The Data Protection Commission’s 2022 Annual Report
On 7 March 2023, the Data Protection Commission (“DPC”) released its 2022 Annual Report. We have summarized the key points from the 90-page Report below.
The DPC concluded a number of large-scale inquiries in 2022, including several high-profile cross-border decisions against some of the largest social media and Big Tech companies in the world. The DPC also imposed some high-value, high-profile fines, with the total value exceeding 1 billion euro. This figure amounted to over two thirds of the total fines issued by data protection authorities across the EEA and the UK. The DPC also received large numbers of consultation requests and had a busy year in terms of engagement with the European Data Protection Board (“EDPB”) and other national supervisory authorities.
1. COMPLAINTS, INQUIRIES AND DECISIONS IN FOCUS:
1.1 Contacts, Queries and Complaints
From 1 January 2022 to 31 December 2022, the DPC:
- received 21,230 electronic contacts, 16,855 phone calls and 1,118 postal contacts;
- processed 9,370 new cases (a decrease of 14% on 2021 case figures), of which 6,660 were in the nature of queries that could be dealt with relatively expeditiously and 2,710 that progressed to a formal complaint-handling process; and
- concluded 10,008 cases of which 3,133 were resolved through formal complaint-handling.
1.2 Top 5 categories of complaints received under the GDPR in 2022:
Complaints Received under the GDPR | Number | % of Total Complaints |
---|---|---|
Access Request | 1,142 | 42% |
Fair Processing | 383 | 14% |
Right to erasure | 263 | 10% |
Direct Marketing | 235 | 9% |
Disclosure | 183 | 7% |
1.3 Sample Case Study Examples from the Annual Report:
(a) Access Requests: The DPC received 1,142 new access complaints and concluded 1,255 in 2022.
Case Study 1: Failure to Respond to an Access Request |
---|
An individual made a subject access request to an organization for a copy of all information held regarding his engagement with them but did not receive a response. The individual then complained to the DPC, which intervened to resolve the matter. The individual was not satisfied that all documents were provided. However, the controller claimed the personal data had been provided in another format. The DPC clarified that access rights are about access to personal data, not documents, and that the controller had provided all the data to which the individual was entitled in an intelligible form. Therefore, the DPC advised the complainant that he had been provided with all the data he was entitled to under data protection legislation. |
(b) Right to Erasure:
Case Study 19: Article 60 decision concerning Airbnb Ireland UC – Delayed response to an Access Request and an Erasure Request |
---|
The DPC found that Airbnb Ireland UC infringed several articles of GDPR in response to a complaint lodged by a customer. The complaint alleged that Airbnb failed to comply with an erasure request and a subsequent access request within the statutory timeframe. The complaint also outlined that Airbnb requested that the customer provide a copy of their photographic ID, which the customer had not previously provided to Airbnb. The DPC found that Airbnb's request for photographic ID infringed the principle of data minimization and that the legitimate interest pursued by the controller did not constitute a valid lawful basis under the GDPR. Further, Airbnb infringed Article 12(3) of the GDPR with respect to its handling of the complainant's access request. In light of these infringements, the DPC issued a reprimand to Airbnb Ireland UC and ordered it to revise its internal policies and procedures for handling erasure requests. |
(c) Direct Marketing: The DPC received 204 new complaints in relation to electronic direct marketing in 2022, including 118 complaints in relation to email messages, 52 complaints in relation to text messages, 28 complaints in relation to cookies and 6 complaints concerning phone calls. A total of 207 electronic direct marketing investigations were concluded in 2022, with two successful convictions, resulting in total combined fines of €6,500.
Case Study 11: Prosecution of Vodafone Ireland Limited |
---|
The DPC received a complaint from an individual in July 2021 about an unsolicited marketing call from Vodafone. Vodafone admitted that due to human error, the complainant was included in the marketing campaign despite opting out in 2018. Vodafone had previously been prosecuted five times for similar breaches. In June 2022, Vodafone pleaded guilty to one charge and made a charitable donation of €500 to Little Flower Penny Dinners. The Probation of Offenders Act 1907 was applied, and Vodafone discharged the DPC's legal costs. |
(d) Disclosure:
Case Study 9: Disclosure of Sensitive Data |
---|
A clothing and food company was reported to the DPC for disclosing an individual's personal medical information by printing “Coeliac Mailing” on the outside of an envelope. The individual had signed up to receive an 'Annual Certificate of Expenditure' of gluten-free products purchased during the year, which could be used for tax purposes. The DPC advised the store that health data is sensitive and has additional protection under Article 9 of the GDPR. The store agreed to cease using the wording “Coeliac Mailing” on the outside of envelopes for all future mailings. |
2. DATA BREACH NOTIFICATIONS
2.1 The DPC received 5,828 valid data breach notifications in 2022, a decrease of 12% on 2021 figures. A total of 5,695 valid GDPR breaches were recorded, representing a 13% decrease on 2021 figures overall.
2.2 Similar to 2021, public sector bodies and banks accounted for the “top ten” organizations in terms of the highest number of breach notifications recorded against them, with insurance and telecom companies featuring prominently in the top twenty.
2.3 With financial institutions, repeated instances of poor operational practices and human error were observed, including inserting wrong documents into envelopes addressed to an unrelated third party, and lack of caution with autofill options on email address bars leading to emails being sent to incorrect addressees.
2.4 Breach notifications helped the DPC to identify trends, and have led to inquiries into, among others, Bank of Ireland, An Garda Síochána and Limerick City and County Council.
2.5 Top 5 Breach Notifications under the GDPR by Category:
2.6 ePrivacy Breaches:
The DPC received a total of 105 valid data-breach notifications in 2022 (an increase of 176% on 2021 figures) under the ePrivacy Regulations (which predominantly cover telecoms operators), which accounted for just under 2% of total valid breach cases notified for the year. As predicted in its 2021 Annual Report, the number of breaches notified to the DPC under the ePrivacy Regulations increased significantly in 2022.
3. INQUIRIES AND CROSS BORDER INQUIRIES
3.1 The DPC concluded 17 large scale inquiries (both national and cross-border) in 2022, against various Big Tech and public bodies. Several of these inquiries led to the imposition of reprimands and corrective actions.
3.2 Some of the more notable fines issued on foot of the conclusion of inquiries in 2022 include:
Entity | Corrective Measures Imposed | Reason | Fine (€) |
---|---|---|---|
Meta (Instagram) | Reprimand re Articles 5(1)(a), 12(1), 35(1), 24(1), 5(1)(c), 25(2), 6(1) and 25(1) GDPR; Orders re Articles 5(1)(a), 12(1), 35(1), 24(1), 5(1)(c), 25(2), 6(1) and 25(1) GDPR | Failure to implement appropriate safeguards in relation to children’s data | 405 million |
Meta (Facebook) | Reprimand re 25(1) and 25(2) GDPR; Order re Art 25(2) GDPR | Data scraping infringements | 265 million |
Meta (Facebook) | Order re Articles 5(1)(a), 12(1), 13(1)(c) and 6(1) GDPR | Incorrect reliance on contract as a legal basis; lack of transparency | 210 million |
Meta (Instagram) | Order re Articles 5(1)(a), 12(1), 13(1)(c) and 6(1) GDPR | Incorrect reliance on contract as a legal basis; lack of transparency | 180 million |
Meta (Facebook) | None | Data breach failures | 17 million |
Bank of Ireland PLC | Reprimand re Articles 33, 34 and 32 GDPR; Orders re Article 32 GDPR | Unauthorized disclosure of personal data to the Central Credit Register | 463,00 |
3.3 Ongoing Inquiries:
As of 31 December 2022, the DPC had 88 statutory inquiries ongoing, including 22 large-scale cross-border inquiries.
3.4 Ongoing National Inquiries:
The Annual Report outlines several ongoing inquiries in the national context that were at the draft decision stage by the end of 2022. Some notable parties concerned included Permanent TSB, the Department of Social Protection, the Catholic Church (Archbishop of Dublin), the Department of Health and Bank of Ireland plc.
3.5 Ongoing Cross-Border Inquiries:
(a) The DPC received 125 valid cross-border complaints as Lead Supervisory Authority and concluded 246 cross-border complaints during the year. They also received 12 cross-border complaints as a Concerned Supervisory Authority and concluded 20 of such complaints.
(b) As of 31 December 2022, 4 DPC draft decisions in large-scale inquiries involving companies such as TikTok, Airbnb and Meta were in the EU co-decision-making process (Article 60 GDPR).
(c) The DPC had, by 31 December 2022, progressed 9 large-scale inquiries to the point where submissions on a draft decision, statement of issues or inquiry reports were invited from the relevant parties.
(d) The DPC also received 38 breach notifications in relation to the Law Enforcement Directive (Directive (EU) 2016/680). They also concluded 58 LED complaints during the year.
4. OTHER AREAS OF FOCUS
4.1 Consultation and Engagement
(a) As part of the GDPR’s cooperation mechanism, the DPC engaged on a continuous basis with the EDPB and other supervisory authorities. In 2022, the DPC contributed to over 300 EDPB meetings, continued to have representation on all EDPB subgroups, and became a founding member of Ireland’s first Digital Regulators Group. DPC employees also presented at 88 events, contributed to over 30 pieces of proposed legislation and received 322 consultation requests from a variety of stakeholders.
(b) The most notable engagements included engagement with TikTok on their legal basis for providing personalized advertising and with KBC Bank and Bank of Ireland generally on the migration of most of the KBC customer database of mortgage holders to Bank of Ireland.
(c) The DPC continued their commitment to keeping abreast of the most up-to-date data developments by updating 11 pieces of existing guidance and producing seven pieces of substantial new guidance (including three specifically tailored towards children).
4.2 Supervision and Direct Intervention
(a) The DPC received 322 consultation requests in 2022, across various sectors. Matters prioritized by the DPC for direct intervention in 2022 included Census data collection practices, excessive data collection in the residential property sector, CCTV in cinemas, school toilets, fast food outlets, nursing homes and medical centers, and remote access to CCTV as a substitute for onsite workplace supervision.
4.3 Fines, Funding and Procedural Difficulties with the One Stop Shop (“OSS”) Mechanism:
(a) Dublin Circuit Court confirmed six of the DPC’s imposed fines, ranging from 1,500 to 17 million euro. The DPC expressed frustration with the procedural delays inherent in the GDPR and EDPB appeals systems in their current forms.
(b) The DPC received €23.234M in budget for 2022, which represents a 21.5% increase on 2021. They also increased their staff numbers by 51 (to 196).
5. LOOKING FORWARD TO 2023
5.1 The Annual Report outlines that the DPC will continue to focus on the protection of the data protection rights of vulnerable people in society in 2023, such as the elderly, homeless and children. While expressing satisfaction at the work done in 2022, they noted there is a litany of potential challenges to come, centering around the lack of clarity in the interpretation of key GDPR principles, the low levels of compensation awarded for GDPR breaches at EU level, and the potential regulatory and enforcement issues set to come to the fore with the commencement of the DMA and DSA.
Article provided by INPLP member: Rob Corbet (Arthur Cox LLP, Ireland)
Dr. Tobias Höllwarth (Managing Director INPLP)