Irish Data Protection Commission publishes first annual report since GDPR


We examine the Irish Data Protection Commissioner’s first annual report since the introduction of GDPR on 25 May 2018, which notes an uptick in complaints and breach reports due to ‘the GDPR Effect’ as well as the DPC’s handling of cross-border processing matters through the newly established one-stop-shop mechanism.

On 28 February 2019, the Irish Data Protection Commission (“DPC”) published its first annual report since the introduction of GDPR covering the period 25 May – 31 December 2018. The report details the work of the authority following the introduction of the GDPR on 25 May 2018. Since that date, in accordance with the new Data Protection Act 2018, the DPC is no longer a data protection authority with a solely Irish focus; it has become a supervisory authority with an EU-wide remit, responsible for protecting the data privacy rights of millions of individuals across the EU.

Some highlights of this report are:

• 2,864 complaints were received over the period in total

  • 977 of the complaints received related to ‘access rights’
  • 1,928 GDPR complaints and 936 complaints under the Data Protection Acts 1988 and 2003
  • Of the GDPR complaints, 550 were actively being assessed; 510 complaints proceeded to complaint handling and 868 had been concluded

• While the majority of complaints continued to be amicably resolved, the DPC issued a total of 18 formal decisions (of these, 13 upheld the complaint and 5 rejected the complaint)

• A total of 3,542 valid data security breaches were recorded, with the largest single category being ‘Unauthorised Disclosures’

  • 38 of those data breaches related to 11 multinational technology companies

• The Information and Assessment Unit received almost 31,000 contacts comprising almost 15,000 emails, 13,000 telephone calls and 3,000 items of postal correspondence

• The Special Investigations Unit (“SIU”) opened 31 own-volition inquiries into the surveillance of citizens by the state sector for law enforcement purposes through the use of technologies such as CCTV, body worn cameras, automatic number-plate recognition, enabled systems, drones and other technologies

• The SIU continued its work in relation to the special investigation into the Public Services Card of the Department of Employment Affairs and Social Protection

The DPC’s report highlights ‘the GDPR Effect’ which has showcased people’s interest in and appetite for understanding and controlling use of their personal data. According to the DPC, while in recent years there has been a rise in public concern about the use of personal data, the increase in the number of complaints and queries to data protection authorities since 25 May 2018 demonstrates ‘a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data’.

The report also details the new one-stop-shop (“OSS”) mechanism established under the GDPR with the objective of streamlining how organisations operating across more than one EU member state deal with data protection authorities (“DPAs”). The OSS requires that organisations with multiple establishments across different member states are subject to regulatory oversight by just one DPA where they have a ‘main establishment’ in the EU and are engaged in cross-border processing. This new channel for receiving complaints requires close cooperation between the DPC and other EU DPAs. The DPC is the lead supervisory authority for a broad range of multinationals, including many large technology and social media companies whose main establishment is located in Ireland. The DPC has received 136 cross-border complaints through the OSS mechanism since 25 May 2018; these complaints were lodged by individuals with other DPAs.

The 2018 Annual Report reflects the beginning of a new era for the DPC in light of the GDPR and a commitment to drive compliance with data protection legislation.