By John Magee, Eilis McDonald, Nicole Fitzpatrick, Sarah Dunne & Laoise McMahon

The Data Protection Commission (DPC) has published its 2021 Annual Report, highlighting key observations, emerging guidance, and large-scale inquiries and decisions of 2021.

Primary areas of focus for the DPC in 2021 included the safeguarding of children’s data protection rights, progressing ongoing large-scale inquires and prioritising responding to complaints which have raised issues of substance, with a data subject centric approach to resolution.

The DPC received a total of 6,549 valid notifications of personal data breaches in 2021. Unauthorised disclosure of personal data continues to be the leading reason for breach notifications, accounting for 71% of the overall total this year. 38 valid data breach notifications were received under the ePrivacy Regulations and 51 notifications in relation to the Law Enforcement Directive.

Most incidents reported originate from the private sector (3,667), with 2,707 incidents reported from public sector organisations in Ireland such as public sector bodies, banks, insurance and telecom companies. The DPC has noted that the main cause of such incidents is poor operational practices and human error.

In November, the DPC launched the revised Breach Notification Webform. The new format was developed following feedback from data controllers and aims to facilitate easier and more efficient notification of personal data breaches. In particular, the revised form seeks to clarify when an organisation meets the criteria to avail of the “One-Stop-Shop” (OSS) mechanism. The DPC also handled 187 complaints which related to notified and non-notified data breaches in 2021.

Complaints Handling

The Annual Report notes another year of extensive enforcement work by the DPC. In total 10,645 cases were concluded by the DPC in 2021 (another increase on last years’ figures). As of 31 December 2021, the DPC had 81 statutory inquiries on-hand, including 30 cross-border inquiries. In addition to its cases and inquiries, the DPC also handled over 23,930 electronic contacts, 13,633 phone calls and 1,594 postal contacts. 8,017 of the 10,888 queries and complaints received from individuals were concluded by year end.

The Annual Report highlights the DPC’s preference to resolve complaints through amicable resolution between the parties concerned, where possible. There were 3,564 complaints concluded by the DPC over the past year, with 463 concluded by ‘fast-track’ amicable means. In addition, where data protection issues require an immediate response, the Annual Report notes that the DPC will seek to resolve the issue through rapid direct intervention rather than launching an inquiry aimed at enforcement action.

Administrative Fines and Large-Scale Inquiries

The Annual Report highlights five large-scale inquiries concluded throughout the year. The inquiries concerned the Irish Credit Bureau DAC, WhatsApp Ireland Ltd (cross border inquiry), MOVE Ireland, the Teaching Council of Ireland and Limerick City and County Council.

The WhatsApp Ireland decision, which resulted in a fine of €225 million along with an order directing WhatsApp to bring its processing into compliance with the GDPR, has resulted in many organisations re-reviewing data protection notices to meet the DPC’s granular approach to transparency highlighted in the decision. Our analysis of the WhatsApp decision can be read here.

The DPC also:

  • concluded 5 large scale inquiries;
  • sent 4 draft decisions to the Article 60 co-decision making process;
  • referred 1 case to the Article 65 dispute resolution process and issued its final decision;
  • issued 9 preliminary draft decisions for submissions to regulated entities and complainants ahead of finalisation; and
  • sought a further 17 submissions on statements of issues or inquiry reports.

Ongoing Inquiries & Data Transfer Enforcement

Of note is the DPC’s ongoing inquiry into Facebook’s transfer of personal data to the US which resulted in the Schrems II decision by the CJEU. The inquiry recommenced in May 2021, following the High Court’s decision, to lift the stay on the DPC’s investigation. The DPC issued a revised preliminary decision to Meta, the owner of Facebook, on 21 January 2022 in relation to this ongoing inquiry. The draft decision seeks to suspend the data transfers in question. Meta has 28 days to make submissions on this preliminary decision. The Annual Report confirms that, once these are received, the DPC will prepare a draft Article 60 decision for consideration by other concerned supervisory authorities.

ePrivacy Enforcement – Website Cookies & Marketing

The DPC continued to investigate and assess a number of websites for compliance with ePrivacy Regulations in 2021. The DPC also examined and investigated complaints and concerns from individuals over the use of cookies and tracking technologies. The DPC has continued to target issues around setting of tracking and advertising cookies without consent, use of cookie banners and privacy notices on websites and the use of pre-ticked boxes or toggles to gather consents for use of cookies. Investigations and enforcement action, including fines for violations of cookies requirements, will continue to be a key element of the DPC’s activities in the coming years, particularly with the expected implementation of the awaited updated ePrivacy Regulation.

The Annual Report notes that forthcoming EU legislation (NIS2 Directive, Digital Markets Act, Digital Services Act, Artificial Intelligence Act and Data Governance Act) will drive further consideration and priority of data issues.

Financial Services Sector Focus

The financial services sector continues to be an area of focus for the data protection regulator. During 2021, the DPC contributed to the Financial Matters Subgroup in relation to the EU Commission’s new regulation to enhance AML in the financial services sector. The DPC is also involved in various working groups including the Beneficial Ownership Working Group of the European Business Register Association (EBRA) and the Financial Action Task Force (FATF). The DPC has raised concerns that any changes in this area will need to be proportionate and balanced with the GDPR and has made clear that substantive guidance will be needed.

Fundamentals for a Child-Oriented Approach to Data Processing

The DPC has highlighted the protection of children and other vulnerable groups as one of the five pillars of its 5 Year Regulatory Strategy. In December 2021, final guidance on Fundamentals for a Child-Oriented Approach to Data Processing was published with immediate application and operational effect. The DPC has also taken a lead role in the preparation of guidance on children’s data protection issues at EDPB level.

Data Protection Officers

Building on its DPO Network, which was established in 2019, the DPC completed its enforcement programme aimed at public bodies raising the sector’s compliance rate from 69% to near 100%. In the private sector, the DPC specifically identified banking entities as likely to require a DPO. In total, this initiative resulted in 170 additional organisations now complying with the obligation to publish contact details of their DPO and communicate the same to the DPC.

The DPC has included its commitment to support DPOs as a priority in the 5 Year Regulatory Strategy. A series of online webinars supporting SMEs is due to commence in the first quarter of 2022.

5 Year Regulatory Strategy

The DPC published its 5-year Regulatory Strategy in December 2021, which focussed on regulating consistently and efficiently; safeguarding individuals and promoting data protection awareness; the protection of children and other vulnerable groups; brining clarity to stakeholders; and supporting organisations to drive compliance.

In 2021, the DPC’s budget increased to €19.1 million with a further increase of €23.2 million in 2022. The DPC continues to increase its workforce with numbers raising from 145 to 190 this year and has indicated that a further 70 staff members will be recruited during 2022.

The Annual Report indicates that the DPC will continue to monitor and enforce compliance particularly in relation to data transfers and the processing of children’s data. Significant fines issued this year have indeed made headlines; however, the Annual Report emphasises the DPC’s data subject centric approach to complaint resolution, and its handling of own volition inquiries.