On March 7th, 2023, the Data Protection Commission (DPC) published its 2022 Annual Report. Once again, this year’s report highlights the volume of work undertaken as well as some large-scale inquiries that were concluded throughout the year. These inquiries resulted in decisions on infringements and, in many cases, the imposition of corrective measures. The DPC also reports that the value of fines imposed exceeded €1 billion, which amounts to two-thirds of the total fines issued by supervisory authorities in the EEA and UK last year. This article looks at some of the key highlights from the report and what’s next for the DPC in 2023, with a focus on what organisations can do to address the issues raised in the report.
The DPC received 2,700 complaints in 2022. As with previous years, the majority (42%) related to access requests. 2022 seems to confirm the trend, previously noted by the DPC, whereby controllers have difficulty in appropriately replying to access requests. Organisations can avoid the same issues by having a clear set of procedures on the processing of access requests and providing focused training to relevant staff.
The DPC received a total of 5,695 valid personal data breach notifications, a 13% decrease on 2021. Once again, unauthorised disclosures to one or a small number of individuals made up the majority of the breaches (62%). Postal material and emails sent to an incorrect recipient accounted for 3,017 notifications alone. These types of breaches can be reduced significantly when organisations provide regular data protection training. Additional reductions can result from having clear procedures in place for all processing activities.
The public sector and banks make up the ‘top ten’ organisations with breach notifications recorded against them. Insurance and telecom companies also feature prominently in the ‘top twenty’. As a result of the investigations into these breaches, the DPC noted that it issued fines and sanctions to a number of financial, insurance and public sector organisations, naming the Bank of Ireland, An Garda Siochana and Limerick City and County Council among them. Following the decision published against Bank of Ireland, the DPC saw a noted increase in reports from other financial institutions, likely because they applied the learnings from that case.
Notably, there was a 176% increase in breach notifications under the ePrivacy Regulations. This resulted directly from the expanded definition of “electronic communication service”, which brought services such as messaging services into scope.
In her opening statement, Helen Dixon, Commissioner, provides a unique insight into the DPC’s frustration with the current ‘One-Stop-Shop’ mechanism and the handling of cross-border complaints. Under the ‘One-Stop-Shop’ mechanism, a citizen of Ireland with a complaint about an organisation in another EEA country must make their complaint to the DPC, and it is then handled between the DPC and the relevant supervisory authority. Ms. Dixon noted that of the complaints lodged in Ireland against an organisation in another member state, only 48% have been resolved via other EU data protection authorities. In contrast, 71% of the complaints redirected to the DPC from other member states have been resolved. Ms. Dixon plainly stated that “the operation of the ‘One-Stop-Shop’ in these matters often does not serve individuals well”.
Large-Scale Inquiries and Fines
The DPC concluded 17 large-scale inquiries over the course of the year. Some of the notable fines issued were:
- Three decisions against Facebook resulting in fines of €17 million, €210 million and €265 million.
- Two decisions against Instagram resulting in fines of €180 million and €405 million.
- A fine of €463,000 against Bank of Ireland for unauthorised disclosure of personal data to the central credit register.
In addition to fines in these inquiries, the DPC also issued multiple reprimands and compliance orders.
The DPC noted that six of its fines were confirmed by the Dublin Circuit Court. However, a number of large-scale fines are subject to appeal in the Irish court system and may also entail references to the Court of Justice of the European Union on matters of interpretation of the GDPR.
Data Protection Claims
2022 saw the first civil action for compensation under the Data Protection Act 2018. SIPTU members took a case against the union after it had sent an email containing their personal details to 212 other members. The claimants sought damages for loss and distress, but put forward no other evidence of actual loss suffered. The Circuit Court rejected the claim on the grounds that more than minimal loss was necessary. The claimants were ordered to pay SIPTU’s costs.
Outlook to 2023
The report acknowledges that the data protection landscape continues to develop and that 2023 is expected to bring more decisions from the Court of Justice of the European Union. The coming year is also significant in that it sees the Digital Services Act and the Online Safety and Media Regulation Act come into force, altering the technology landscape. The establishment of the Digital Regulators Group means that the DPC will no longer be alone in taking enforcement action against big tech.
Based on the 2022 report, it is clear that organisations need to do more to ensure their staff know how to respond to an access request and how to avoid data breaches resulting from human error. Providing both training and procedures will go a long way towards reducing issues with both. To help organisations avoid the non-compliance issues mentioned in this year’s report, Trilateral’s Data Governance and Cyber-Risk Team has significant experience supporting organisations in implementing appropriate security measures for personal data and in raising internal awareness of the importance of data protection. We offer a range of data governance services that can help your organisation develop policies and procedures for ongoing compliance. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support. Please feel free to contact our advisors, who would be more than happy to help, for more information.