The Data Protection Commission (“DPC”) recently published its 2020 annual report (the “Report”) covering its regulatory activities between 1 January 2020 and 31 December 2020. The Report highlights that the DPC concluded a number of large-scale inquiries in 2020 resulting in decisions on infringements and, in many cases, the imposition of corrective measures. Those subject to corrective measures included Kerry County Council, TUSLA, Waterford City and County Council, Ryanair, UCD, HSE, Groupon and Twitter. In May 2020, the DPC used its fining powers for the first time, levying two fines against TUSLA, and it issued its first fine in a cross-border case against Twitter for €450,000 in December 2020. At the end of 2020, the DPC had 83 statutory inquiries open (27 of which were cross-border).
Notable highlights include:
- 4,660 complaints received under the GDPR. The largest number related to access requests (27%).
- 354 cross-border processing complaints received via the GDPR’s One-Stop-Shop.
- 83 statutory inquiries (27 of which were cross-border inquiries in relation to multinational technology companies’ compliance with the GDPR).
- 147 complaints received concerning electronic direct marketing (66 relating to email marketing; 73 relating to SMS marketing; and 5 relating to telephone marketing).
- 6 companies prosecuted for sending unsolicited text messages or emails in breach of the ePrivacy Regulations 2011. The companies were: Three Ireland Services (Hutchinson) Ltd, Mizzoni’s Pizza and Pasta Company, AA Ireland, Three Ireland (Hutchinson) Ltd, Ryanair and Windsor Motors.
- 6,783 data breach notifications received, with 6,673 recorded as valid personal data breaches (10% increase since 2019). Unauthorised disclosure accounted for 86% of all breach notifications.
- €450,000 fine issued to Twitter International Company – the first fine in a cross-border inquiry.
- In May 2020, the DPC sent Europe’s first major Article 60 Draft Decision to all other EU Data Protection Authorities.
- Staff numbers increased to 145 and the DPC’s budget has increased to €16.9 million for 2021, reflecting the DPC’s increased workload.
The DPC received 4,660 complaints from individuals under the GDPR and 50 complaints relating to its previous regime, the Data Protection Acts 1988 and 2003 (as amended). Overall, there was a decrease in the number of complaints received since 2019. Access requests continue to be the largest category of complaints (30%), followed by fair processing (27%) and disclosures (26%). The DPC stressed the importance of having a clear organisational policy on how to handle access requests, so as to help organisations avoid costly and time-consuming repetition of work.
In relation to access requests, the DPC noted that controllers often invoke legal professional privilege to justify withholding personal data in response to an access request, pursuant to s 162 of the Data Protection Act 2018 (the “2018 Act”). The DPC commented that when assessing whether privilege applies, it will require considerable information, including an explanation of the basis upon which privilege is asserted; it will primarily seek a narrative in respect of each document and, where litigation privilege is claimed, information as to when litigation was threatened or contemplated.
The Report includes case studies which shed further light on the DPC’s complaint-handling functions, including details of cases which were amicably resolved and a case in which the DPC handled an Irish data subject’s complaint against the German-based e-commerce platform Cardmarket under the One-Stop-Shop mechanism.
Data Breach Notifications
The DPC received 6,683 data breach notifications in 2020, of which 6,673 were recorded as valid personal data breaches under the GDPR. This represents a 10% increase on 2019. Unauthorised disclosures accounted for 86% of all breach notifications. The DPC noted that it saw an increase in the use of social engineering and phishing attacks. It made the point that while many organisations initially put in place effective ICT security measures, they are not taking proactive steps to monitor and review those measures or to train staff on evolving threats.
Statutory Inquiries and Decisions
At the end of December 2020, the DPC had 83 open statutory inquiries, 27 of which were cross-border inquiries. The inquiries are either complaint-based or own-volition inquiries. Some of the high-profile cross-border inquiries include:
- Apple – There are 3 separate complaint-based inquiries into Apple. One such inquiry examines whether Apple has a lawful basis for processing personal data in the context of behavioural analysis and targeted advertising.
- Facebook – There are 8 separate inquiries into Facebook Ireland and one involving Facebook Inc. These inquiries examine a range of issues, including Facebook’s compliance with the transfer restrictions under Chapter V of the GDPR in light of the Schrems II judgment.
- Google – The DPC has 2 own-volition inquiries into Google. One of these examines whether Google has a valid legal basis for the processing of its users’ location data.
- Instagram – There are 3 separate inquiries into Instagram (2 of which are own-volition inquiries). One of these examines Instagram’s legal basis for the processing of personal data relating to Instagram users under the age of 18 in connection with account settings.
- LinkedIn – There is a complaint-based inquiry into LinkedIn examining whether it has discharged its obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.
- WhatsApp – There are 2 separate inquiries into WhatsApp, with one examining whether WhatsApp has discharged its transparency obligations with respect to the processing of data between WhatsApp and other Facebook companies.
- Twitter – The DPC has 3 separate inquiries into Twitter (2 of which are own-volition inquiries). One of these was commenced in response to a number of breaches notified to the DPC since 25 May 2018, with the DPC examining whether Twitter has discharged its obligations to implement appropriate technical and organisational measures to secure user personal data.
2020 was a significant year for the DPC as it issued its first cross-border inquiry fine, against Twitter for €450,000 in respect of its handling of a personal data breach. The DPC also had a number of domestic inquiries, all of which were own-volition inquiries. Those subject to domestic inquiries included: An Garda Síochána, Bank of Ireland, the Catholic Church, Department of Social Protection, HSE, Teaching Council, various universities, TUSLA and the Irish Credit Bureau.
Cookies Investigations Sweep and Enforcement
In April 2020, the DPC published guidance in relation to the use of cookies and tracking technologies. Organisations were given a six-month window in which to bring cookies used on their websites or platforms into compliance with the law, and the DPC ran a public awareness campaign during this time. At the conclusion of that window, the DPC wrote to twenty organisations in late 2020 warning them that enforcement notices would be issued if non-compliance was not addressed within 14 days. Seven organisations were ultimately served with enforcement notices. The DPC noted that it began seeing more complaints from the public about cookies and tracking technologies in 2020, and that trend is expected to continue, along with enforcement.
The Report notes that 2020 was a busy year for litigation, with 14 judgments delivered and/or orders made in proceedings to which the DPC was a party. The Report also discusses the proceedings in DPC v Facebook Ireland & Schrems (“Schrems II”), in which the CJEU gave judgment on 16 July 2020 in response to a preliminary reference from the Irish High Court in 2018, arising from proceedings initiated by the DPC in 2016 when it sought a reference in relation to the use of Standard Contractual Clauses (“SCCs”) for personal data transfers from the EU to the US. The CJEU upheld the validity of the SCCs but provided a detailed ruling in relation to transfers based on Article 46 of the GDPR and also declared the EU-US Privacy Shield decision to be invalid. Following this, the DPC initiated an inquiry into Facebook’s transfers of personal data to the US, and this inquiry was the subject of a judicial review by Facebook in 2020.
In the context of Covid-19, the DPC engaged with the Government in relation to areas such as the National Return to Work Safety Protocol and the Covid-19 contact tracing app (including providing an in-depth report on the data protection impact assessment for the app), with this activity expected to continue in 2021. The DPC consulted with the public sector in the context of the Leaving Certificate Covid-19 arrangements.
Binding Corporate Rules
A key focus of the DPC in the area of international transfers is the assessment and approval of Binding Corporate Rules (“BCR”) applications from multinationals seeking to take a uniform approach where they have subsidiaries on a global scale transferring data between them. The DPC was lead reviewer in 42 applications, and has had contact from a number of companies enquiring about transferring their lead authority for BCR applications to the DPC. This was identified as significantly increasing the DPC’s workload in 2020.
Processing of Children’s Data
In December 2020, the DPC published its ‘Fundamentals for a Child-Oriented Approach to Data Processing’, with submissions open until 31 March 2021. In 2021, a core initiative of the DPC will be facilitating a project to draw up Codes of Conduct in relation to the processing of children’s data.
What’s next for 2021?
- Of the 27 open cross-border statutory inquiries, the DPC expects to share between six and seven Article 60 draft decisions with other EU Data Protection Authorities this year. These draft decisions are expected to concern inquiries into Facebook, Instagram, WhatsApp, Google and Verizon, amongst others.
- The establishment and approval of Codes of Conduct for Code Owners in a specified sector pursuant to Articles 40 and 41 of the GDPR is expected to progress, with the DPC anticipating receipt of the first official draft Code early in 2021.
- The DPC indicates that it will continue its focus on cookies investigations and enforcement actions throughout 2021, having regard to proposed reform in this area in the form of the European Commission’s proposed Digital Services Act and Digital Markets Act.
- The Report identifies that complaints concerning employment law disputes were heavily represented in 2020. Given the continued impact of the Covid-19 pandemic on employers, and the data protection implications around employee monitoring and return-to-work protocols, this can be expected to continue into 2021.