A productive year: Ireland’s Data Protection Commission

Due to the colocation of several US technology giants in Ireland, the Irish Data Protection Commission (DPC) is, in certain circumstances, the lead supervisory authority of ‘big tech’ in Europe. eolas provides an overview of its performance in 2020.

Led by Commissioner for Data Protection Helen Dixon, at its core, the DPC is the national supervisory authority in Ireland responsible for “upholding the fundamental right of EU persons to have their personal data protected”. The role of Ireland’s DPC is multifaceted and balances complaint processing and resolution with systemic supervision and investigation. 2020 was a year of significant progress and substantial output for the DPC.

Tasked with supervising the application of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), the DPC also supervises several additional legal frameworks including the Law Enforcement Directive (LED) and Data Protection Act 2018, as well as the e-Privacy Regulations.

The DPC’s work ranged from the culmination of legal proceedings it initiated in the High Court in 2016 relating to EU-to-US data transfers, to the conclusion of 6,000 complaints and liaisons with the Government on legislative initiatives.

Through GDPR, the EU sought to establish a One-Stop-Shop (OSS) mechanism to streamline how multinationals which operate in more than one EU member state interact with data protection authorities. These companies are subject to oversight from a single supervisory authority in the member state where they have a ‘main establishment’.

As such, Ireland’s DPC often operates as the lead supervisory authority for investigations. In 2020, it received 354 cross-border complaints through the OSS mechanism, lodged with other EU data protection authorities.

2020 was the second full year of the application of the General Data Protection Regulation (GDPR) which comprehensively regulates every sector. The DPC emphasises that the GDPR is an ongoing project, with many areas that “remain for exploration to the benefit of organisations and data subjects alike, including data codes of conduct and certification”.

However, the DPC is not immune from criticism. In the last year, some of the most prominent criticisms have related to the perceived leniency of the fine handed down to Twitter International Company (TIC), the efficiency of its decision-making process and the fact that international data transfers have not been immediately blocked.

Decisions made by the Irish Data Protection Commission are the first that have progressed through the Article 65 dispute resolution mechanism. Previously, Data Protection Commissioner Helen Dixon has criticised the fact that very little had been written about the first Article 65 decisions and “what has been clarified in terms of documenting a breach and how it must be distinguished from an incident tracking”.

Responding to the criticism that the fine issued to Twitter International Company was insufficient, Dixon asserts that the objective of the inquiry was to reasonably prove that there were infringements and apply a proportionate fine.

Large-scale inquiries

Through statutory inquiries, the DPC determines whether infringements of data protection legislation have occurred and, where these occur, it decides on the corrective power to be exercised. In 2020, the DPC issued detailed decisions in respect of its inquiries.

At the close of 2020, the DPC was pursuing 83 statutory inquiries, 27 of which were cross-border inquiries. Organisations under investigation range from Apple Distribution International and Facebook Inc. in cross-border inquiries to An Garda Síochána, Bank of Ireland and the Catholic Church in domestic inquiries.

A final decision issued through the Article 65 procedure in the Twitter International Company case represented the pinnacle of large-scale inquiries concluded in 2020. This determination of this case represented the first substantial fine issued by the DPC.

In this high profile inquiry, which commenced in January 2019, the DPC investigated Twitter International Company’s compliance with its obligations under the GDPR. In December 2020, the DPC issued its decision and found that TIC had infringed Article 33 by failing to notify without delay the DPC about a personal data breach which arose from a bug in the Twitter mobile for Android.

The DPC’s draft decision was submitted to other Concerned Supervisory Authorities (CSAs) via the Article 60 mechanism of the GDPR in May 2020. It was the first draft decision to traverse the Article 65 dispute resolution process as well as being the first in a ‘big tech’ case on which all EU supervisory authorities were consulted a CSAs. The European Data Protection Board adopted the decision in November 2020 and the DPC issued its final decision the following month, imposing an administrative fine of €450,000. The DPC asserted that this fine was an “effective, proportionate and dissuasive measure”.

Complaints

Alongside large-scale inquiries, routine work undertaken by the DPC involves processing thousands of complaints made to the office by organisations and individuals. In 2020, 4,660 GDPR complaints and 59 Data Protection Act complaints were made against organisations by individuals with 4,476 complaints (including those received before 2020) resolved. Over 60 per cent, or 2,186 complaints, were received by the DPC in 2020 were resolved within the calendar year. These complaints ranged from securing access to personal data to unauthorised and unnecessary disclosure of personal data to third parties.

In order to trigger the DPC’s complaint processing function, a complaint must emanate from:

• an individual in relation to the processing of their own personal data;
• a legally authorised person or entity on behalf of an individual; or
• an advocacy group which meets GDPR, LED and DATA Protection Act 2018 requirements to act on behalf of one or more individuals.

However, an inadvertent trend has been the increase in complaints received that have “little or nothing to do with data protection”. Likewise, a phenomenon whereby organisations and individuals have attempted to “misuse the GDPR to obfuscate or pursue other agendas” has continued in 2020.

Breaches

As a result of the mandatory requirement to notify the DPC in relation to data protection breaches, the volume of notifications received by the DPC remains high. In 2020, the DPC received 6,783 data breach notifications under Article 33 of the GDPR, 2 per cent of which did not meet the criteria of a personal data breach. A total of 6,673 valid data protection breaches constitute a 10 per cent increase on data breach notifications in 2019.

By some margin, the most commonly notified data category of data breaches under the GDPR in 2020 was ‘unauthorised disclosures’ (86 per cent), with the majority of the total data breaches occurring in the private sector. Additionally, the DPC received 70 valid data breach notifications under the e-Privacy Regulations and 25 breach notifications relating to the LED.

Other projects

Other specific projects undertaken by the DPC in 2020 include Children Front and Centre: Fundamentals for a Child Orientated Approach to Data Processing, a comprehensive guide relating to the protections required for processing children’s data under the GDPR.

A ‘regulatory sweep’ of the most frequently visited websites in Ireland was also completed in order to establish the extent of compliance with e-privacy regulations in Ireland. The results of this were described as “disappointing” and the DPC has indicated that its cookies investigations and enforcement action will continue throughout 2021.

Covid-19

The DPC identifies the Covid-19 pandemic as a moment which exemplifies the value of the GDPR. In rolling out its public health response, government was required to consult with the DPC on any public health initiative with personal data processing implications. Such initiatives included the Return to Work Safely Protocol and the Covid-19 Passenger Locator Form. GDPR provided the parameters within which to ensure that these initiatives were proportionate and that the rights of individuals were protected.

The most prominent example of this was the consultative engagement between the DPC and the Government on the Covid Tracker App. Beginning in March 2020, the DPC emphasises the data protection challenges of developing a national contact tracing app. The supervisory authority later provided a Data Protection Impact Assessment for the Covid Tracker App, ensuring that all risk was adequately assessed prior to its launch. After the app’s launch, this engagement with the Department of Health continued in relation to cross-border interoperability.

Data transfers

From a litigation perspective, 2020 was a demanding year for the DPPC. Legal proceedings initiated by in the Irish High Court by the DPC in 2016 were concluded by a July 2020 judgement made in the Court of Justice of the European Union (CJEU). On the use of Standard Contractual Clauses in underpinning personal data transfers from the EU to the US, the CJEU clarified that that regardless of the legal mechanism employed, the personal data of EU citizens must have equivalent protections in the US as are guaranteed in the EU. Following this judgement, the DPC initiated an investigation into Facebook transfers to the US.