The Data Protection Commission’s Annual Report for 2021
Reading time: 5min
Introduction
The Data Protection Commission (“DPC”) recently published its 2021 Annual Report (the “Report”), marking the end of the third full calendar year of the General Data Protection Regulation (“GDPR”).
Regulatory Strategy 2022-2027 (the “Strategy)
The Strategy was adopted in December 2021, following consultation with the public and stakeholders and a consideration of emerging academic theories in relation to effective regulation and behavioural economics. The Strategy sets out the DPC’s roadmap for what it believes will be five crucial years in the evolution of data protection law regulation and culture. The strategy is based upon five inter-connecting pillars of equal priority:
- Regulate consistently and effectively
- Safeguard Individuals and promote data protection awareness
- Prioritise the protection of children and other vulnerable groups
- Bring clarity to stakeholders
- Support organisations and drive compliance
With this in mind, the DPC has created the agenda of regulatory priorities which will achieve the overall objective ‘to do more, for more’.
Complaints made to the DPC
The Report contains the usual overview of complaints made to the DPC during 2021. A total of 3,419 complaints were made to the DPC. This represents a decrease in the overall amount of complaints made to the DPC in both 2019 and 2020.
The Report details that 52% of all complaints lodged in 2021 were dealt with within the year. In total, 3,564 complaints, including 1,884 complaints received prior to 2021, were concluded.
As has been the trend in recent years, the majority of complaints received by the DPC related to denied access to records. The Report sets out the top five categories of complaints received under GDPR, as shown here:
Type of Complaint | Number of Complaints | Percentage of Complaints |
Access Request | 1,232 | 42% |
Fair Processing | 560 | 19% |
Disclosure | 291 | 10% |
Right to Erasure | 263 | 9% |
Direct Marketing | 128 | 4% |
The Report notes a number of common issues which arise in the investigation of complaints in relation to access requests which would be prudent for data controllers to note:
- The data controller failed to acknowledge an access request,
- The data controller failed to perform an adequate search for the personal data,
- The data controller failed to advise the individual they were withholding data or the exemption they relied upon for same, or
- The data controller failed to issue a response within the required timeframe.
Under s.109(2) of the Data Protection Act 2018, the DPC is permitted, in circumstances where there is a reasonable likelihood of the parties to a complaint reaching an amicable resolution, to take such steps as it considers appropriate to arrange or facilitate such an amicable resolution. The DPC has, for the first time, provided details of complaints concluded in these circumstances. Where the DPC identified the possibility of a swift resolution to a complaint, it proceeds down a “fast-track” basis. In 2021, 463 of the 3,564 complaints concluded by the DPC were concluded by fast-track amicable means.
Data breach notifications
The introduction of GDPR brought about mandatory data breach notification obligations for all data controllers. 2021 saw a total of 6,549 valid data breaches reported to the DPC, representing a 2% decrease on the numbers reported in 2020. The DPC advised that, when assessing the necessity of notifying a breach, a data controller should particularly focus on the impact of a data breach on the rights and freedoms on an affected individual.
In line with previous years, the highest category of data breaches notified was in relation to unauthorised disclosures, accounting for 71% of the total notifications.
The Report notes that a disproportionately large chunk of breach notifications (2,707) originate in public sector organisations in Ireland. Other organisations with high levels of breach notifications include banks, insurance companies and telecoms companies.
The DPC noted that the cause of most unauthorised disclosures was poor operational practices and human error. An increase in the number of breaches caused by the issue of email correspondence to the incorrect recipient was recorded. In terms of breaches caused in relation to hard copy correspondence, a number of breaches occurred due to a failure of the data controller to update data, e.g. the data subject’s address, in a timely manner.
The DPC notes that it is taking a new strategic approach with regards to the handling of breach notifications. To date, the DPC would conduct its own risk and impact assessment and engage with the controller on mitigation actions and notification to data subjects, if required. This practice has ceased since January 2022. In most cases, the DPC will now only provide acknowledgement of receipt of breach notifications and will not issue recommendations or seek further information. However, the Report notes that the absence of further immediate engagement by the DPC will not indicate satisfaction with the notification itself, nor the assessment contained therein. The DPC will continue to assess all notifications individually and, in cases where the DPC deems the issues to warrant further information or a formal statutory inquiry, it will proceed in that way.
Statutory inquiries
The DPC may conduct two types of statutory inquiries: a complaint-based inquiry or an inquiry of the DPC’s own volition. The purpose of either inquiry is to make a formal decision as to whether there was an infringement under GDPR, and, where there is an infringement, to determine whether corrective measures such as fines should be applied. As of the year-end, the DPC were conducting 81 statutory inquiries, including 30 cross-border inquiries.
In 2021, the DPC imposed the below sanctions of fines and corrective measures.
Data Controller | Date of DPC Decision | Subject Matter | Administrative Fine € | Other Sanctions/Corrective Measures |
Irish Credit Bureau | 23 March 2021 | Personal data breach | 90,000 | Reprimand in respect of the infringements |
WhatsApp Ireland Ltd | 28 July 2021 | Provision of information and the transparency of that information, to both users and non-users of WhatsApp’s service | 225,000,000 | Reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions |
MOVE Ireland | 20 August 2021 | Personal data breach | 1,500 | - |
Teaching Council of Ireland | 2 December 2021 | Personal data breach | 60,000 | Reprimand and order to bring its processing operations into compliance with Articles 5(1)(f) and 32(1) of the GDPR by implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk |
Limerick City and County Council | 9 December 2021 | Unlawful CCTV systems | 110,000 | Temporary ban on the Council’s processing of personal data in respect of certain CCTV cameras and ordered the Council to bring its processing into compliance by taking specified actions, reprimand in respect of infringements |
Supervision, consultation and communication
The DPC engages directly with stakeholders in a supervisory role in order to provide context specific guidance. The Report notes that such collaboration can mitigate against potential infringements before they occur. In 2021, the DPC received 1,013 consultation requests.
The DPC engaged with the government departments in relation to the ongoing Covid-19 pandemic to ensure appropriate consideration was given to their obligations under GDPR in the various governmental responses to the pandemic.
The DPC provided guidance and observations on over 40 proposed legislative measures in 2021 which, as noted in the Report, promotes data protection by design within legislation under which the processing of personal data may occur.
Looking forward
Commissioner for Data Protection, Ms Helen Dixon, describes 2021 as a year ‘characterised by significant momentum gain’. Indeed, 2021 saw the volume of work completed by the DPC ever intensify. In addition to the resolving complaints and processing data breach notifications, the DPC progressed a number of large-scale investigations, imposed fines and corrective measures on foot of detailed decisions and published comprehensive guidance on protecting children’s data.
Furthermore, the DPC adopted its ambitious Strategy for the next 5 years, which Ms Dixon states, signals the commitment of the DPC to ‘do more for more people’. Already, changes have been implemented in the way in which the DPC handles data breach notifications. The DPC has also begun to resolve complaints by fast track amicable means where appropriate. This will give the DPC more time to focus on its other objectives.
Ms Dixon notes that a suite of pending of legislation at an EU level, including the NIS2 Directive, the Digital Markets Act, the Digital Services Act, the E-Privacy Regulation, the Artificial intelligence Act and the Data Governance Act, will impact data issues. Co-ordination at both EU and cross-regulatory levels will be crucial to the effective implementation of this legislation. Ms Dixon states that the DPC look forward to continued engagement with the EU Commission, its fellow regulators across the EEA to reach a consensus.
Whether or not we see this legislative change in 2022, the DPC has clearly signalled its commitment to ‘do more for more people’.