The Data Protection Commission's 2021 Annual Report - Privacy Protection

Key Takeaways

In its enforcement updates for 2022, the DPC reiterated the five regulatory goals set out in its recently released Regulatory Strategy. These are to (1) regulate consistently and effectively; (2) safeguard individuals and promote data protection awareness; (3) prioritise the protection of children and other vulnerable groups; (4) bring clarity to stakeholders; and (5) support organisations and drive compliance.

The DPC intends to focus enforcement resources on cases that will have the most impact for data subjects.
It also plans to increase enforcement activity in cases where controllers are failing to respond to data subject access requests ("DSARs").
The DPC also noted an intention to focus on cookies enforcement, albeit using the limited powers it has under the ePrivacy Regulations. The DPC does not have the power to directly prosecute for a breach of the cookie consent and transparency obligations under the ePrivacy Regulations. Instead it must issue an enforcement notice and where there is continued non-compliance, then prosecute for failure to comply with this notice.

The DPC noted a change to its approach to data breach notifications. From January 2022 onwards, the DPC will acknowledge receipt of each breach notification while focusing only on those notifications which are likely to give rise to enforcement actions, as opposed to engaging extensively with every breach notification.

A key feature of the Annual Report is the DPC's focus on continued (and increased) cooperation between the data protection supervisory authorities to ensure the goals of the one-stop-shop and the GDPR are achieved. The DPC also calls for a system to better judge the success of a data protection supervisory authority, as opposed to the narrative that has emerged that utilise "the number of cases and the quantity and size of the administrative fines" as the only measure of success.

The funding of the DPC increased in 2021 by €2.2 million to a total of €19.1 million. The staff count of the DPC at the end of 2021 was 190. The DPC aims to continue recruitment to increase its numbers to 260 employees.

Complaints

The DPC received 3,419 complaints in 2021 and concluded 3,564, (1,884 of these were received prior to 2021).
- 52% of the complaints lodged in 2021 were concluded in same calendar year.
- The Annual report notes that there had been a concerted effort to bring old access requests to resolution. This resulted in the DPC concluding 170% (562) of the total access complaints received in 2021 (331).
463 complaints were concluded by fast-track amicable means.
In relation to access requests, the DPC noted that it often transpires that the controller has; (a) not performed an adequate search for the personal data; (b) not advised the individual that they are withholding data and set out the exemption they are relying on; or (c) not responded within the required timeframe.
The DPC intends to increase enforcement in instances where controllers do not respond to DSARs or complaint commencement correspondence by the DPC.
The DPC also received 138 new direct marketing complaints under the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 ("ePrivacy Regulations") and concluded 150 complaints in 2021.

Top 5 categories of complaints received under the GDPR in 2021

Complaints	% of Total Complaints
Access request	42%
Fair processing	19%
Disclosure	10%
Right to erasure	9%
Direct marketing	4%

Sample Case Studies from the Annual Report

Access Requests

Case Study 2: Requests for identification when responding to access requests (Amicable Resolution)
In response to a DSAR, the controller in this case (a hotel) asked for a copy of a utility bill and photo ID verified by An Garda Síochána. The DPC stated that controllers should only request the minimum amount of further information necessary to prove the requester's identity, as seeking more could be disproportionate. Requesting official ID is likely only to be proportionate for sensitive data and where the information on the official ID can be corroborated with the personal data already held by the controller.

Case Study 2: Requests for identification when responding to access requests (Amicable Resolution)

In response to a DSAR, the controller in this case (a hotel) asked for a copy of a utility bill and photo ID verified by An Garda Síochána. The DPC stated that controllers should only request the minimum amount of further information necessary to prove the requester's identity, as seeking more could be disproportionate. Requesting official ID is likely only to be proportionate for sensitive data and where the information on the official ID can be corroborated with the personal data already held by the controller.

Case Study 15: Request for footage from online meeting (Access Complaints)
A data subject who participated in a Zoom meeting (a club AGM) submitted a DSAR for a copy of the recording of the meeting. The DPC engaged extensively with both sides on a number of issues. Despite the controller's initial assertion, the DPC discovered that the recording was saved and the controller was unable to articulate why it was relying on Article 15(4) GDPR to prevent access. Ultimately, the recording was provided to the data subject. The DPC was critical of this case in the Annual Report, stating that the matter could have been resolved without the involvement of the DPC if the controller had been aware of its obligations under the GDPR.

Case Study 15: Request for footage from online meeting (Access Complaints)

A data subject who participated in a Zoom meeting (a club AGM) submitted a DSAR for a copy of the recording of the meeting. The DPC engaged extensively with both sides on a number of issues. Despite the controller's initial assertion, the DPC discovered that the recording was saved and the controller was unable to articulate why it was relying on Article 15(4) GDPR to prevent access. Ultimately, the recording was provided to the data subject. The DPC was critical of this case in the Annual Report, stating that the matter could have been resolved without the involvement of the DPC if the controller had been aware of its obligations under the GDPR.

Fair Processing

Case Study 3: Processing of footage of funeral service by parish church (Applicable Law – GDPR & Data Protection Act 2018)
A complaint was made against the church for processing personal data in the live stream of a funeral service and in relation to the lack of transparency about the recording. The DPC found that the parish church and those unable to attend the funeral had a legitimate interest under s109 (5)(c) Data Protection Act 2018 ("DPA 2018") to view the service by live stream or recording; the church had a 30-day retention period; the camera had a restricted view; and that the church had also made changes arising from the complaint (including requiring a request for recording to be made in writing and password protecting the recordings). The DPC informed the data subject of this, however it recommended that the church update its privacy policy.

Case Study 3: Processing of footage of funeral service by parish church (Applicable Law – GDPR & Data Protection Act 2018)

A complaint was made against the church for processing personal data in the live stream of a funeral service and in relation to the lack of transparency about the recording. The DPC found that the parish church and those unable to attend the funeral had a legitimate interest under s109 (5)(c) Data Protection Act 2018 ("DPA 2018") to view the service by live stream or recording; the church had a 30-day retention period; the camera had a restricted view; and that the church had also made changes arising from the complaint (including requiring a request for recording to be made in writing and password protecting the recordings). The DPC informed the data subject of this, however it recommended that the church update its privacy policy.

Disclosure

Case Study 22: Disclosure due to misdirected email
A breach occurred when a letter from a statutory body investigating a complaint against a professional was attached to an email and sent to an incorrect address. This attachment contained personal data and was encrypted but the password for this encrypted letter was also sent to the same wrong address in a different email. The DPC reminded the organisation of its obligations under the GDPR and the importance of ensuring the security of personal data when sending information by email. Misaddressed emails are one of the most common causes of breaches reported to the DPC. Encryption is a valuable tool that can help to protect against accidental disclosures but it is advised that a separate medium is used to send the password.

Case Study 22: Disclosure due to misdirected email

A breach occurred when a letter from a statutory body investigating a complaint against a professional was attached to an email and sent to an incorrect address. This attachment contained personal data and was encrypted but the password for this encrypted letter was also sent to the same wrong address in a different email. The DPC reminded the organisation of its obligations under the GDPR and the importance of ensuring the security of personal data when sending information by email. Misaddressed emails are one of the most common causes of breaches reported to the DPC. Encryption is a valuable tool that can help to protect against accidental disclosures but it is advised that a separate medium is used to send the password.

Right to Erasure

Case Study 7: Delisting request made to internet search engine (Applicable Law – GDPR & Data Protection Act 2018)
A search engine operator refused to delist two URLs that appeared as results to searches of the individual's name on foot of a complaint that they contained defamatory content. The criteria for delisting are whether the results are irrelevant, inadequate or excessive, and a balancing exercise must be conducted. The search engine operator relied on the legitimate interest of third parties to access the information in the URLs – arguing that as there was no defamation proceedings, the search engine operator could not definitively decide whether the content was defamatory. The DPC noted that the webpages concern previous business conduct of the individual who continued to engage in the same professional sphere. The DPC rejected an argument that the content was inaccurate because it was defamatory because a significant majority of the content alleged to be inaccurate was clearly third-party opinion in the form of comments. The DPC noted that "role of the search engine in listing is not to challenge or censor the opinions of third parties unless to list results gives rise to personal data processing on the part of the search engine that is irrelevant, inadequate or excessive". The DPC concluded that given the individual's business and public role, there was a public interest to have access to the information concerned. The DPC dismissed the complaint.

Case Study 7: Delisting request made to internet search engine (Applicable Law – GDPR & Data Protection Act 2018)

A search engine operator refused to delist two URLs that appeared as results to searches of the individual's name on foot of a complaint that they contained defamatory content. The criteria for delisting are whether the results are irrelevant, inadequate or excessive, and a balancing exercise must be conducted. The search engine operator relied on the legitimate interest of third parties to access the information in the URLs – arguing that as there was no defamation proceedings, the search engine operator could not definitively decide whether the content was defamatory. The DPC noted that the webpages concern previous business conduct of the individual who continued to engage in the same professional sphere. The DPC rejected an argument that the content was inaccurate because it was defamatory because a significant majority of the content alleged to be inaccurate was clearly third-party opinion in the form of comments. The DPC noted that "role of the search engine in listing is not to challenge or censor the opinions of third parties unless to list results gives rise to personal data processing on the part of the search engine that is irrelevant, inadequate or excessive". The DPC concluded that given the individual's business and public role, there was a public interest to have access to the information concerned. The DPC dismissed the complaint.

Direct marketing

Case Study 13: Prosecution of Three Ireland (Hutchison) Limited (ePrivacy)
An individual had received a marketing email from Three Ireland, even though they had opted out of marketing communications from the company. Three Ireland explained that a technical issue arose with the opt-out request. Three Ireland said it had fixed the matter and made changes to their system. The DPC had previously prosecuted Three Ireland for breaching Regulation 13 of the ePrivacy Regulations and decided to proceed to another prosecution in this case. Three Ireland pleaded guilty to two charges under Regulation 13(1) ePrivacy Regulations and the District Court applied the Probation of Offenders Act 1907 on the basis of a charitable donation of €3,000 by Three Ireland. Three Ireland also agreed to discharge the DPC's legal costs.

Case Study 13: Prosecution of Three Ireland (Hutchison) Limited (ePrivacy)

An individual had received a marketing email from Three Ireland, even though they had opted out of marketing communications from the company. Three Ireland explained that a technical issue arose with the opt-out request. Three Ireland said it had fixed the matter and made changes to their system. The DPC had previously prosecuted Three Ireland for breaching Regulation 13 of the ePrivacy Regulations and decided to proceed to another prosecution in this case. Three Ireland pleaded guilty to two charges under Regulation 13(1) ePrivacy Regulations and the District Court applied the Probation of Offenders Act 1907 on the basis of a charitable donation of €3,000 by Three Ireland. Three Ireland also agreed to discharge the DPC's legal costs.

Data Breach Notifications

The DPC received 6,549 valid breach notifications under the GDPR (a decrease of 2% on 2020) and concluded 95% of these complaints in 2021.

The DPC received 187 complaints in relation to notified and non-notified data breaches and found that organisations who took their time to properly update affected individuals ultimately resolved the matter sooner, sometimes negating the need for the DPC to become involved at all.
A disproportionately large number of the data breach notifications (2,707 out of 6,549) originate in public sector organisations in Ireland.
The DPC has seen a vast increase in the number of breaches arising from email correspondence issuing to incorrect recipients because the message service incorrectly predicted the recipient email address based on the first characters typed (see Case Study 22 above).
The DPC recorded 71 breach notifications for breaches caused by "social engineering – phishing" and 67 for breaches caused by "hacking –ransomware".

Case Study 25 – Social engineering attack
An employee at a medium-sized law firm opened an email from a malicious third party that installed malware, which monitored emails on the computer ultimately allowing the bad actor to defraud a client. The DPC found that, despite using a widely used cloud email service, there was a failure to enforce basic security settings such as strong passwords and multi-factor authentication. The DPC notes that an organisation cannot assume that it has adequate measures in place simply because it uses an established service provider or engages a third party to manage applications.

Case Study 25 – Social engineering attack

An employee at a medium-sized law firm opened an email from a malicious third party that installed malware, which monitored emails on the computer ultimately allowing the bad actor to defraud a client. The DPC found that, despite using a widely used cloud email service, there was a failure to enforce basic security settings such as strong passwords and multi-factor authentication. The DPC notes that an organisation cannot assume that it has adequate measures in place simply because it uses an established service provider or engages a third party to manage applications.

The DPC also received 38 valid data breach notifications under the ePrivacy Regulations. The DPC sees this number expanding due the expansion of the definition of an "electronic communications service" to include messaging services as a result of the EU Electronic Communications Code (due to be implemented in Ireland).¹

Top 5 breach notifications under the GDPR by category

Breach notification by category	Number
Disclosure (unauthorised)	4,728
Unauthorised access	318
Processing error (PD Disclosed)	245
Paper lost or stolen	219
Online publication – unintentional	200

Data Breach Case Studies from the Annual Report

Case Study 24: Email addresses disclosed via group mail
The controller in this case, which is a charity supporting people with intellectual disabilities, filed a breach notification to the DPC. The email addresses of all recipients of an email newsletter were disclosed to all who read the email. This breach is often the result of a human error, is common, and usually poses low risks. Further investigation by the DPC highlighted poor risk awareness of data protection issues and responsibilities among staff and volunteers. The organisation introduced training on data protection and created a new management role for data protection compliance.

Case Study 24: Email addresses disclosed via group mail

The controller in this case, which is a charity supporting people with intellectual disabilities, filed a breach notification to the DPC. The email addresses of all recipients of an email newsletter were disclosed to all who read the email. This breach is often the result of a human error, is common, and usually poses low risks. Further investigation by the DPC highlighted poor risk awareness of data protection issues and responsibilities among staff and volunteers. The organisation introduced training on data protection and created a new management role for data protection compliance.

Case Study 20: Repeated similar breaches
Over a 12 month period, complaints were filed regarding a series of similar breaches from a data controller who sold services through a nationwide retail network, both owned and operated by a third party (processor). The controller agreed with the DPC that there were systematic problems arising from changes in the customer database system and, together with the processor, made some changes. This case demonstrates how the DPC monitors breaches notified under Article 33 of the GDPR, that controllers must monitor the performance of their processors, and how improvements may have unforeseen side-effects.

Case Study 20: Repeated similar breaches

Over a 12 month period, complaints were filed regarding a series of similar breaches from a data controller who sold services through a nationwide retail network, both owned and operated by a third party (processor). The controller agreed with the DPC that there were systematic problems arising from changes in the customer database system and, together with the processor, made some changes. This case demonstrates how the DPC monitors breaches notified under Article 33 of the GDPR, that controllers must monitor the performance of their processors, and how improvements may have unforeseen side-effects.

Statutory Inquiries

At the end of December 2021, the DPC had 81 statutory inquiries on-hand, including 30 cross-border inquiries.
The Annual Report provides a comprehensive breakdown of some of the domestic and cross-border inquiries not yet concluded by the DPC.

Decisions

Inquiries concluded in 2021 include the investigation of WhatsApp for failure to comply with its transparency obligations, investigations into personal data breaches with the Irish Credit Bureau, MOVE Ireland and the Teaching Council and an investigation into Limerick City and County Council for a range of issues in relation to its use of CCTV.

As an overview, the DPC:

concluded five large-scale inquiries;
sent four draft decisions to the Article 60 GDPR process (cooperation between the lead supervisory authority and the other supervisory authorities concerned), and referred one case to the Article 65 process (dispute resolution by the board);
issued nine preliminary draft decisions; and
sought submissions on statement of issues or inquiry reports in 17 cases.

Decisions where a significant sanction or corrective measures was applied in 2021

Entity	Date	Corrective Power Exercised	Fine(s)
Irish Credit Bureau DAC	23 March 2021	Reprimand – Art 25(1), Art 5(2) and Art 24(1)	€90,000
WhatsApp Ireland Ltd	28 July 2021	Reprimand Order to bring processing into compliance	€225 million
MOVE Ireland	20 August 2021	Reprimand – Art 5(1)(f) and Art 32(1)	€1,500
Teaching Council of Ireland	2 December 2021	Order to bring processing into compliance Reprimand – Art 5(1)\|(f) and 32(1)	€60,000
Limerick City and County Council	9 December 2021	Temporary ban on processing Order to bring processing into compliance Reprimand on a number of issues	€110,000

The authors wish to thank Shay Buckley and Ciara Monaghan for their contribution to this briefing.

Footnote

1. The EU Electronic Communications Code will be implemented by way of two pieces of legislation in Ireland – the Government has published a summary of the Communications Regulation (Enforcement) Bill 2022 and a draft of the European Union (Electronic Communications Code) Regulations 2022 – both of which are available here.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.

Ireland: The Data Protection Commission's 2021 Annual Report