By John Magee, Emer McEntaggart, Eilis McDonald, Nicole Fitzpatrick, Sarah Dunne, David Brazil & Christopher Connell
The Data Protection Commission (DPC) has published its 2022 Annual Report, highlighting the DPC’s progress on (i) ongoing large-scale inquiries (in particular against social media platforms), (ii) defence of cross-border decisions, and (iii) increased interaction with the European Data Protection Board (EDPB). Two-thirds of the GDPR fines issued by EU data protection authorities last year were from the DPC, illustrating a continued commitment to enforcement.
In total, the DPC received 5,695 valid notifications of personal data breaches in 2022 (a 13% reduction compared to 2021), with (i) 62% of these notifications being related to unauthorised disclosure of personal data, (ii) 105 being received under the ePrivacy Regulations (an increase of 176% compared to 2021), and (iii) 38 relating to the Law Enforcement Directive.
Most incidents reported originated from the private sector (52%), followed by the public sector (44%), with the remaining coming from the voluntary and charity sector (4%).
The Annual Report notes another year of extensive enforcement work by the DPC. In total, 10,008 cases were concluded by the DPC in 2022 (a slight reduction on last year’s figures). As of 31 December 2022, the DPC had 88 statutory inquiries on hand, including 22 cross-border inquiries. In addition to its cases and inquiries, the DPC also handled over 21,230 electronic contacts, 6,855 phone calls and 1,118 postal contacts.
The Annual Report highlights that the most frequent GDPR topics for queries and complaints in 2022 were access requests; fair processing; disclosure; direct marketing and right to be forgotten (delisting and/or removal requests). The most frequent cause of breaches, representing 62% of breaches in 2022, related to correspondence inadvertently being misdirected to the wrong recipients.
Administrative Fines and Large-Scale Inquiries
The Annual Report highlights 17 large-scale inquiries concluded throughout the year resulting in fines totalling over €1.3 billion.
Of note is the Meta (Instagram) decision which resulted in a record fine of €405 million and provided clarification on the lawfulness of processing children’s personal data in accordance with the legal bases of ‘performance of contract’ and ‘legitimate interest’. This is the second highest fine (after Luxembourg’s regulators issued a fine of €746 million last year) since the GDPR came into effect, and the largest fine to date issued by the DPC. The decision is currently before the High Court where Meta has sought an order quashing the decision and claims, amongst other things, that the fine amounts to a criminal sanction and is unconstitutional. Our analysis of the Meta (Instagram) decision can be read here.
The Annual Report lists 7 inquiries at draft decision stage as of December 2022, on 3 of which the DPC has since delivered its final decisions (in early 2023).
Of note is the DPC’s ongoing inquiry into the Department of Social Protection which commenced in 2021. This inquiry involves the processing of personal data in relation to biometric facial templates used in the department’s registration process. The Annual Report confirms that a draft decision is currently underway.
In addition, as of 31 December 2022, the DPC had 15 cross-border decisions under Articles 60 and 65 at various stages, from investigation stage to draft decision. The DPC has received objections and comments on its draft decision in the Meta own-volition inquiry relating to the lawfulness of Facebook’s transfers of personal data to the US (which is currently at the resolution stage). The Annual Report also confirms that the DPC is at an advanced stage in preparing a preliminary draft decision in the Google inquiry, relating to Google’s processing of personal data by its real-time bidding advertising technology system.
The Annual Report highlights 9 litigation matters involving the DPC in which written judgments were issued in 2022: 6 statutory appeals, 1 judicial review, and 2 other appeals.
Of the 9 litigation matters, 6 were concluded and the other 3 remain subject to further appeals. Of the 6 matters that were concluded: 3 appeals taken against the DPC were dismissed; 1 judicial review was settled; 1 appeal was partially upheld; and 1 appeal was fully upheld. The DPC expects to be involved in more Irish data protection litigation during 2023.
The judicial review proceedings taken by Schrems challenging the DPC’s inquiry into Facebook’s EU-US data transfers are also referenced. Although these proceedings were settled by Schrems and the DPC, the parties were unable to reach an agreement on costs. As such, in September 2022, the High Court ordered that the DPC pay 80% of Schrems’ costs. The High Court deducted 20% to reflect the fact that Schrems had not pursued an order quashing the DPC’s inquiry or other reliefs.
2022 brought the first compensation case under section 117 of the Data Protection Act 2018 to proceed to hearing in Ireland. The case was, however, dismissed by the Circuit Court, and a written decision from the Irish courts on how non-material damage will be assessed is still awaited. The case was taken after SIPTU (a trade union) inadvertently sent an email containing the names and addresses of claimants to a group of other SIPTU members. The Judge, on hearing the nature of the claim, found that proof of more than minimal loss was necessary and that no evidence was presented of any actual loss suffered as a result of the email distribution.
Over the course of 2022, the DPC continued to participate in work programmes of European supervisory bodies and, despite continued travel restrictions, the DPC attended and actively participated in monthly plenary meetings (approximately 300).
The DPC also continued to invest considerable resources in the day-to-day operation of the One-Stop-Shop in the performance of its role as Lead Supervisory Authority, including working with other authorities assisting on a broad range of matters and keeping other concerned authorities updated on issues and developments.
Data transfer issues have been an investment area for many enterprises across every sector. The DPC has been focusing on the assessment and approval of Binding Corporate Rules (BCRs) applications from multinational companies. During 2022, the DPC acted as lead reviewer in relation to 27 applications from 16 different companies; worked on obtaining approval for 3 of those applications and acted as co-reviewer or on drafting teams for Article 64 Opinions on 6 BCRs.
The protection of children’s personal data is one of the DPC’s five strategic goals as set out in its 2022-2027 Regulatory Strategy.
Following on from its publication of ‘Fundamentals’ guidance on children’s data protection rights in 2021, the DPC issued three short guides for children aged 13 and over on their data protection rights in 2022. The aim of the guides is to inform children and enable good practices around online safety. The guides will also be helpful to parents, educators and other stakeholders.
In response to a query from a public sector organisation on the use of social media advertising tools to target children, or the parents of children under 16, the DPC advised that the organisation would likely be a joint controller with the social media platform and would share responsibility for ensuring compliant processing. This means that the organisation needed to prepare the necessary compliance documentation setting out the legal basis for processing. The DPC questioned whether consent would be the most appropriate legal basis, because children or parents cannot consent to targeted advertising if they must accept it as a condition of using the service in the first place. The DPC highlighted the relevance of this engagement to other public bodies. It stated that it cannot provide blanket endorsements of social media advertising tools, noting that they must be assessed on a case-by-case basis by organisations. The DPC also noted that “there is a lot of confusion around the appropriateness of consent as a lawful basis” and that alternative legal bases should be considered in light of any particular duties and obligations to children and any other relevant contextual factors.
Data Protection Officers
During 2022, the DPC continued its efforts to support the Data Protection Officer (DPO) Network, which was established in 2019. The DPC hosted 32 online webinars for members of the DPO Network on topics ranging from access requests to compiling records of processing activities. Another key focus of the DPC was to continue engagement with data controllers on Article 37 GDPR compliance (designation and notification of a DPO). Following numerous attempts by the DPC to engage with a public sector body, the DPC opened an Inquiry (in accordance with section 110(1) of the Data Protection Act 2018) into the Pre-Hospital Emergency Care Council, which was the last public body to be brought into compliance with Article 37. The Inquiry concluded in May 2022, resulting in a finding of infringements of Articles 31, 37(1) and 37(7) of the GDPR, i.e., failures to designate and provide contact details of the DPO, as well as failure to cooperate, on request, with the DPC in the performance of its tasks. This highlights the need for data controllers to understand the requirements of Article 37 on the designation of DPOs, and stresses the importance of cooperating and engaging with the DPC.
A sectoral breakdown notes that of the 322 consultation requests received by the DPC during 2022, 135 (42%) were from public sector organisations, with the remainder from the private sector. The DPC also provided guidance and observations on 30 proposed legislative measures.
Supervisory engagements undertaken by the DPC in 2022 included engagement with the technology sector on a range of projects, including proposed amendments to the lawful basis for core processing activities, the introduction of new privacy controls for end users, and transparency and child sexual abuse material. The DPC also engaged with the financial services sector on the migration of a customer database of mortgage holders following a large loan sale. It also provided guidance on issues of security of transfer, accuracy of data, providing information to customers and ensuring customers’ data protection rights were not adversely affected.
The Annual Report highlights the DPC’s accomplishments in 2022, including the conclusion of 17 large-scale investigations that resulted in fines totalling over €1.3 billion. The DPC’s data-subject-centric approach to complaint resolution, and its handling of own-volition inquiries, continues. The DPC will also continue to monitor and enforce compliance, particularly in relation to breaches, access rights and the processing of children’s data.