At the end of February 2019, Ireland’s Data Protection Commission (DPC) released its first post-General Data Protection Regulation (GDPR) Report. The Report covers the period from 25th May to 31st December 2018. In this piece, we take a look at some of the highlights and key takeaways in the Report. The Report gives an indication of the types of issues of interest to the DPC. This is very useful for organisations as they seek to prioritise their data protection initiatives.
The Report in numbers
The Report has a number of interesting statistics:
- 2,864 – the number of GDPR complaints that were made to the DPC.
- 35 percent – the portion of complaints relating to Data Subject Access Rights. Access rights continue to be a key area of activity but make up a smaller portion of overall complaints compared to 2017.
- 3,542 – the number of breaches that were notified to the DPC.
- 18 – the number of formal decisions issued by the DPC. 13 upheld the complaint and 5 rejected it.
- 11 – the number of Binding Corporate Rules (BCR) applications with the DPC as lead regulator.
- 900 – the number of Data Protection Officer (DPO) notifications received by the DPC.
These numbers are reflective of an increase in individuals’ awareness and exercise of data protection rights, and the increased engagement between the DPC and the business community.
The Report confirms the DPC’s role as a central jurisdiction for cross-border data protection complaints. The Report sets out the DPC’s views on the new complaint-handling mechanism under the Irish Data Protection Act 2018. Where an amicable resolution is not possible, the DPC is no longer legally obliged to make a formal, statutory decision. Instead, the DPC has a range of tools including providing advice to the complainant, issuing statutory notices to controllers or processors, and opening statutory inquiries.
The Report underlines the cross-border element of the DPC’s role. In anticipation of the DPC’s cooperation and consistency engagement with the European Data Protection Board (EDPB), a One-Stop-Shop Operations team was established. The DPC received 136 cross-border processing complaints. To manage this process, a new system of online data sharing – the EU IMI system – has been rolled out between the various European Data Protection Authorities (DPAs).
During the period covered by the Report, the DPC also received 16 requests for mutual assistance from other DPAs. These requests related to matters such as transparency, the interaction of the GDPR and the ePrivacy Directive, and digital advertising in the ad tech sector.
The DPC opened 15 statutory inquiries in relation to the GDPR compliance of multinational technology companies. The inquiries were commenced on the basis of complaints received, due to specific breaches notified, and, in certain cases, of the DPC’s own volition. Ten of the investigations were about Facebook.
One of the investigations into Facebook is especially wide-ranging, examining whether the company has met its obligations “to secure and safeguard the personal data of its users.” Twitter faces a similar probe, the Report says. The Report underscores how much Facebook’s handling of personal data is dominating both legal and policy conversations in relation to data protection across the European Union.
DPC in 2019
The Report contains various references to the DPC’s intended activities during the rest of 2019:
- Rolling out a Data Protection Officer (DPO) network, offering opportunities for peer dialogue amongst DPOs;
- Communicating with relevant organisations regarding their obligation to appoint a DPO under the GDPR;
- Building on efforts in 2018, continuing engagement with the private and financial sector, focusing in particular on transparency compliance and the challenges around the presentation and readability of privacy notices;
- In cooperation with EU counterparts, continuing as a stakeholder in relation to ad tech and the online advertising world.
When you analyse the GDPR complaints which the DPC has received, the majority relate to “Access Requests” and “Unfair Processing of Data”. The Report makes it clear that organisations must have policies and procedures in place that facilitate the rights of data subjects. They must also process data in a manner that is lawful, fair and transparent.