Data Protection Commission (‘DPC’) Highlights
2021 Annual Report
In February 2021, the DPC published its annual report. The report highlights the government's increase in funding of the DPC, and makes note of the DPC's roles and responsibilities, as well as queries and complaints made to the DPC.
Some of the main highlights are:
- 7,469 queries and 3,419 complaints were received under the GDPR (an increase of 7% on 2020 figures);
- 6,549 valid data breach notifications were received, with 95% ‘of the total recorded cases being concluded in 2021’;
- 138 electronic direct marketing investigations were concluded and there were 2 prosecutions of telco companies for persistently contacting customers who had opted out of correspondence;
- 5 large-scale inquiries were concluded;
- A €225 million fine was imposed on WhatsApp Ireland Ltd. in addition to an order for WhatsApp to bring its processing into compliance with the GDPR; and
- DPC staff numbers increased to 190 and the DPC’s budget increased to €19.1 million (with a further increase to €23.2 million for 2022).
The DPC received a total of 6,549 valid notifications of personal data breaches in 2021. The highest category of data breaches notified in 2021 was in relation to unauthorised disclosures, which accounted for 71% of the total breach notifications. The DPC received 38 valid data breach notifications under the ePrivacy Regulation and 51 notifications in relation to the Law Enforcement Directive.
The DPC has continued to focus on issues around the setting of tracking and advertising cookies without consent, the use of cookie banners that obscured the text of cookies and privacy notices on websites, as well as the use of pre-ticked boxes or toggles to signal consent for cookies. Investigations and enforcement in this area will continue to be a key activity for the DPC, especially as a result of the upcoming implementation of the ePrivacy Regulation.
The Report highlights 5 inquiries concluded in 2021 that resulted in a significant sanction or corrective measure. In particular, the inquiry concerning WhatsApp Ireland Ltd., which concluded in September 2021, resulted in a fine of €225 million along with an order directing WhatsApp to bring its processing into compliance with the GDPR.
The DPC also issued a significant decision to Limerick City and County Council. The DPC found that certain CCTV systems operated by the Council were unlawful and imposed a temporary ban on the Council’s processing of personal data in respect of certain CCTV cameras, and an administrative fine of €110,000.
Fundamentals for a Child-Oriented Approach to Data Processing
In December, the DPC published its final guidance on the ‘Fundamentals for a Child-Oriented Approach to Data Processing’ with immediate application and operational effect. We summarised the Fundamentals in the previous issue of this newsletter.
Data Protection Officers (DPOs)
The DPC concluded the most recent stage of its DPO enforcement programme aimed at improving compliance with Article 37(7) of the GDPR. Article 37(7) mandates that specific categories of data controller, such as public bodies, are required to appoint a DPO and notify the DPO’s details to the relevant Supervisory Authority. The Report notes that the initial phase of the enforcement programme raised the public sector’s compliance rate from 69% to near 100%.
In 2021, the DPC expanded the project to include the private sector, identifying several sectors likely to meet the threshold to appoint a DPO, such as private hospitals and out-of-hours GP Services, banking entities, and credit unions. This initiative has resulted in 170 additional organisations now complying with their Article 37(7) obligations.
At the end of December 2021, the DPC had 81 open statutory inquiries, 30 of which were cross-border inquiries. The inquiries are either complaint-based or own-volition inquiries.
Whistleblowing Bill enhances the protections for whistleblowers
The Whistleblowing Bill will enhance and strengthen the protections for whistleblowers in Ireland.
The Bill will transpose the EU Whistleblowing Directive and will extend the scope of the legislation in providing protections for volunteers, shareholders, board members and job applicants for the first time.
Private sector organisations with 50 or more employees will be required to establish formal channels and procedures for their employees to make protected disclosures, as currently required in the public sector. This will be monitored and enforced by the Inspectorate of the Workplace Relations Commission.
Employers and prescribed persons who receive protected disclosures will be required to acknowledge them, follow up on the allegations made, and give feedback to the reporting person within three months. This will give greater certainty to both employers and whistleblowers as to what will happen when a protected disclosure is made.
The Bill provides that a reporting person is to be informed before their identity is disclosed unless that would jeopardise the related investigations or judicial proceedings. The Bill also provides protections that apply to ‘the protection of identity of maker of protected disclosure; shall also apply to persons concerned’ (i.e. natural or legal persons who are referred to in a protected disclosure as a person to whom the relevant wrongdoing is attributed or with whom that person is associated).
Organisations dealing with whistleblowing reports will not only have to uphold their duty of confidentiality to whistleblowers, but also uphold their duty of confidentiality to ‘persons concerned’. The Bill is more onerous in the scope of this duty and will certainly create a greater burden on organisations, which must ensure that the identity of ‘persons concerned’ is also kept confidential. Internally, this will likely require greater training for those who process protected disclosures within the workforce to maintain the confidentiality standards required.
A new Office of the Protected Disclosures Commissioner will be established in the Office of the Ombudsman to support the operation of the new legislation.
Get in touch
If you have any queries on the topics covered in this issue of Data Privacy Matters, please contact Tom Hyland of our Risk Consulting practice. We'd be delighted to hear from you.