30 08 2017 Insights Cyber and Data Protection

Key Takeaways from the Data Protection Commissioner’s 2016 Annual Report

23 May. 2017

Introduction

The Data Protection Commissioner of Ireland (“DPC”), Ms Helen Dixon, published her Annual Report for 2016 on 11 April 2017. This, her third annual report, gives a valuable insight into the areas of focus for the Office of the Data Protection Commissioner (“ODPC”). The DPC described 2016 as an “Olympic” year in data protection as big strides forward were made in Europe with the enactment of the General Data Protection Regulation (“GDPR”). The new GDPR framework is aimed at modernising and uniforming Europe’s data protection laws and safeguarding the right to protection of personal data.

Expansion of the ODPC

The Annual Report notes an increase in Government funding of the ODPC. The budget of the ODPC increased to €7.5 million in 2016 (from €4.7 million in the previous year). This increase in funding, the DPC comments, is in order to allow the ODPC to continue fulfilling an independent supervisory role in Ireland, which is charged with upholding the EU fundamental right to data protection. The ODPC has also seen continued expansion in terms of staffing levels. The ODPC now employs 70 staff, with an additional 35 staff planned to be added in 2017. Finally, 2016 also saw the launch of the ODPC’s Twitter account.

Queries and Complaints to the ODPC

In 2016, the ODPC dealt with 15,335 queries via email, 16,744 telephone queries and 1,150 queries via post. The ODPC also received numerous complaints. In total, 1,479 complaints were received in 2016, which was an increase of 547 complaints from the previous year. Of the complaints received, 1,438 complaints were concluded by the ODPC, which left 508 complaints outstanding at the end of the year. Below is a breakdown of complaints received by data protection issue.

Type of Complaint	Number of Complaints
Access Rights	835
Disclosure	176
Electronic Direct Marketing	118
Unfair Processing of Data	92
Failure to secure data	35
Use of CCTV Footage	32
Right of rectification Internet	27
Internet search-result delisting	26
Accuracy	26
Retention	16
Specific Purpose	12
Excessive Data	11
Unauthorised Access	9
Data Sharing	8
Use of biometrics	3
Verification ID	3
Miscellaneous	50
TOTAL	1,479

As in previous years, the largest single category of complaints involved access requests (accounting for 56% of all complaints received). The DPC believes this indicates that data controllers are not aware of their statutory obligations in this area. To that end, the DPC notes that preparations were finalised in 2016 in respect of ‘information campaigns’ which aim to promote awareness in relation to access rights and electronic direct marketing and to raise awareness on the rights of individuals and the obligations of organisations. These campaigns are planned by the DPC to launch in 2017. The Annual Report also suggests that the GDPR will have an impact on the area of access requests due to the fact that the period for complying with such requests will be reduced from 40 days to one month.

Data Breach Notifications

A data breach is where there has been unauthorised disclosure, loss, destruction or alteration of personal data by a data controller or processor. A data breach notification is the communication to the ODPC of such a data breach. In 2016, the ODPC received a total of 2,224 valid data breach notifications, being a slight decrease of 93 from the previous year. The highest category of data breaches reported, (being 43.5% of the total notifications), was unauthorised postal and electronic disclosures. Other examples of breaches reported include inappropriate manual handling, theft of IT equipment and website-security compromise.

The DPC comments that telecommunications and internet service providers have a legal obligation to notify the ODPC of a data security breach no later than 24 hours after the initial discovery of the breach. All other data breaches are reported by data controllers under a voluntary Personal Data Security Breach Code of Practice, published in July 2010. The DPC points out however that the area of data breach notification will change significantly with the introduction of the GDPR. This is because the new GDPR framework will make the reporting of certain data breaches to the ODPC mandatory within specified timelines.

Special Investigations

The Special Investigations Unit had its first full year of operation in 2016. It was established primarily to carry out investigations on its own initiative, as distinct from complaints-based investigations. Two prosecutions were successfully undertaken in 2016 by the Special Investigations Unit. A central focus of the Special Investigations Unit in the 2016 was the use private-investigator services by banks, insurance companies, law firms and financial services companies.

A noteworthy case study in this area was that of the prosecution of private investigator, Mr Crowley, who was charged with 61 counts of breaches of section 22 of the Data Protection Acts 1988 and 2003 (the “DPA”). Section 22 of the DPA provides that a person (other than an employee of the data controller) who obtains access to personal data without the prior authority of the data controller, and then discloses that data to another person, shall be guilty of an offence. The DPC’s investigation uncovered access by Mr Crowley to social-welfare records held on databases in the Department of Social Protection which were disclosed to entities in the insurance sector. The records in question were accessed by Mr Crowley through a staff contact who was known to him. Mr Crowley ultimately pleaded guilty to the charges and a €4,000 fine was imposed. The case study highlights the need for both data processors and controllers to ensure that any information they obtain is obtained fairly and legally.

The Special Investigations Unit also investigated the use of vehicle-tracking devices by private investigators, who are generally deemed to be data processors. As data processors, private investigators are required under Section 2C(3) to only process data based on the instructions of the data controller. If a data processor, without the instructions of the data controller, attaches a vehicle-tracking device to a vehicle in order to monitor individuals, the DPC believes that this could impose difficulties for both the data processor and the data controller. The DPC warns therefore that private investigators should only process data as per the instructions of data controllers and that the use of vehicle-tracking devices should not occur without the consent of the vehicle owner concerned.

In 2017, the Special Investigations Unit intends to open a new investigation in the hospital sector which will examine the processing of patient sensitive personal data in Irish hospitals.

Multinationals & Technology

Under the ‘one-stop-shop’ model of the GDPR, the DPC will become the lead data-protection authority for regulation of multinationals that have their “main establishment” in Ireland. With this in mind, a new Multinationals and Technology team has been created at the ODPC. The team supervises multinationals with bases in Ireland and leads all consultations, investigations and audits that relate to cross-border processing by multinationals. During 2016, the ODPC had numerous interactions with several multinationals on a variety of matters. Examples of these engagements include:

consultation between Facebook Ireland and the DPC;
consultation with Apple on the review of its new education service;
engagement with Google on changes to its terms and on its approach to online behavioural advertising;
engagement with LinkedIn on the use of cookies;
examination of WhatsApp Terms of Service and Privacy Policy; and
investigation of the Yahoo! data breach.

Consultation

In order to improve poor personal-data-handling practices, the ODPC encourages engagement from organisations in the public and private sector to ensure that they are responsible and compliant with data protection legislation. Consultation queries rose significantly from 860 queries in 2015 to a total of 1,170 queries in 2016, representing a 36% increase. The ODPC expects that this growth trend will continue for 2017 given the increasing level of awareness of individuals of their data protection rights and organisations of their compliance obligations.

The ODPC identified two emerging trends following consultations in 2016. These were ‘name and shame’ style campaigns that prejudice rights of individuals and “inadequate assessments” by data controllers of their data protection obligations. In respect of the former, the DPC comments that public sector bodies that seek to implement ‘name and shame’ type initiatives need to be sure the evidence is clear and the desired outcomes are produced without interfering with privacy rights. As regards inadequate assessments, the DPC found that there was an inertia at project-planning stage in carrying out data protection assessments. The DPC recommends Data Protection Impact Assessments as the best-practice approach to ensure that all obligations are met by data controllers and all data subject rights are protected.

Privacy Audits

In 2015, the ODPC carried out 50 audits and inspections. The purpose of these audits is for the ODPC to check compliance with the DPA and to assist data controllers and processors in ensuring their data protection systems are effective and comprehensive. The DPC’s annual audit programme is tailored to focus on a number of selected sectors and some of the themes identified in the 2016 audits include:

employers inappropriately seeking PPSN at the application stage;
the retention of data after the purpose for which information was obtained has ceased;
internal security reviews examining the processing of sensitive personal data;
CCTV usage, including lack of signage, excessive use and having appropriate policies;
illegal use of enforced subject access requests by employers; and
marketing issues surrounding the collection and use of email addresses and mobile numbers.

Legal

A centralised legal unit within the DPC was established in 2016. The function of the legal unit is to manage all forms of litigation in which the DPC is engaged and ensure a consistent interface with the legal teams of other EU data protection authorities. An online Judgments Database was also launched by the ODPC in December 2016. This database was created to enable stakeholders and members of the public to directly access written judgments in cases to which the DPC has been a party. The database is also intended to help increase awareness of the developing national and European jurisprudence on data protection and privacy matters.

Recent European Case Law and International Developments

The Annual Report explores three significant judgments of the Court of Justice of the European Union (“CJEU”) during 2016, namely:

Tele2 Sverige and Watson (joined cases C-203/15 and C-698/15). These cases concerned the legality of domestic legislative regimes in Member States that impose a general obligation on telecommunications operators to retain electronic communications data. The purpose of such legislation is for the investigation and detection of crimes and the CJEU examined this legislation in conjunction with data protection principles that traffic and location data be erased or anonymised when no longer required. The CJEU imposed a range of conditions significantly restricting the circumstances under which retention of such data, and access, may be permissible.

The processing of customer personal data by electronic commerce undertaking was examined in VKI v Amazon EU (C-191/14). This case established that the law which governs a commerce undertaking (i.e. an online service provider) is that of the Member State to which the undertaking directs its activities. This is subject to it being shown that the undertaking carries out the data processing in the context of the activities of an establishment situated in that Member state.

Finally, Breyer v Germany (C-582/14) provided guidance on what information may constitute personal data. The CJEU found in this case that the dynamic IP address of a user is personal data if the website operator can identify the user by legally requiring additional information on that user to be provided by the user’s internet service provider.

ODPC Case Studies

The Annual Report contains 25 case studies dealing with a range of issues, including processing an individual’s personal data in an incompatible manner, disclosure of personal information to third parties and personal data being withheld from an access request. Seven of these case studies involved a prosecution by the DPC.

GDPR and Going Forward

It is clear from the Annual Report that promoting and building awareness of data-protection rights and obligations continues to be a key area of priority for the ODPC. In 2016, the DPC utilised conferences, social media and information-awareness-raising campaigns to provide guidance and develop awareness of the forthcoming legislative changes. In this regard, the DPC published a GDPR readiness document, entitled “The GDPR and You”, which aims to guide organisations on how best to prepare for May 2018. The DPC plans to conduct further publicity campaigns in 2017 to ensure awareness of the GDPR extends to all business sectors.

If you have any queries in relation to the content of this Insight, please contact:

Bryan McCarthy, Partner, bryan.mccarthy@rdj.ie
Finín O' Brien, Solicitor, finin.obrien@rdj.ie
Ailbhe Ní Bhriain, Trainee Solicitor, ailbhe.nibhriain@rdj.ie

Key Takeaways from the Data Protection Commissioner’s 2016 Annual Report

Stay in the loop

Related Insights

Data breach claim struck out in Cork Circuit court as ‘minor’ incident

Balancing Risk with Innovation: EU's Approach to AI Procurement Contracts

2024: The Year Of AI

Recent Developments To The EU'S Cyber Resilience Framework

Non-Material Damage Compensation – the CJEU Enters the Fray

Cyber Incident Response and Crisis Management Workshop