Ireland: Key Takeaways From The Data Protection Commissioner's 2017 Annual Report

Last Updated: 13 March 2018
Article by Bryan McCarthy and Sarah Slevin

Introduction

It may be the last such report produced before the Office of the Data Protection Commissioner ("ODPC") evolves into the Data Protection Commission, but Helen Dixon's fourth Annual Report on the activities of the office during 2017 (the "Report") is certainly of no less significance. In fact, the Report gives us a useful insight into the ever-increasing public awareness of the importance of data protection and, consequently, provides a not-so-subtle hint as to the expanded and central role that the Data Protection Commission will play in European data protection in a post-GDPR society.

Generating media headlines in the immediate aftermath of the Report's publication were the figures on the increase in complaints to the ODPC last year, which rose by almost 80% on the previous year. However, these figures, whilst revealing, are not the only interesting element of the Report; much more of its contents should be examined in order to draw conclusions on the current status of data protection in Ireland.

Queries and Complaints to the ODPC

Firstly, however, to those complaints. The Report states that there were 2,642 complaints lodged with the ODPC last year, up from 1,479 in 2016. As has been the case in previous years, complaints about denied access to records made up the majority of these referrals, 1,372 (52%) in total.

Type of Complaint | Number of Complaints
Access rights | 1,372
Disclosure | 351
Unfair processing of data | 312
Direct electronic marketing | 215
Use of CCTV footage | 77
Failure to secure data | 46
Internet search-result delisting | 44
Accuracy | 43
Excessive data | 43
Retention | 41
Right of rectification | 39
Specified purpose | 18
Unauthorised access | 14
Postal direct marketing | 6
Biometrics | 4
Miscellaneous | 17
Total | 2,642

The Report also describes a commendable level of matter completion within the ODPC, with 2,594 of those 2,642 complaints reaching a conclusion. Also to be noted, however, are the reasons why complaints were not resolved in favour of the complainant: such unsuccessful complaints often, according to the Report, derived from issues emanating from the effects of the financial crash (transfer of loan books, receiverships, etc.). This demonstrated that the data subject's grievance in these matters often related to the underlying action itself rather than data protection issues.

Data Breaches

A record number of data breaches were also notified to the ODPC, with 2,973 reported by organisations and members of the public. This represents a 26% increase on the previous year, with the bulk of the breaches coming from the financial services sector. Most prominent amongst the categories of breaches reported were: mishandling of personal data, loss of data in both hard and soft copy as well as much-reported "network security compromises". Regarding the final category, the number of this type of breach more than doubled to 49 in one year. Whilst a number of factors were attributed to this, preeminent amongst these were "social engineering"-type hacks, facilitated by poor staff training and inadequate password procedures within organisations.

The number of network security compromises more than doubled to 49 from 23 in 2016. There was, however, a slight decrease in the number of website security breaches, down to six from 16 reported last year. Phishing and social engineering attacks increased and the ODPC said that there were a number of factors at play contributing to these breaches, including: a lack of staff training, slowness to patch devices, poor password policies and failure to update antivirus software.

Special Investigations and Case Studies

Investigating the Investigators: The ODPC's special investigation into the activities of private investigators and their use of personal data, commenced in 2016, continued last year. The Report notes that this investigation has resulted in several prosecutions.

New Investigations: Amongst the new investigations commenced this year, the DPC opened files on the processing of patient data within hospitals and the protection of child data by TUSLA in child protection cases. As was well-publicised, Ms Dixon has also expressed concerns regarding the government's proposed "Public Services Card", and her office's activities have not been limited to public statements; an ODPC investigation has been commenced and we await the findings with interest.

Case Studies: The range of issues dealt with by way of case study includes the loss of sensitive personal data contained in an evidence file kept by An Garda Síochána, the use of CCTV footage in an employee disciplinary process and the disclosure of personal data via a social media application. In total, 17 case studies are discussed in detail in the Report and each one makes for instructive reading.

Public Audits

91 audits, or inspections, were carried out by the ODPC last year, with the full list of audited organisations including enterprises as diverse as Avoca and Threshold. The Report also sets out some of the key findings of audits on multinationals, including a general lack of transparency and overreliance on global organisational security policies.

Note that the ODPC's interactions with organisations are not solely investigative or punitive. The Report indicates an increased level of consultation and engagement with the office by both public and private bodies. This demonstrates the increasing awareness within business and public life of the impact of the GDPR and the need to ensure compliance.

An Uneasy Relationship: Multinationals and Data Protection

Ongoing battles between the likes of Facebook and Google and national and international data regulators are well-known, with prominent battlegrounds including the CJEU and the Belgian courts. In the Report, 19 of the data breaches discussed above were attributed to these types of technology multinationals. It is also noted in the Report that the ODPC's investigation into the massive data breach suffered by Yahoo! (now known as Oath) is "approaching completion".

The Report also details other interactions with the likes of Facebook, LinkedIn and Twitter, and states that the Multinationals and Technology team received 19 cooperation requests or referrals of cases from a number of European Data Protection Authorities in 2017.

Remember, under the 'one-stop-shop' model of the GDPR, the Irish ODPC will become the lead data protection authority for regulation of multinationals that have their "main establishment" in Ireland, including Facebook, LinkedIn, etc. This led to the establishment of the aforementioned Multinationals and Technology team within the office in 2016. The team has continued and increased its engagement with the sector in the past year and, following the GDPR's commencement and the continued Irish and European judicial action, this engagement will become ever-more crucial in shaping the protection afforded to data by such companies.

A Pro-active Office

The ODPC also works with a range of Irish and European agencies in shaping the future of data protection law and its implementation. According to the Report, there was "strong strategic engagement" with the Article 29 Working Party and active contribution at all plenary and subgroup meetings. The ODPC also acted as lead rapporteur on the GDPR transparency guidance and as lead reviewer in relation to 14 Binding Corporate Rules applications. In Ireland, the ODPC was, unsurprisingly, heavily consulted prior to the publication of the Data Protection Bill 2018.

In the Report, Ms Dixon highlights and comments on Murray J's Review of the Law on the Retention of and Access to Communications Data issued in October 2017 and the subsequent Bill published by the government (subject to pre-legislative scrutiny at the end of last year).

This is all in addition to the office's broader "outreach schedule", intended to help the GDPR penny drop before it is too late. A GDPR Awareness and Training Unit has been established in this regard.

Case Law and Prosecutions

ODPC and the SCCs: The full hearing of Data Protection Commissioner v Facebook Ireland and Maximilian Schrems took place in the Irish High Court in spring of 2017. Following the judgment of Costello J in October, a reference is to be made to the CJEU on the validity of standard contractual clauses as a means of transferring data outside of the EU. That reference will be made during 2018 once the High Court has finalised the specific questions to be referred to the CJEU. According to the ODPC, the determination of these matters "will ultimately assist all stakeholders in their understanding of the requirement under EU data protection law to demonstrate adequate protection in the territory to which personal data of EU persons is sought to be transferred".

Prosecutions: Notable in the Report is the account of prosecutions of entities for breaches of direct marketing laws. Six organisations were prosecuted last year for offences under legislation which prevents unlawful communications with individuals for the purposes of direct marketing.

Money for Data

The substantial, and substantially increased, work described above could not have been carried out without a corresponding increase in funding for the ODPC. Last year, the office's budget allocation was increased to €7.5 million, used in part to hire new personnel to bring the total staff of the office to 85. Further increases can, unsurprisingly, be expected for next year, with the budget set at €11.7 million, money likely to be used for further recruitment to cater for the ODPC's ever-increasing workload.

2018: Year of the GDPR

The remarkable increase in the number of complaints to the ODPC last year is not an anomaly and is not without identifiable causes. Instead, it should be credited to the commendable work of the ODPC in prioritising the promotion of, and the building of awareness of, data protection rights and obligations. A prime example in this regard is www.GDPRandyou.ie, an online resource developed and maintained by the ODPC which aims to guide organisations on how best to prepare for May 2018. Beyond this, however, the ODPC has become more and more prominent in Irish consciousness through activities ranging from public campaigns to responses to governmental proposals (such as the maligned Public Services Cards), social media to court cases.

As the countdown to 25 May 2018 continues, we can be certain that the 2017 Annual Report is a harbinger of the increased centrality of data protection and the operations of the ODPC in the lives of every individual. Similarly, those with expertise and experience in the data protection sphere will be increasing their already-significant efforts to prepare for and respond to the increased duties and rights provided for under the Regulation. Ronan Daly Jermyn works with its clients across the entire spectrum of Irish commercial and public life to ensure they are GDPR-ready. In data protection, RDJ are your ideal partner.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
