24/03/2023
Briefing

The DPC concluded a number of large-scale inquiries in 2022, including several high-profile cross-border decisions against some of the largest social media and Big Tech companies in the world. The DPC also imposed some high-value, high-profile fines, with the total value exceeding 1 billion euro. This figure amounted to over two thirds of the total fines issued by data protection authorities across the EU, EEA and UK. The DPC also received large numbers of consultation requests and had a busy year in terms of engagement with the European Data Protection Board (“EDPB”) and other national supervisory authorities.

Complaints, Inquiries and Decisions In Focus: 

Contacts, Queries and Complaints

From 1 January 2022 to 31 December 2022, the DPC:

  • received 21,230 electronic contacts, 16,855 phone calls and 1,118 postal contacts;
  • processed 9,370 new cases (a decrease of 14% on 2021 case figures), of which 6,660 were in the nature of queries that could be dealt with relatively expeditiously and 2,710 that progressed to a formal complaint-handling process; and
  • concluded 10,008 cases in 2022 of which 3,133 were resolved through formal complaint-handling.

Top 5 categories of complaints received under the GDPR in 2022:

| Complaints Received under the GDPR | Number | % of Total Complaints |
|---|---|---|
| Access Request | 1,142 | 42% |
| Fair Processing | 383 | 14% |
| Right to erasure | 263 | 10% |
| Direct Marketing | 235 | 9% |
| Disclosure | 183 | 7% |

Notable Case Studies from the Annual Report

Access Requests: The DPC received 1,142 new access complaints and concluded 1,255 complaints in 2022.

Case Study 1: Failure to Respond to an Access Request
An individual made a subject access request to an organisation for a copy of all information held regarding his engagement with them but did not receive a response. The individual then complained to the DPC, which intervened to resolve the matter. The individual was not satisfied that all documents were provided. However, the data controller claimed the personal data had been provided in another format. The DPC clarified that access rights are about access to personal data, not documents, and that the data controller had provided all the data to which the individual was entitled in an intelligible form. Therefore, the DPC advised the complainant that he had been provided with all the data he was entitled to under data protection legislation.

Key Takeaway 1: DSARs apply to personal data, not to documents.

Case Study 7: Restrictions on Right to Access
The Director of Public Prosecutions (“DPP”) imposed restrictions on an individual’s access request to an investigation file, witness statement, interviews, and correspondence with An Garda Síochána (“AGS”) under Sections 94(2)(c) and 91(7) of the Data Protection Act 2018. The DPP cited the need to protect the rights and freedoms of other persons and the potential revelation of another individual’s identity. The DPC probed the restrictions on a case-by-case basis, examined the claims of privilege, and found that the restrictions invoked were valid and that legal privilege applied to the data sent between AGS and the DPP.

Key Takeaway 2: When relying on legal privilege or other exceptions to DSARs, if you document your reasoning carefully the DPC may well support your analysis.

Right to Erasure:

Case Study 6: Right to be Forgotten
The complaint concerned Microsoft Ireland’s response to a right to be forgotten request. The individual requested that seven URLs be removed from Microsoft’s search engine because they contained their National Identity Number, which they believed increased the risk of identity theft. Microsoft initially refused the request, citing the public relevance of the information as the information was published in an official bulletin of the Spanish Government. The DPC intervened and contacted the Spanish Data Protection Authority, which clarified that Spanish law had been modified as a result of the GDPR, and the government could no longer disclose citizens’ complete National Identification Numbers. Microsoft agreed to delist the URLs based on the updated national legislation.

Key Takeaway 3: The DPC will probe complaints allegedly based on other local laws with other EU Supervisory Authorities.

Case Studies 18 and 19: Article 60 decision ID Request, Erasure Request
Case studies 18 and 19 address similar issues with respect to erasure requests, where the data controller sought a copy of photographic ID. In case study 18 the DPC found that Twitter’s requirement to verify the identity of the complainant by asking for a copy of their photographic ID infringed the principle of data minimisation under Article 5(1)(c) of the GDPR. Additionally, Twitter had not identified a valid lawful basis under Article 6(1) of the GDPR for seeking a copy of the complainant’s photographic ID to process their erasure request. Twitter was found to have infringed Article 17(1) of the GDPR by delaying in handling the erasure request, and Article 12(3) by failing to inform the data subject within one month of the action taken on their erasure request.

Similarly, in case study 19 the DPC found that a request for photographic ID by Airbnb Ireland UC infringed the principle of data minimisation and that the legitimate interest pursued by the controller did not constitute a valid lawful basis under the GDPR. Airbnb was also found to have infringed Article 12(3) of the GDPR with respect to its handling of the complainant’s access request. In light of these infringements, the DPC issued a reprimand to Airbnb Ireland UC and ordered it to revise its internal policies and procedures for handling erasure requests.

Key Takeaway 4: The controller must take reasonable steps to facilitate data subjects exercising their erasure rights.

Direct Marketing

The DPC received 204 new complaints in relation to electronic direct marketing under the EC (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“ePrivacy Regulations”) in 2022, including 118 complaints in relation to email messages, 52 complaints in relation to text messages, 28 complaints in relation to cookies and six complaints concerning phone calls. The Annual Report notes the successful prosecution by the DPC of Guerin Limited for unlawful marketing without consent.

Disclosure:

Case Study 8: Disclosure without consent
A person complained to the DPC that the Criminal Assets Bureau (“CAB”) disclosed their financial information to others without their consent during legal proceedings under the Proceeds of Crime Act 1996-2016. CAB explained that the information was needed to establish the origin of the property involved in the proceedings, and that it was intertwined with the personal data of the individuals being prosecuted. The DPC noted that these proceedings are governed by section 158(1) of the Data Protection Act, which allows for restrictions on GDPR and Law Enforcement Directive rights to protect judicial independence and proceedings.

Key Takeaway 5: The DPC will permit law enforcement to obtain and disclose personal data where there is a lawful basis set out in the Data Protection Act 2018.

Case Study 9: Disclosure of Sensitive Data
A clothing and food company was reported to the DPC for disclosing an individual’s personal medical information by printing “Coeliac Mailing” on the outside of an envelope. The individual had signed up to receive an ‘Annual Certificate of Expenditure’ of gluten-free products purchased during the year, which could be used for tax purposes. The DPC advised the store that health data is sensitive and has additional protection under Article 9 of the GDPR. The store agreed to cease using the wording “Coeliac Mailing” on the outside of envelopes for all future mailings.

Key Takeaway 6: Even relatively innocuous data relating to common conditions can constitute special category data that requires additional care.

Data Breach Notifications

The DPC received 5,828 valid data breach notifications in 2022, a decrease of 12% on 2021 figures. A total of 5,695 valid GDPR breaches were recorded, representing a 13% decrease on 2021 figures overall.

Data breach notifications in 2022 by sector:

  • Private sector: 52%
  • Public sector: 44%
  • Voluntary and Charity sector: 4%

  • Similar to 2021, public sector bodies and banks accounted for the “top ten” organisations in terms of the highest number of breach notifications recorded against them, with insurance and telecom companies featuring prominently in the top twenty.
  • Trends have arisen with breach notifications related to financial institutions, with repeated instances of poor operational practices and human error including inserting a wrong document into an envelope addressed to an unrelated third party, and lack of caution with autofill options on e-mail address bars leading to e-mails being sent to incorrect addressees. Notably, 62% of the overall total number of breaches reported to the DPC in 2022 arose from correspondence inadvertently being misdirected to the wrong recipients.
  • Breach notifications helped the DPC to identify trends, and have led to inquiries into, among others, Bank of Ireland, An Garda Síochána and Limerick City and County Council. The learnings from these inquiries have led to increased reports from lending institutions about their processing operations and have helped the proactive identification of gaps in operating practices.

Breach notifications by category:

  • Disclosure (unauthorised): 68%
  • Unintentional alteration (personal data disclosed): 11%
  • Unauthorised access: 8%
  • Paper lost/stolen official documentation: 7%
  • Availability - accidental (loss or destruction of personal data): 6%

Notable Data Breach Case Studies from the Annual Report

Case Study 14: Disclosure of account statements by a bank to the representative of a joint account holder
The complaint in this case was that a bank had disclosed copies of bank statements containing the complainant’s personal data to solicitors acting for the other joint account holder, without the complainant’s consent. The bank argued that it was entitled to do so, as joint account holders are entitled to access the details and transaction information of the joint account as a whole. The DPC found that the bank had a lawful basis for the disclosure under the “legitimate interests” lawful basis, as the solicitors were seeking the statements for legitimate purposes. The DPC also found that the bank had complied with its obligations under data protection law to ensure the security of personal data. Therefore, the DPC did not uphold the complaint.

Key Takeaway 7: Where the data of two people is inherently linked, consent or redaction of the other person’s information may not be required when disclosing documents for a legitimate purpose.

Case Study 16: Hacking of a third party email
A Hospice Care Centre used Microsoft Office 365 and engaged third party IT Consultants. The IT Provider conducted an Office 365 audit and recommended implementing Multifactor Authentication (“MFA”) and disabling forwarding rules on all user accounts. A user’s credentials were subsequently compromised due to a brute force attack that could have been prevented if MFA was implemented. The compromised password was reset, and MFA was introduced for this user. The introduction of MFA for all users has started. The breach could have been prevented if the audit recommendations were implemented on time.

Key Takeaway 8: Ignore IT security best practices like MFA at your peril.

Inquiries and Cross Border Inquiries

The DPC concluded 17 large-scale inquiries (both national and cross-border) in 2022, against various Big Tech companies and public bodies. Several of these inquiries led to the imposition of serious reprimands and corrective actions.

Some of the more notable fines issued on foot of the conclusion of inquiries in 2022 include:

| Entity | Corrective Measures Imposed | Reason | Fine (€) |
|---|---|---|---|
| Meta (Instagram) | Reprimand re Articles 5(1)(a), 12(1), 35(1), 24(1), 5(1)(c), 25(2), 6(1) and 25(1) GDPR; Orders re Articles 5(1)(a), 12(1), 35(1), 24(1), 5(1)(c), 25(2), 6(1) and 25(1) GDPR | Failure to implement appropriate safeguards in relation to children’s data | 405 million |
| Meta (Facebook) | Reprimand re 25(1) and 25(2) GDPR; Order re Art 25(2) GDPR | Data scraping infringements | 265 million |
| Meta (Facebook) | Order re Articles 5(1)(a), 12(1), 13(1)(c) and 6(1) GDPR | Incorrect reliance on contract as a legal basis; lack of transparency | 210 million |
| Meta (Instagram) | Order re Articles 5(1)(a), 12(1), 13(1)(c) and 6(1) GDPR | Incorrect reliance on contract as a legal basis; lack of transparency | 180 million |
| Meta (Facebook) | None | Data breach failures | 17 million |
| Bank of Ireland PLC | Reprimand re Articles 33, 34 and 32 GDPR; Orders re Article 32 GDPR | Unauthorised disclosure of personal data to the Central Credit Register | 463,000 thousand |

Ongoing Inquiries:

As of 31 December 2022, the DPC was conducting 88 statutory inquiries, including 22 large-scale cross-border inquiries. As of the same date, four DPC draft decisions in large-scale inquiries had been referred to the EU co-decision making process (Article 60 GDPR), including:

  • TikTok: This involved an inquiry into TikTok’s compliance with the GDPR’s transparency obligations and its data protection by design and default requirements as they related to the processing of personal data in the context of platform settings for users under age 18 and age verification measures for persons under 13. The inquiry was commenced in September 2021 and the DPC submitted its Draft Decision to the Article 60 process on 13 September 2022.
  • Airbnb: This inquiry involved a suspected unlawful request by Airbnb for a copy of ID to verify the complainant’s identity. The DPC felt this processing had a legitimate interest given, among other things, the potential for users and hosts on the website to meet, therefore requiring enhanced safety and security measures such as ID verification. The DPC did not receive any relevant or reasoned objections to the draft decision from the concerned supervisory authorities under Article 60(4) GDPR.
  • Meta Platforms Ireland Limited: This was an own-volition inquiry into data transfers between the EU and US in relation to Facebook services. There is also a separate complaint-based inquiry arising from a complaint made by Mr Maximilian Schrems against Meta Platforms Ireland Limited (formerly Facebook Ireland Limited). The DPC circulated its draft decision in the own-volition matter to the Concerned Supervisory Authorities (“CSAs”) in July 2022, for the purposes of the co-decision making process outlined in Article 60 GDPR. In response to a number of Supervisory Authorities raising objections or making comments on the decision, the DPC issued a composite response in September 2022. Several of the CSAs maintained their objections, and the DPC subsequently triggered the Article 65 dispute resolution process which is still ongoing.

The DPC had, by 31 December 2022, progressed nine large-scale inquiries to the point where submissions on a draft decision, statement of issues or inquiry reports were invited from the relevant parties.

The Annual Report also contains a chart outlining every Article 60 draft decision prepared by the DPC, with a grid of the objecting Member States to each draft decision. Germany was the top objector, objecting to 13 of the 18 draft decisions.

Fines and Procedural Difficulties with the One Stop Shop (“OSS”) Mechanism:

The Dublin Circuit Court confirmed six of the DPC’s imposed fines, ranging from 1,500 to 17 million euro. All of these fines have been collected and transferred to the central exchequer in Ireland. Many of the larger fines imposed have yet to make their way to the exchequer due to a series of appeals and judicial review proceedings. These appeals will potentially also involve references to the Court of Justice of the European Union (“CJEU”) over matters of interpretation of the GDPR. As it currently stands, controllers and complainants cannot complain directly against the judgement of the EDPB that informs the DPC’s final decisions in cases, but instead must appeal the DPC decision and ask for a preliminary reference to be sent to the CJEU on the validity of the underlying EDPB decision. The Annual Report notes this will lead to procedural delays. Ultimately, the DPC notes that the OSS and other cooperation mechanisms with EU supervisory authorities have created a “legal maze” and an ever more complex landscape for litigators and data practitioners.

Funding and Staff

The DPC received €23.234 million in budget for 2022, which represents a 21.5% increase on 2021. They also increased their staff numbers by 51.

Looking forward to 2023 

  • While there has been promising progression throughout the year, the Annual Report acknowledges that, given the 45 cases in front of the CJEU on the interpretation of the GDPR, it is likely to be some time before we see clarification on the interpretation of key articles of the GDPR.
  • Claims for compensation under the GDPR continue to see very modest awards being issued at the EU level. For example, in Ireland, Section 117 of the Data Protection Act 2018 was tested for the very first time in the Irish courts but the claim was dismissed on account of the claimants failing to prove any actual loss. How this will develop remains to be seen.
  • The DPC’s Regulatory Strategy 2022-2027 sets out a commitment to prioritise the protection of children and other vulnerable groups. The recently published decision against Instagram saw the DPC investigate the data protection rights of children. We can expect to see further measures and advice aimed at the protection of the data of these groups in the coming years.
  • We will see the start of the application of certain provisions of the Digital Services Act (Regulation (EU) 2022/2065), Digital Markets Act (Regulation (EU) 2022/1925) and the Online Safety and Media Regulation Act 2022 towards the end of 2023 and the start of 2024, which will ultimately enable the entry of regulators of digital platforms “onto the pitch”. This has potential to further complicate an already complex enforcement and cooperation regime, but will also bolster the work of the DPC in their enforcement activities in Ireland. In this regard, the establishment of the Digital Regulators Group should assist the DPC in enforcement and in helping ensure compliance.
  • The DPC ultimately indicated satisfaction with their work in 2022, and felt their work in 2023 “is set to continue this trend” as the DPC seeks to “pursue the issues of greatest consequence for data subjects, drive compliance, and, most importantly, safeguard individuals’ rights.”

The authors would like to thank Luke Lyons and Éimear Devaney for their contribution to this article.