 14-day period.  Subsequently, seven such notices were issued for breaches, including failure to obtain valid consent for the use of cookies and failing to provide clear and comprehensive information about the use of cookies on websites.

Key Trends

  • The DPC handled a total of 10,151 cases during 2020, an increase of 9% on 2019. Unsurprisingly, there were a significant number of COVID-19 related queries from individuals and organisations.
  • During 2020, the DPC received 4,660 complaints from individuals under the GDPR.  4,476 complaints were concluded during the year. As is now common, the largest source of complaints related to data access requests (1683) followed closely by complaints in relation to fair processing of data (1623) with other complaints relating to disclosure, direct marketing and the right to erasure.
  • The DPC was (validly) notified of 6,628 data security breach notifications, which is an increase of 10% on 2019. These notifications included:
    • 5837 incidents of unauthorised disclosure of personal information;
    • 146 notifications of hacking;
    • 275 incidents where paper was lost or stolen;
    • 48 instances where mobile devices were lost or stolen (only 19 were protected by encryption);
    • 146 instances of unauthorised access;
    • 61 notifications of unintended online publication;
    • 32 reports of ransomware attacks; and
    • 74 incidents of phishing (including social engineering).
  • The majority of breaches were as a result of human error as opposed to any systemic issues. This highlights the importance of ensuring robust internal organisational, as well as technical, procedures and controls are in place for staff.  This is particularly since most organisations have made the move to more frequent, if not exclusive, remote working.
  • Almost 40 pieces of guidance were published by the DPC, including podcasts and blogs, most notably perhaps the guidance in relation to the use of cookies technology and the guidance issued surrounding the "Fundamentals to a Child-orientated Approach to Data Processing", following an extensive consultation process. The DPC has an increased social media presence making information more accessible. The DPC also has an additional website resource, which allows people to access decisions made by the DPC.
  • The DPC concluded 147 electronic direct marketing investigations and prosecuted 6 companies for sending unsolicited text messages or e-mails to individuals, including Three (Ireland), Ryanair and the AA.

2020: Brexit and COVID-19

The DPC was also faced with new challenges from Brexit and the negotiations between the EU and the UK, which added more uncertainty to international personal data transfer rules. The final position reached at the end of 2020 by the EU and UK to allow a short-term initiative for free data flows between the EU and the UK eased this uncertainty somewhat and reports from the EU Commission on the progress of an adequacy decision in favour of the UK are also now very promising. UK adequacy, however, is not referenced in the DPC report.

Lastly, the DPC provided instrumental advice and consultation in respect of the COVID-19 efforts across the country, having engaged with the public health authorities on the COVID-19 contract-tracing app and the challenging issues around how COVID-19 PCR test results were communicated. 

A Look Ahead to 2021…

The DPC has increased resources with a 145 strong team of officers, which is likely to continue to grow and an increased annual budget of EUR19.1m.

 
 

Contributed by Nicole Fitzpatrick & Roisin Culligan

 

Key Contacts

John O'Connor Partner

Leo Moore Partner

David Cullen Partner

Related Practice Areas

Related Industry