Data Protection Commission publishes Annual Report for 2022
Locations
"poor operational practices"
Public sector bodies and banks account for the top ten organisations for the number of breach notifications against them with correspondence issuing to incorrect recipients accounting for a significant portion of breach notifications. This continues a trend from previous years. The Report notes that poor operational practices contribute to many of these incidents. Any organisations experiencing such incidents on a regular basis should take a proactive approach and review internal practices in order to limit the scope for breaches to occur. The Report notes that while human error will remain as a major risk to Data Controllers, operational practices can and should be updated to limit the number of breaches occurring in an organisation.
European Union (Electronic Communications Code) Regulations 2022
The Report discusses the introduction of the European Union (Electronic Communications Code) Regulations 2022 which amended a number of definitions, including that of "electronic communications service". This has resulted in a wider range of service providers falling within the scope of personal data breach notification requirements.
Large-Scale Inquiries
The DPC concluded 17 Large-Scale Inquiries in 2022 with 88 Statutory Inquiries ongoing as of 31 December 2022. This included 22 Large-Scale Cross-Border Inquiries. The One-Stop-Shop mechanism allows organisations to be subject to one Data Protection Authority dependent on where the organisation has a "main establishment", removing the burden of being subject to multiple DPAs across each member state and streamlining engagement with the relevant DPA. The Report outlines how a number of these Cross-Border Inquiries were concluded in 2022, with significant fines imposed, the largest of which was €405 million against Instagram.
Compensation Cases
The Commissioner's Foreword notes that compensation cases in the EU follow trends seen in previous years with conservative awards being the height of the compensation awarded where cases have progressed to hearing across a number of Member States. The first compensation case to go to hearing in Ireland resulted in a finding that proof of more than minimal loss was necessary with no evidence of any actual loss suffered by the claimants. An email containing the names and addresses of the claimants inadvertently being issued to some 212 other SIPTU members was deemed not to satisfy this threshold.
Supervisory Role
The DPC also performs a supervisory role, engaging with public and private sector organisations, policy makers and legislators. The Report highlights the benefits of this for both parties involved in any consultation, noting that it "enables the DPC to understand the ways in which personal data are being processed by data controllers and processors, and enables the DPC to proactively identify … data protection concerns" as well as promoting organisational awareness of compliance obligations and potential problems in advance of data processing activities taking place. The DPC provided observations and input on over 30 pieces of proposed legislation in 2022 and received 322 consultation requests.
Data Protection for Children
Protection of children's personal data is a key strategic goal of the DPC. In 2022 the DPC published three short guides aimed at children to introduce them to and provide them with information on their data protection rights. The DPC was also involved in the euCONSENT project which is an EU initiative to create a framework for age verification and parental consent tools in order to increase the protection of children online.
Data Protection Officers
The Annual Report highlighted the importance of Data Protection Officers and the need for Data Controllers to designate a data protection officer and notify the DPC of their contact details in compliance with Article 37 of the GDPR. All data controllers and processors should ensure to comply with this requirement with the DPC actively conducting Inquiries into instances of non-compliance. One Inquiry detailed in the Annual Report illustrated that a lack of intent to breach this requirement will not deter the DPC from reprimanding an organisation.
The workload for the DPC shows no signs of slowing down in 2023 with a particularly noteworthy development ahead being the introduction of regulators of digital platforms via the Online Safety and Media Regulation Act 2022.
Our Technology team is available to discuss any queries.
This article is for general guidance only and not intended as professional advice. Advice should always be taken before acting on any of the issues identified.
Written by: Craig Farrar and Rory Ferguson