The Data Protection Commissioner (DPC) has published her Annual Report for 2017, which discusses the key activities and challenges of her office last year, as well as her priorities for the coming year. The DPC spent much of 2017 raising awareness of the GDPR. She continued to engage with organisations in regard to their data protection law compliance, carrying out over 200 consultations and 100 face-to-face meetings in which preparation for the GDPR was a constant feature. The DPC dealt with a record number of complaints (2,642), most of which were resolved amicably. She was also busy on the litigation front, particularly in regard to court proceedings concerning the validity of the EU Standard Contractual clauses as a legal mechanism to transfer personal data out of the EEA.
Litigation & Data Transfers
The Report highlights the Irish High Court’s decision last October 2017, in DPC v Facebook and Schrems, to refer questions as to the validity of the Standard Contractual Clauses to the EU Court of Justice (CJEU). That reference will be made during 2018, once the High Court has finalised the specific questions to be referred to the CJEU (see our previous blog). In addition, the EU-US Privacy Shield was subject to, and survived, its first annual review carried out by the European Commission and to which the Article 29 Working Party (WP29) contributed. The DPC also acted as lead reviewer in relation to 14 Binding Corporate Rules (BCR) applications, and co-reviewer in three BCR applications. It is envisaged that with the recognition of BCRs as a tool to transfer data under the GDPR, and the introduction of the one-stop-shop mechanism, that there will be an increase in BCR applications to the DPC from May 2018.
In December 2017, the CJEU delivered its ruling in Nowak v DPC (see our previous blog) on foot of a reference from the Irish Supreme Court. In that case, the CJEU ruled that an exam script was “personal data” because even if the examiner did not know the identity of the candidate when he/she was marking the exam, the exam board had the information needed to identify the candidate through his/her identification number. Following its earlier decision in Breyer (2016), the CJEU held that in order for information to be treated as “personal data” there is no requirement that all the information enabling the identification of the data subject be in the hands of one person, so long as there is a means reasonably likely to be used to identify the data subject. The CJEU further ruled that the examiner’s comments were “personal data” as they constituted information “relating to” the candidate. The Report notes that this decision gives rise again to the debate about what one academic has termed the “unfathomable scope” of data protection law.
Finally, at an international level, the Report highlights that the US Supreme Court has accepted for hearing the US Department of Justice’s appeal concerning its attempt to obtain, by US court warrant under the 1986 Stored Communications Act, data held by Microsoft on a service in Ireland. Microsoft contends that people’s privacy rights should be protected by the laws of their own countries, and that US law enforcement needs to go through Irish authorities if they want to obtain the emails. The US has a Mutual Legal Assistance Treaty (MLAT) with Ireland, and Microsoft argues that US law enforcement could simply use the MLAT to ask Irish authorities for help. The DPC notes that cases such as this “demonstrate the burgeoning importance of data protection and privacy as fundamental human rights.”
Proactive Engagement with the Financial Sector
The Report notes that one of the significant areas of development in 2017 in the Financial Sector was the entry into the marketplace of third party payment and account information service providers under the Payment Services Directive 2015/2366 (PSD2). In 2018, the DPC intends to continue its engagement with key stakeholders including industry representatives bodies, financial services regulators, relevant Government Departments, and its EU counterparts to assist both banks and new entrants from the FinTech sector to ensure that the processing of personal data in the provision of innovative payment products under PSD2 is in compliance with data protection law, particularly the GDPR principle of transparency. The DPC also intends to further engage with the Financial Sector in relation to other evolving areas such as Anti-Money Laundering (AML) (in relation to the 4th and anticipated 5th AML Directives), anti-fraud and credit reporting which involve the large-scale processing of customers’ personal data.
Other Engagement Activities
The DPC also engaged with multinational technology and social media companies during 2017, which spanned over 100 meetings. The DPC’s priority was to ensure these companies have a lawful basis for collecting personal data and provide full transparency to users so that they can understand the business model and implications of free services and how their personal data is monetised and used. Driving higher standards of protection for children when using the internet and social media has also been a key concern.
In addition, the DPC’s office engaged extensively with the WP29, acting as “lead rapporteur” on the GDPR Transparency Guidelines with responsibility for drafting and preparing these Guidelines, in conjunction with other WP29 members. The Guidelines were published in preliminary form for EU wide consultation in December 2017, and are expected to be finalised and adopted by the WP29 in April 2018. Speaking at A&L Goodbody’s recent breakfast seminar, ‘GDPR – The Last Lap‘, Ms Morgan, Deputy DPC, noted that she was reviewing 66 consultation responses on the preliminary Guidelines, including a number of objections to the requirement for controllers to provide information to data subjects in privacy notices on the outcome of the balancing test when relying on “legitimate interests” as a basis for lawful processing. The schedule to the Guidelines sets out the WP29’s comments on the extensive information that must be provided to data subjects in privacy notices post-May 2018.
The Report notes that the nature of the consultation queries received by the DPC indicates that data protection is becoming a more significant boardroom issue, and there is a growing appreciation among businesses of the reputational damage and financial loss that can be caused by the mishandling of personal data. The DPC emphasises that “it is “imperative… in line with the principle of accountability”, that organisations can stand over and justify their data processing arrangements and be able to demonstrate compliance with the GDPR.
Complaints & Prosecutions
The DPC received 2,642 complaints in 2017, up from 1,479 in 2016 (a 79% increase from 2016) with the largest single category continuing to concern “Access Rights” which made up 1,372 (or 52%) of the total. The majority of complaints were resolved amicably, with only 34 written statutory decisions being issued. The Report highlights that most of the complaints which could not be resolved amicably concerned issues arising as a result of the financial crash, in particular cases involving the transfer of loan books to new lenders and receiverships where buy-to-rent owners are involved, as their fundamental grievance relates to the underlying transaction itself or the actions of the lender, rather than data protection issues per se. The Report points out that whilst personal data is transferred and processed in such circumstances, it is generally provided for in the original terms the borrower signed.
The case study section of the Annual Report sets out 17 illustrative complaints which the DPC handled during 2017. The case studies relate to a wide variety of data protection issues such as: use of CCTV footage by an employer in a disciplinary process; failure to respond fully to an access request; unlawful disclosure of personal data by an employee via a social media app; failure of an employer to impose access restrictions to medical data of an employee, and unsolicited marketing offences.
A number of prosecutions were successfully pursued by the DPC, including six entities for unsolicited electronic marketing. The DPC’s Special Investigations Unit also continued its work in the Private Investigator sector resulting in several prosecutions. Given the high level of breaches uncovered in the Private Investigator sector, the DPC intends to continue to focus on this sector for the foreseeable future.
Investigations & Audits/ Inspections
Over 91 audits/inspections were carried out in 2017. The Special Investigations Unit also carried out a number of investigations, including in regard to the processing of patients’ sensitive data by hospitals, where such data was being held in publicly accessible areas. On a geographical basis, the hospitals inspected represented a broad sample from across the State, including HSE facilities, private and voluntary hospitals. Building on the findings of the hospital inspections, the Special Investigations Unit is currently drawing up an overall investigation report for dissemination in the first half of 2018, to every hospital in the State. Matters of concern found in the twenty hospitals inspected include: controls in medical record libraries; storage of confidential wastepaper within the hospital setting; and lack of privacy when discussing medical and other personal issues. Having disseminated the overall report to all hospitals, the DPC will seek an action plan from each of them outlining how and when they will implement the recommendations.
The DPC also conducted an audit of certain prescribed state agencies who are permitted to make requests to communications service providers (CSPs), for disclosure of metadata (i.e. call and traffic data) relating to phone and internet records pursuant to the Communications (Retention of Data) Act 2011, for the purpose of the prevention, investigation, detection and prosecution of serious crime. The DPC conducted a series of audits of disclosure requests processed by CSPs to ensure the processing of such requests was in compliance with data protection law. The 2011 Act assigns a specific role to the DPC as national supervisory authority for the purposes of that Act. The DPC made a number of recommendations in terms of security measures, procedures and oversight which should be implemented by CSPs, and will conclude its series of audits of CSPs in 2018. The Report notes that last October 2017, the Government published draft legislation to replace the 2011 Act, namely the General Scheme of the Communications (Retention of Data) Bill 2017 in response to Chief Justice Murray’s Report which identified numerous failings with the current regime. The DPC warns that retaining the current status quo is “simply not an option” and urges the Irish Government to immediately prioritise the new legislation, which includes a requirement for judicial pre-authorisation for access by state agencies to data and proactive notification to users after the fact (see our previous blog on this draft Bill).
There was a surge in data breach notifications in 2017, the majority continuing to come from the financial services sector. A total of 2,795 breaches were recorded by the DPC in 2017, an almost 26% increase form 2016, despite the mandatory requirement under the GDPR to report data breaches posing a risk to data subjects not kicking in until 25 May 2018. Ms Morgan noted at A&L Goodbody’s breakfast seminar, that post-GDPR the DPC’s office expects to receive up to 100,000 breach notifications per year, a number of which are likely to be unnecessary, as organisations will play it safe, notifying even where the circumstances of the breach do not bring it within the parameters of an actual breach as defined in Article 4(12) of the GDPR. Ms Morgan warned that companies who flood her office with incidents which do not fall within the parameters of a breach, in an attempt to ward off regulatory action, will be counter-productive and will result in enforcement action against organisations to prevent on-going notification of non-breach incidents. However, the DPC will equally enforce against those organisations who under-declare the severity of a breach. The annex to the WP29 Guidelines on Breach Notification helpfully provides a list of non-exhaustive examples of reportable breaches, which is well worth reading.
In 2017, the DPC’s office investigated 19 data breaches involving multinational companies. The DPC highlighted that these breaches largely involved overreliance on data processors to implement appropriate security measures, such as reliance on the default security settings offered by cloud-service providers, which in many cases led to unauthorised access to personal data; failure to ensure that processors complied with their obligations to securely process personal data on the instruction of the controller, and failure to undertake periodic reviews of security measures and apply critical updates and security patches. Companies should take note of these common types of breaches, as they will face significant fines, as well as potential compensation claims, for such breaches post-May 2018.
The Year Ahead
The Report sets out the DPC’s main goals for 2018, which include:
- Proactively targeting and engaging with public and private sector organisations, particularly in areas of highest risk and large-scale systemic data processing;
- Providing guidance to controllers and processors on its microsite www.GDPRandyou.ie;
- Pursing regulatory action, including sanctions, in a “lawful, fair, proportionate and effective manner”, with the objective of driving better compliance and accountability by organisations in upholding their data protection obligations;
- Engaging proactively at EU level through the WP29 to the development of a harmonised interpretation of the new laws and preparation of GDPR guidance;
- Engaging with stakeholders and other EU supervisory authorities to identify areas of bad practice and serious non-compliance, which may require enforcement measures, and
- Driving improved compliance with data protection obligations through investigations and audits targeting high-risk and large-scale processing of personal data.
The DPC, like other stakeholders, is eagerly awaiting the finalisation and enactment of the Irish Data Protection Bill 2018, which is currently before the Oireachtas. That legislation will give further effect to the GDPR in areas where national derogations are permitted, and will transpose the Law Enforcement Directive into Irish law, as well as further underpinning the structures, functions and powers of the DPC. The Irish Government has committed to finalising the Bill by 25 May 2018, when the GDPR comes into force.