On 29 May 2024, the Data Protection Commission ("DPC") released its 2023 Annual Report revealing another busy year for the authority. We have summarised the key points from the Report below.
Following several cross-border and national inquiries, the DPC issued a number of record fines and corrective orders and by the end of 2023, it had imposed fines totalling €1.55 billion. Of note, was the conclusion of the DPC's investigation into Meta, which led to a fine of €1.2 billion and its TikTok investigation, which resulted in a fine of €345 million.
There was an important changing of the guard as Helen Dixon, the long-standing Data Protection Commissioner for the DPC, stepped down from her role. Des Hogan and Dale Sunderland have taken over the role, currently as joint Commissioners. The DPC's staff numbers and budgetary allocation grew in 2023, with 44 new members brought on board and a budgetary allocation of €26.364 million.
Complaints and Decisions in Focus:
The Annual Report contains many case studies arising from complaints made to the authority. We set out key takeaways from a selection of these below.
Top 5 categories of complaints received in 2023:
General Accountability
Case Study 1: Organisation publishing alleged personal data
An individual complained to the DPC that a property website included their property in the photographs attached to an advert about a property for sale. The DPC advised that the image of a property alone may not constitute personal data. However, where the images are accompanied by a property address and an identifiable house number, the individual may be entitled to a right to erasure.
Key takeaway: Images of property may not constitute personal data without further identifying data.
Access Rights
Case Study 5: Access request seeking third party data
An individual submitted a data subject access request ("DSAR") to their former employer. They raised a concern with the DPC querying whether the company was obliged to provide them with the names of employees who had been involved in compiling the response to the DSAR. The DPC assessed the legal framework and considered judgment C-579/21 of the CJEU, in particular paragraph 73, in which the CJEU clarified that the 'employees of the controller cannot be regard as being 'recipients', within the meaning of Article 15(1)(c) of the GDPR [...] when they process personal data under the authority of that controller and in accordance with its instructions'. Therefore, the DPC advised the individual that they were not entitled to the list of names.
Key Takeaway: Individuals are only entitled to their own personal data when making an access request, though this can be subject to assessment in accordance with Articles 15(1)(c) and 15(4) GDPR.
Case Study 6: Access request complaint where a fee was requested
The DPC received a complaint from an individual who had been charged a fee to process a data request when seeking to access a copy of their personal data from a medical centre. When the DPC corresponded with the medical centre, the centre confirmed that no fee should have been charged. It confirmed their staff would receive more data protection training and a copy of the personal data was furnished to the individual.
Key Takeaway: Article 15(3) GDPR places an obligation on the data controller to provide a copy of personal data free of charge: a reasonable fee may be charged where there are further requests for copies. A reasonable fee may also be charged where the request is manifestly unfounded or excessive (Article 12(5) GDPR) but this exception is narrowly construed.
Rights to Erasure
Case Study 9: Erasure request connected to a property sale
The complainant submitted an erasure request to the email address listed on a real estate's privacy policy. This 'bounced back' as the email was not active. Upon intervention by the DPC, the real estate intermediary confirmed it had not complied with the erasure request on the basis of an obligation under the Property Services (Regulation) Act 2011 (the "2011 Act") to retain data for six years. The Property Services Regulatory Authority clarified that bank details are not covered by the 2011 Act and could be deleted in an erasure request. The provisions of the 2011 Act however, provided a lawful basis to retain the name, address and contact details of the prospective buyer.
Key takeaway: Organisations should have an appropriate monitored point of contact to facilitate exercising data protection rights in accordance with the GDPR. If relying on a legal obligation to retain personal data, it will only extend to the specific data elements covered by the relevant law, the remaining data must be erased.
Case Study 12: Erasure request related to medical data
An individual who believed their medical records were incorrect sought an erasure request of their historical health records. The individual had provided a contradictory diagnosis from another health care provider which insinuated that the original diagnosis was incorrect. The DPC found that a new medical opinion cannot be accepted as evidence that a historical medical opinion was incorrect. Furthermore, personal data is regarded as inaccurate if it is incorrect to a matter of fact. Therefore, the DPC found that the original diagnoses were not inaccurate and that the health care provider had a lawful basis for the continued processing of the individual's health records as it was still necessary in relation to the purposes for which it was originally collected or otherwise processed (Article 17(3)(c) GDPR).
Key takeaway: New medical evidence that contradicts a historic diagnosis will not render that historic diagnosis incorrect. There may be a valid lawful basis to retain data, even if its accuracy is contested, but controllers may be required to note a supplementary statement on their files so that the accuracy dispute is noted.
Direct Marketing
The DPC received 230 new complaints in relation to electronic direct marketing, under the EC (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. The DPC concluded 237 electronic direct marketing investigations in 2023, successfully prosecuting a number of organisations for sending unsolicited marketing communications without consent.
Disclosure
Case Study 14: Disclosure of personal data to a debt collection agency
An individual lodged a complaint with the DPC after their personal data was shared by an energy service provider with a third-party debt collection agency. The individual had disputed some charges on their final invoice but received no response from the service provider. When asked about the lawful basis for sharing the data, the service provider cited Article 6(1)(b) GDPR, stating that the disputed charges were an 'early exit fee' due to the individual cancelling their contract early. However, the service provider admitted to failing to record the individual's dispute, resulting in the incorrect sharing of the individual's data. The DPC found that although in normal circumstances, the service provider would have a lawful basis for the data sharing, it had not followed its internal procedures and had processed the individual's data unlawfully.
Key Takeaways: Data controllers need to ensure that staff are made aware of and understand internal procedures and data protection policies to safeguard personal data from unauthorised or unlawful processing.
CCTV
The DPC saw a significant increase in the number of queries received relating to the use of CCTV in areas where there is a higher expectation of privacy. This led to the publication of guidance to address these issues.
Case Study 19: Fair processing: CCTV in the workplace
The complainant was informed that no audio was recorded on the CCTV devices in the workplace, and the use of CCTV was for staff safety reasons. Evidence was provided to the DPC to prove that the cameras did not have audio recording capabilities. The organisation claimed that the CCTV cameras were installed to prevent theft and to protect the safety of staff. The organisation cited Articles 6(1)(d) and 6(1)(f) GDPR as the lawful basis of the data processing. The DPC found that Article 6(1)(d) was not a lawful basis for the organisation's use of CCTV cameras as the processing of personal data in this instance did not reach the threshold of 'vital interests' such as the necessity to protect a person's life. The DPC found that Article 6(1)(f) GDPR was a lawful basis for use of CCTV and its implications for data processing. This provision provides that data processing is lawful if 'necessary for the purposes of legitimate interests'. In this instance, the safety of staff and prevention of crime are deemed to be legitimate interests.
Key Takeaway: A lawful basis is required under the GDPR for the use of CCTV cameras in the workplace. Normally this will be the "legitimate interest" basis under Article 6(1)(f) GDPR so a legitimate interest assessment should be documented which takes account of the DPC's guidance on CCTV systems.
Data Breach Notifications
In 2023, the DPC received 6,991 valid GDPR data breaches, an increase on the GDPR data breach numbers reported in 2022.
Breach notifications by sector
In keeping with the trends we have seen over previous years, public sector bodies and banks accounted for the 'top ten' organisations with the highest number of breach notifications recorded against them, with insurance and telecom companies featuring prominently in the top twenty.
Notably, the DPC has continued to see situations where correspondence was issued to incorrect recipients because of poor operational practices and human error, e.g. inserting the wrong document into an envelope addressed to an unrelated third party.
| Nature of Breach | Total | Percentage |
|---|---|---|
| Disclosure unauthorised – postal material to incorrect recipient | 2255 | 33.69% |
| Disclosure unauthorised – email incorrect recipient | 1203 | 17.97% |
| Integrity – unintentional alteration (Personal Data Disclosed) | 602 | 8.99% |
| Disclosure unauthorised – other | 571 | 8.53% |
| Unauthorised Access – Paper files/Documents/Records | 415 | 6.20% |
| Availability – accidental (Loss/destruction of personal data) | 396 | 5.92% |
Case Study 21: Breach: Employment information
A data breach occurred in a workplace where a HR folder containing the individual's personal data was made available to third party individuals on an open drive that was internal to the organisation. The employer notified DPC of the breach and attributed it to human error. The personal data was not available to anyone outside of the organisation and was relocated to an appropriate drive upon discovery and the employee was given a detailed account of the personal data involved. The DPC reminded the data controller of their obligations under Articles 5(1)(f) and 24 GDPR to ensure appropriate technical and organisational measures are in place to ensure a level of security appropriate to the risk of processing the personal data.
Key takeaway: The use of shared folders and drives within an organisation must be subject to the appropriate controls and monitoring and regularly audited.
Case study 22: Data processor in the charity sector
Eighteen not-for-profit organisations engaged a third party data processor. A bad actor gained access to the data processor's network which resulted in the exfiltration of some data, the deletion of a database and a ransom note demanding payment. The bad actor made direct contact with the data processor, who refused to pay the ransom. While the data processor had restored its systems from backup, the exfiltrated data remained a risk.
Most of the organisations were ill-prepared for a data breach due to a general lack of IT experience and only eight organisations had a Breach Incident Response Plan to tackle data breaches. Furthermore, the organisations were unsure about the personal and special category data that they held. Many of the organisations had failed to carry out their statutory obligations, under Article 35 GDPR to conduct a Data Protection Impact Assessment; under Article 28(3) GDPR to have a controller-processor contract; and they did not implement the appropriate technical and organisational measures as required by Article 24 GDPR in relation to data processing.
The DPC emphasised that while the use of third-party processors is permitted, they must be thoroughly vetted, especially for the processing of sensitive personal data.
Key takeaway: Processing of personal data may be outsourced to a third party, but the data controller still retains its responsibilities and obligations under the GDPR in the event of a data breach.
Inquiries
In November 2023, the DPC decisions to impose administrative fines on five different organisations were confirmed in the Dublin Circuit Court. These comprised:
- VIEC t/a Virtue Eldercare; a fine of €100,000;
- A&G Couriers t/a Fastway Couriers; a fine of €15,000;
- Kildare County Council; a fine of €50,000;
- Centric Health; a fine of €460,000;
- Bank of Ireland; a fine of €750,000.
Some of the more notable fines issued on conclusion of inquiries in 2023 include:
| Organisations | Decision Issued | Fine Imposed | Corrective Measure Imposed |
|---|---|---|---|
| WhatsApp Ireland Ltd | January 2023 | €5.5 million | Order re: Articles 5(1)(a); and 6(1) GDPR. |
| Kildare County Council | January 2023 | €50,000 | Temporary ban on CCTV cameras at a number of locations. Order re: Articles 5(1)(a), 6(1), 13, and 32(1) GDPR; Sections 71, 72, 76, 78, and 82 Data Protection Act 2018. |
| Bank of Ireland | February 2023 | €750,000 | Reprimand re: Articles 5(1)(f) and 32(1) GDPR; Order re: Articles 5(1)(f) and 32(1) GDPR. |
| Meta (Facebook) | May 2023 | €1.2 billion | Suspension of data flows re: Article 46 GPDR; Order re: Article 46 GDPR. |
| Department of Health | June 2023 | €22,500 | Ban re Articles 5(1)(c), 6(1), 6(4), and 9(1) GDPR; Reprimand re Articles 5(1)(c), 5(1)(f), 6(1), 6(4), and 32(1) GDPR. |
| TikTok | September 2023 | €345 million | Reprimand re: Articles 5(1)(a), 5(1)(c), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) GDPR; Order re: Articles 5(1)(a), 5(1)(c), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) GDPR . |
Ongoing inquiries:
As of 31 December 2023, the DPC was conducting 89 statutory inquiries, including 51 cross-border inquiries. As of 31 December 2023, four DPC draft decisions in large-scale inquiries had been referred to the EU co-decision making process (Article 60 GDPR), including:
- Google Ireland Limited; concerning the lawfulness of Google's processing of location data and whether it meets its obligations as a data controller with regard to transparency. The DPC submitted its draft decision to its peer regulators in the EU in August 2023
- Meta Platforms Ireland Limited; concerning the transfer of the complainant's personal data, processed by means of the Facebook service, to the US. The draft decision was submitted in April 2023.
- Yahoo! EMEA Limited; concerning Yahoo's compliance with the requirements to provide transparent information to data subjects under the GDPR. The DPC's draft decision was submitted in October 2022, but the inquiry remains ongoing.
The DPC had, by 31 December 2023, progressed eleven large-scale inquiries to the point where submissions on a draft decision, statement of issues or inquiry reports were invited from the relevant parties, five of which included Meta Platforms Ireland Limited.
Looking forward
The DPC continues to work towards the 2022-2027 regulatory strategy to prioritise the protection of children and other vulnerable adults. As part of this strategic goal, throughout 2023, the DPC engaged with several financial institutions and representative bodies regarding concerns that the GDPR and data protection law are being used as a barrier to access services. The DPC will continue to prioritise this work throughout 2024.
The DPC also participated in the 2023 Coordinated Enforcement Framework (CEF) on the designation and position of Data Protection Officers. This year, the DPC will be participating in the 2024 CEF action on the implementation of the right of access by controllers.
Overall, the DPC confirms its commitment to its five regulatory goals to; (1) regulate consistently and effectively; (2) safeguard individuals and promote data protection awareness; (3) prioritise the protection of children and other vulnerable groups; (4) bring clarity to stakeholders; and (5) support organisations and drive compliance.
The authors would like to thank Cara Mooney, Mícheál Twomey and Nauani Benevides for their contribution to this article.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.