Data Breaches and complaints up over 70% - key findings of DPC Annual Report

The Data Protection Commission (“DPC”) has published its first Annual Report for the first full calendar year of General Data Protection Regulation (“GDPR”), describing data protection as having now become an "established fixture of public consciousness". This is clear when we consider some of the key findings set out below. There have also been widely publicised EU developments in 2019 such as the Court of Justice of the European Union’s decisions in Fashion ID and Planet49 which concerned the use of cookies and similar technologies on a selection of websites across a range of sectors.

Key findings

• The DPC recorded a total of 7,215 complaints in 2019, a 75% increase on 2018. A large percentage of these complaints fell into the categories of Access Request, Disclosure and Fair Processing. 
• A total of 6,069 valid data breaches were received over the course of 2019, representing a 71% increase on 2018. Unauthorised disclosures represent the highest classification of notified breaches across all sectors, representing 83% of all breaches. 
• The DPC is working on 70 statutory inquiries, including 21 relating to multinational technology companies. One such inquiry is into Facebook their compliance with the right of access and into the lawful basis for processing in their Terms of Service and Data Policy. 
• The DPC detailed its findings in respect of its investigation into the processing of personal data carried by the Department of Employment Affairs and Social Protection in relation to the Public Services Card in 2019. In its findings there was a focus on the legal basis on which personal data is processed and whether there was sufficient transparency when providing this information to data subjects.
• A wide-ranging consultation was carried out by the DPC of the processing of children's personal data and of the rights of children as data subjects under GDPR. The feedback provided reflected the need for greater simplicity, accessibility and transparency in how children’s personal data is processed. It also highlighted the need for age verification gates on digital platforms.  
• The DPC received 712 Data Protection Officer notifications through a new online web-form on the DPC website.

What next

The DPC has identified emerging trends and topics of interest from 2019 including the use of CCTV, exam information and HR/employment disputes. The DPC has also committed to the publishing of guidance on children's data protection rights and the processing of children’s data, with a child-friendly guide for children on their rights and risks. In addition, the DPC is expected to publish guidance on cookies and other technologies which will take account of the judgments in Planet49 and Fashion ID.     

Further developments on the Public Services Card dispute which is currently before the courts, ongoing statutory inquiries into tech companies and possible fines, and guidance on the processing of children’s data are keenly awaited in 2020.

For further information or advice, please contact Seán O'Donnell, John Anthony Devlin, Hazel McMullan, or any member of the ByrneWallace Data Protection/GDPR Team.