The Data Protection Commissioner (DPC) has published her Annual Report for 2016. It highlights key developments and activities of her Office last year, as well as priorities for 2017, which will be “all about GDPR readiness“. 2016 was a busy year for the DPC’s Office. It dealt with an increased number of queries, complaints and data breach notifications. The DPC continued her engaged approach to regulation, engaging extensively with multinational companies, such as Facebook, LinkedIn, Apple and WhatsApp on proposed new policies, products and services, conducting over 100 face-to-face meetings. The DPC also engaged with a number of entities in the public, health and private/financial sectors.
Highlights of the 2016 Report include:
Increase in Complaints
The DPCreceived over 1,400 complaints. Once again, the largest category of complaints concerned access requests (56%). Whilst the DPC resolved the majority of complaints amicably, she issued 59 formal decisions, compared to 52 in 2015. She also continued her pursuit of private investigators who unlawfully obtain and disclose personal data to third parties, which resulted in the successful prosecution of two investigators. Nine other entities were prosecuted for electronic marketing offences.
Highest number of Breach Notifications from Financial Sector
The DPC received 2,224 voluntary data-breach notifications, compared to 2,317 notifications in 2015. As in 2015, the largest category of data breaches reported involved unauthorised disclosures such as postal and electronic disclosures, the majority of which occurred in the financial sector (43%). 2016 also saw a rise in network-security compromises (e.g. ransomware and malware attacks) and website-security breaches (e.g. fraudulent credit card scraping from websites) reported to the DPC.
The DPC carried out 50 audits and inspections. It conducted in-depth audits of State Agencies, including An Garda Síochána, Revenue Commissioners Defence Forces and GSOC, who may make requests for data to communication service providers, under the Communications (Retention of Data) Act 2011. No data protection issues of concern arose as a result of those audits. The Audit Team concluded that the principles of proportionality, necessity, and relevance were applied in all disclosure requests examined and all requests were reviewed, signed and approved at the required level.
However, the Report highlights that Ireland’s surveillance and interception laws require modernisation both to bring them up-to-date to ensure that law enforcement and intelligence agencies have state-of-the-art powers but also to ensure that the rights of individuals are adequately protected, in particular through independent oversight of how these powers are deployed. The Government Legislation Programme for Spring/Summer indicates that the drafting of an Interception of Postal Packets and Telecommunications Messages (Regulation) (Amendment) Bill is currently underway.
A number of audits were also conducted of health insurance providers, telecoms companies, and retailers. The DPC further investigated the retail outlets in order to learn more about the retention of credit-card details by retailers. Common audit findings included: employers seeking PPSNs; ad hoc arrangements for delivering post to business reception areas in sight of the general public; illegal use of enforced access requests; retaining data for longer than necessary; and unsolicited direct marketing. As usual, the Appendix to the Report lists those entities which were audited.
The DPC served two statutory enforcement notices where there was persistent failure to engage with the DPC and comply with directions of the DPC. A number of information notices were also drafted but none were ultimately required to be issued, as the data controllers involved provided the information requested.
In addition to the DPC seeking a reference to the CJEU to examine the validity of standard contractual clauses, the DPC was a respondent/defendant in three other court proceedings. In Nowak v the DPC  IESC 18, the Supreme Court held that there is a right of statutory appeal against a decision by the DPC not to investigate a complaint. The Court also referred the question as to whether an exam script constitutes personal data to the CJEU. That referral is still pending. In Martin v DPC  IEHC 479, the High Court ruled that the DPC does not have the power to conduct an oral hearing in relation to complaint made under the Data Protection Acts 1988-2003. The Judge noted that the data subject could have appealed the DPC’s decision to the Circuit Court and the data controller, against whom the complaint was made, could have been joined as a notice party to that case. This process would have afforded the data subject an oral hearing and the resolution of the factual dispute as issue. In the final case, Savage v DPC, the Circuit Court held that the DPC was wrong to uphold Google’s refusal to take down a link to a discussion forum webpage, as requested by the complainant. The Court concluded that the webpage link bore the resemblance of a verified fact, and therefore it was not accurate, because it was not clear from the link that the original poster was expressing their opinion. This decision has been appealed and is due to be heard in May 2017.
The Appendix to the Report includes a number of case-studies which offer a useful insight into the approach of the DPC across a range of issues, including prosecutions of private investigators; prosecutions for marketing offences; data breaches and refusal of access requests. The cases studies demonstrate a failure by organisations to ensure that individuals are adequately on notice of how their data is being processed. Employee monitoring by means of CCTV remains a concern, with employers often failing to make the rules around reliance on CCTV footage in disciplinary processes clear to employees. In addition, the leaking of data from government bodies to private investigators continues to be a challenge to be tackled. The Report further discusses a number of significant judgments delivered by the CJEU in 2016 relating to data protection law, including VKI v Amazon, Breyer v Germany, Tele 2 Sverige v Sweden post and Watson v UK.
What’s coming down the tracks in 2017?
The DPC has stated that the next 12 months will be “all about the GDPR – both getting ready as an EU data protection authority and helping organisations get prepared“. The GDPR introduces a sweeping new data protection regime, increasing the obligations of companies and providing stronger rights for individuals, the consequences of non-compliance have also been completely transformed, so it is vital that companies start taking steps to comply with the new rules now, to be ready for the 25 May deadline.
The DPC envisages that with BCRs being recognised as a data transfer tool under the GDPR that there will be an increase in such applications. During 2016, the DPC acted as lead reviewer in relation to seven BCR applications that will be finalised in 2017. It also acted as co-reviewer in four BCR applications, two of which were approved in 2016 – Starwoods and Mastercard.
The recent addition of three deputy commissioners, along with additional specialist staff, and an increased budget of €7.5m for 2017, will also allow the DPC’s office to be more proactive in enforcing data protection law. The Report notes that the DPC’s Special Investigation Unit will be opening a new investigation in the hospitals sector in 2017. The Unit intends to carry out physical inspections at hospitals across the State, to gain an insight into the processing of sensitive patient data in public areas of hospitals.
The DPC also plans to engage with the European Data Protection Supervisor (the EDPS) initiative to drive closer engagement between competition, consumer and data protection regulators to ensure that European data subjects and consumers are benefitting fully from ‘fairness’ in terms of the online services to which they subscribe.