It may be the last such report produced before the Office of the Data Protection Commissioner (“ODPC”) evolves into the Data Protection Commission, but Helen Dixon’s fourth Annual Report on the activities of the office during 2017 (the “Report”) is certainly of no less significance. In fact, the Report gives us a useful insight into the ever-increasing public awareness of the importance of data protection and, consequently, provides a not-so-subtle hint as to the expanded and central role that the Data Protection Commission will play in European data protection in a post-GDPR society.
Generating media headlines in the immediate aftermath of the Report’s publication were the figures on the increase in complaints to the ODPC last year, which rose by almost 80% on the previous year. However, these figures, whilst revealing, are not the only interesting element of the Report; much more of its contents should be examined in order to draw conclusions on the current status of data protection in Ireland.
Queries and Complaints to the ODPC
Firstly, however, to those complaints. The Report states that there were 2,642 complaints lodged with the ODPC last year, up from 1,479 in 2016. As has been the case in previous years, complaints about denied access to records made up the majority of these referrals, 1,372 (52%) in total.
| Type of Complaint | Number of Complaints |
| --- | --- |
| Access rights | 1,372 |
| Disclosure | 351 |
| Unfair processing of data | 312 |
| Direct electronic marketing | 215 |
| Use of CCTV footage | 77 |
| Failure to secure data | 46 |
| Internet search-result delisting | 44 |
| Accuracy | 43 |
| Excessive data | 43 |
| Retention | 41 |
| Right of rectification | 39 |
| Specified purpose | 18 |
| Unauthorised access | 14 |
| Postal direct marketing | 6 |
| Biometrics | 4 |
| Miscellaneous | 17 |
| Total | 2,642 |
The Report also describes a commendable level of matter completion within the ODPC, with 2,594 of those 2,642 complaints reaching a conclusion. Also to be noted, however, are the reasons why complaints were not resolved in favour of the complainant: such unsuccessful complaints often, according to the Report, derived from issues emanating from the effects of the financial crash (transfer of loan books, receiverships, etc.). This demonstrated that the data subject’s grievance in these matters often related to the underlying action itself rather than data protection issues.
Data Breaches
A record number of data breaches were also notified to the ODPC, with 2,973 reported by organisations and members of the public. This represents a 26% increase on the previous year, with the bulk of the breaches coming from the financial services sector. Most prominent amongst the categories of breaches reported were: mishandling of personal data, loss of data in both hard and soft copy as well as much-reported “network security compromises”. Regarding the final category, the number of this type of breach more than doubled to 49 in one year. Whilst a number of factors were attributed to this, preeminent amongst these were “social engineering”-type hacks, facilitated by poor staff training and inadequate password procedures within organisations.
The number of network security compromises more than doubled to 49 from 23 in 2016. There was, however, a slight decrease in the number of website security breaches, down to six from 16 reported last year. Phishing and social engineering attacks increased and the ODPC said that there were a number of factors at play contributing to these breaches, including: a lack of staff training, slowness to patch devices, poor password policies and failure to update antivirus software.
Special Investigations and Case Studies
Investigating the Investigators: The ODPC’s special investigation into the activities of private investigators and their use of personal data, commenced in 2016, continued last year. The Report notes that this investigation has resulted in several prosecutions.
New Investigations: Amongst the new investigations commenced this year, the DPC opened files on the processing of patient data within hospitals and the protection of child data by TUSLA in child protection cases. As was well-publicised, Ms Dixon has also expressed concerns regarding the government’s proposed “Public Services Card”, and her office’s activities have not been limited to public statements; an ODPC investigation has been commenced and we await the findings with interest.
Case Studies: The range of issues dealt with by way of case study includes the loss of sensitive personal data contained in an evidence file kept by An Garda Síochána, the use of CCTV footage in an employee disciplinary process and the disclosure of personal data via a social media application. In total, 17 case studies are discussed in detail in the Report and each one makes for instructive reading.
Public Audits
91 audits, or inspections, were carried out by the ODPC last year, with the full list of audited organisations including enterprises as diverse as Avoca and Threshold. The Report also sets out some of the key findings of audits on multinationals, including a general lack of transparency and overreliance on global organisational security policies.
Note that the ODPC’s interactions with organisations are not solely investigative or punitive. The Report indicates an increased level of consultation and engagement with the office by both public and private bodies. This demonstrates the increasing awareness within business and public life of the impact of the GDPR and the need to ensure compliance.
An Uneasy Relationship: Multinationals and Data Protection
Ongoing battles between the likes of Facebook and Google and national and international data regulators are well-known, with prominent battlegrounds including the CJEU and the Belgian courts. In the Report, 19 of the data breaches discussed above were attributed to these types of technology multinationals. It is also noted in the Report that the ODPC’s investigation into the massive data breach suffered by Yahoo! (now known as Oath) is “approaching completion”.
The Report also details other interactions with the likes of Facebook, LinkedIn and Twitter, and states that the Multinationals and Technology team received 19 cooperation requests or referrals of cases from a number of European Data Protection Authorities in 2017.
Remember, under the ‘one-stop-shop’ model of the GDPR, the Irish ODPC will become the lead data protection authority for regulation of multinationals that have their “main establishment” in Ireland, including Facebook, LinkedIn, etc. This led to the establishment of the aforementioned Multinationals and Technology team within the office in 2016. The team has continued and increased its engagement with the sector in the past year and, following the GDPR’s commencement and the continued Irish and European judicial action, this engagement will become ever-more crucial in shaping the protection afforded to data by such companies.
A Pro-active Office
The ODPC also works with a range of Irish and European agencies in shaping the future of data protection law and its implementation. According to the Report, there was “strong strategic engagement” with the Article 29 Working Party and active contribution at all plenary and subgroup meetings. The ODPC also acted as lead rapporteur on the GDPR transparency guidance and as lead reviewer in relation to 14 Binding Corporate Rules applications. In Ireland, the ODPC was, unsurprisingly, heavily consulted prior to the publication of the Data Protection Bill 2018.
In the Report, Ms Dixon highlights and comments on Murray J’s Review of the Law on the Retention of and Access to Communications Data issued in October 2017 and the subsequent Bill published by the government (subject to pre-legislative scrutiny at the end of last year).
This is all in addition to the office’s broader “outreach schedule”, intended to help the GDPR penny drop before it is too late. A GDPR Awareness and Training Unit has been established in this regard.
Case Law and Prosecutions
ODPC and the SCCs: The full hearing of Data Protection Commissioner v Facebook Ireland and Maximilian Schrems took place in the Irish High Court in spring of 2017. Following the judgment of Costello J in October, a reference is to be made to the CJEU on the validity of standard contractual clauses as a means of transferring data outside of the EU. That reference will be made during 2018 once the High Court has finalised the specific questions to be referred to the CJEU. According to the ODPC, the determination of these matters “will ultimately assist all stakeholders in their understanding of the requirement under EU data protection law to demonstrate adequate protection in the territory to which personal data of EU persons is sought to be transferred”.
Prosecutions: Notable in the Report is the account of prosecutions of entities for breaches of direct marketing laws. Six organisations were prosecuted last year for offences under legislation which prevents unlawful communications with individuals for the purposes of direct marketing.
Money for Data
The substantial, and substantially increased, work described above could not have been carried out without a corresponding increase in funding for the ODPC. Last year, the office’s budget allocation was increased to €7.5 million, used in part to hire new personnel to bring the total staff of the office to 85. Further increases can, unsurprisingly, be expected for next year, with the budget set at €11.7 million, money likely to be used for further recruitment to cater for the ODPC’s ever-increasing workload.
2018: Year of the GDPR
The remarkable increase in the number of complaints to the ODPC last year is not an anomaly and is not without identifiable causes. Instead, it should be credited to the commendable work of the ODPC in prioritising the promotion of, and the building of awareness of, data protection rights and obligations. A prime example in this regard is www.GDPRandyou.ie, an online resource developed and maintained by the ODPC which aims to guide organisations on how best to prepare for May 2018. Beyond this, however, the ODPC has become more and more prominent in Irish consciousness through activities ranging from public campaigns to responses to governmental proposals (such as the maligned Public Services Cards), social media to court cases.
As the countdown to 25 May 2018 continues, we can be certain that the 2017 Annual Report is a harbinger of the increased centrality of data protection and the operations of the ODPC in the lives of every individual. Similarly, those with expertise and experience in the data protection sphere will be increasing their already-significant efforts to prepare for and respond to the increased duties and rights provided for under the Regulation. Ronan Daly Jermyn works with its clients across the entire spectrum of Irish commercial and public life to ensure they are GDPR-ready. In data protection, RDJ are your ideal partner.