View from the DPC in Ireland and the EU

Data Protection Commission (DPC) 2019 Annual Report highlights

  • 7,215 complaints were received in 2019 representing a 75% increase from 2018.
  • In December 2019, the DPC had 70 statutory inquiries on hand, including 49 domestic inquiries. Six statutory inquiries were opened in 2019 into multinational technology companies’ compliance with the GDPR. This year, new investigations into Google, MTCH Technology Services (Tinder) and Facebook have been launched.
  • 6,069 valid data security breaches were notified representing a 71% increase on the total number of valid data security breaches (3,542) recorded in 2018.
  • The feedback from an extensive consultation on children’s data will be used to develop guidance on the processing of children’s personal data, which is a DPC priority for 2020. 

Data breach trends

  • Some of the trends and issues identified by the DPC in 2019 were: late notifications (13% did not satisfy the ‘without undue delay’ requirement); difficulty in assessing risk ratings; failure to communicate the breach to data subjects; repeat breach notifications; and inadequate reporting. 83% of reported breaches were due to unauthorised disclosure of personal data. The second most common category was cyber incidents, which accounted for 7% of reported breaches.

No data deal in place for Brexit

  • During the Brexit transition period, negotiations are underway for a data deal. It is assumed that the EU Commission will adopt an adequacy decision, which would permit transfers of personal data for the purposes of the GDPR to the UK. However, in the absence of a data deal, UK and EU businesses have fallback options, including agreeing SCCs. The UK has said it will continue to temporarily allow data flows to the EU in a “no data deal” scenario. However, the EU has not agreed

GDPR Enforcement

Since GDPR came into force, there has been a steady increase in fines issued. Ireland’s Data Protection Commissioner has yet to issue a fine. However, with a number of investigations into multinational tech companies, there may be fines on the horizon.

Most fines issued by other supervisory authorities were for breaches of Article 5 of the GDPR, ‘Principles relating to processing of personal data’. This was followed by breaches of Article 6, ‘Lawfulness of processing’, and finally Article 32, ‘Security of processing’.

Recently, the Information Commissioner's Office in the UK fined DSG Retail Limited £500,000 after a 'point of sale' computer system was compromised as a result of a cyber-attack. Additionally, a UK pharmacy, Doorstep Dispensaree, has been fined £275,000 for “careless” storage of patient data.

The top ten biggest GDPR fines combined amount to €411.7 million. The largest fine was issued to British Airways: the airline was fined €204.6m (£182m) for a large data breach resulting from a cyber-attack.

As enforcement activity picks up across the EU, it is important for organisations to implement and monitor their Data Privacy Strategy.

Figure: Number of GDPR fines

Data Privacy around the world

India proposes first major data protection law

India has proposed its first major law on the use and control of its citizens’ personal data, a controversial piece of legislation that will restrict how companies can manage sensitive information while giving government authorities broad powers to access it. 

Figure: Map of data privacy worldwide

Facial recognition regulation

As facial recognition becomes more prevalent, there is an increased need for regulation over its use. The European Commission is planning regulation that will give EU citizens explicit rights over the use of their facial recognition data as part of an overhaul in the way Europe regulates artificial intelligence. 

California’s data privacy law

The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020. Companies have already responded by updating privacy policies promising ‘more transparency’. There is uncertainty around a new right allowing consumers to ban companies from selling their data on to third parties. However, companies have time to adapt as enforcement will not begin until July 2020. 

Discussions regarding federal US data privacy law

In anticipation of the CCPA, the US Congress is renewing discussion of a possible comprehensive federal data privacy law. On December 4, a US Senate Committee held a hearing focused on developing a framework for consumers to exercise control over the data that companies collect by providing them with access, deletion and portability rights, and the extent to which a federal law should pre-empt state privacy laws such as the CCPA. 

ePrivacy regulation on the horizon

  • In January 2017, the European Commission proposed a new ePrivacy Regulation (ePR) to replace the 2002 ePrivacy Directive, known as the ‘cookies law’. The ePR aims to ensure privacy in all electronic communications and, once brought into force, will have implications for every business that operates a website.
  • The ePR will lay out more stringent rules around electronic communications. However, under the GDPR, organisations are already liable to be fined over their cookie and privacy policies.
  • The DPC has reported 165 new complaints were investigated in respect of various forms of electronic direct marketing: 77 related to email marketing; 81 related to SMS (text message) marketing; and seven related to telephone marketing. Prosecutions were concluded against four entities in respect of a total of nine offences under the E-Privacy Regulations.

Data privacy and consumer trust

  • As consumers' attitudes toward privacy change, giving consumers control over their data is imperative to a brand's success. This demand for control now forces browser vendors and device manufacturers to address consumer concerns, for example by reviewing their use of cookies and reducing their use of location data.
  • In 2020, we will likely see companies lean into privacy as a competitive differentiator. This "competing" around privacy will cause major brands to make bold claims on their privacy offering in order to build consumer trust. 

Client issues

  • Data privacy tools, both for regulatory compliance and consumer peace of mind, are becoming more in demand.
  • Geographic relevance to data privacy is becoming increasingly important. While large, multi-national privacy regulations such as GDPR or major laws like the California Consumer Privacy Act (CCPA) make headlines, there are many smaller, regional laws and customs that are often overlooked by organisations.
  • Topical client data privacy issues include the following:
      ◦ GDPR compliance, even more than a year on;
      ◦ Completion of Data Protection Impact Assessments (DPIAs);
      ◦ Privacy Management Ongoing Governance, Controls and Monitoring Framework;
      ◦ Management of third-party processors; and
      ◦ Adequacy of transfer mechanisms such as the Privacy Shield / SCCs.

Get in touch

If you have any related questions or need further information, please get in touch with Michael Daughton or Tom Hyland of our Risk Consulting practice.