Practical Learnings from the DPC’s Annual Report 2020
The Data Protection Commission (DPC) published its Annual Report for 2020 on 25 February 2021. We look at some key takeaways from the Annual Report below.
Data Subject Complaints
In 2020, the DPC received 4,660 complaints from individuals under the GDPR and 60% (2,186) of these were resolved within the year. The top five categories of complaints received related to:
| Nature of the complaint | Number | % |
| --- | --- | --- |
| Access request | 1683 | 27% |
| Fair processing | 1623 | 26% |
| Disclosure | 793 | 12% |
| Direct marketing | 429 | 7% |
| Right to erasure | 423 | 7% |
A deeper dive into the commentary and case studies reveals some interesting insights behind the statistics.
In relation to the most common complaint, access requests, the Annual Report explains the parameters of the right granted by Article 15 GDPR and the relevant exemptions which restrict the right of access. Where a controller has invoked an exemption to justify its refusal to provide personal data in response to an access request the DPC will closely examine the validity of the exemption(s). For example, where legal privilege is asserted as the reason why certain records are not being provided to a data subject, this will not be simply accepted by the DPC. Rather the DPC will assess the privilege status of the records by requiring “considerable information” from the controller, including a narrative of each document. If litigation privilege is invoked, the DPC will seek to understand if and when litigation was reasonably contemplated.
In the case of a hospital where staff statements were withheld from a data subject on the basis of litigation privilege, the DPC requested sight of the documents on a voluntary basis. Having reviewed the documents, the DPC was not satisfied that litigation privilege applied in circumstances where the staff statements had been prepared for the dominant purpose of an internal review and no litigation had commenced or been threatened at the date of the creation of those statements. The DPC directed the previously withheld documentation be released to the data subject in response to the access request.
Failure to action or respond to an access request will also be closely scrutinised by the DPC. In the case of a controller who no longer held personal data about a data subject, the DPC found a contravention of Article 12(3) where the controller failed to respond to the access request within the one-month timeframe and to provide information on the action it had taken. So even if a controller has no records to provide in response to an access request, it is clear that the controller should still respond to the data subject, confirming that it has taken action and that there are no records.
More generally, the Annual Report emphasises the benefits of complaints being resolved early between the controller and data subject so as to avoid resource-intensive mediation by the DPC. There is also a clear preference for amicable resolution of complaints handled by the DPC via the amicable resolution process in Section 109 of the Data Protection Act 2018. Interestingly, the two examples given of instances where the complainant refused to accept the proposed amicable resolution arose in the cross-border context. This meant the complaints had to proceed through the “particularly involved, complex and time consuming” Article 60 process. This process is particularly arduous for complainants since the views of other concerned supervisory authorities across the EU must be taken into account and carefully considered.
In a case involving Groupon, a Polish data subject submitted a complaint relating to the company’s practice of requiring a copy of government issued ID to verify an erasure request in circumstances where an ID was not required to set up a Groupon account. Although this blanket ID policy was subsequently discontinued, the complainant refused Groupon’s proposal. The complaint proceeded through the Article 60 process and was finally resolved some seven months later. The other cross-border complaint was made by a UK data subject on foot of a delay by Ryanair to appropriately process their access request which resulted in responsive records being deleted. The call recording at issue had been deleted after 90 days in accordance with Ryanair’s retention and deletion practices. Since the data subject was unwilling to accept Ryanair’s proposal, the complaint continued through the Article 60 process with the result that it was not resolved until six months later.
In addition to Article 60 being a cumbersome and time consuming process to resolve individual complaints, it is interesting to note that in each of the case studies where the complaint proceeded to Article 60, relevant and reasoned objections were received to the DPC’s draft decision. Conversely in the Cardmarket case study where the DPC was a concerned supervisory authority and not the lead authority, the DPC was satisfied with the Berlin data protection authority's decision and did not raise clarifications or requests for amendments.
Inquiries and Decisions
The DPC continued to pursue a number of large scale statutory inquiries during 2020. Highlights include the fine against Twitter International Company for €450,000 which is described as the first ‘big tech’ decision on which all EU supervisory authorities were consulted. The DPC also had a number of domestic inquiries including against TUSLA which resulted in the first fines levied under GDPR by the DPC.
At the end of December 2020, the DPC had 83 open statutory inquiries, 27 of which were cross-border inquiries. This compares with 70 statutory inquiries including 21 cross-border inquiries at the end of December 2019. We can therefore expect 2021 to hold a significant number of decisions by the DPC in store. As noted in Data Protection Commissioner Helen Dixon’s foreword, this pipeline will continue to yield detailed decisions which will assist organisations in understanding how the law applies.
Cookies
Following a sweep of 40 organisations’ compliance with the cookies rules, in April 2020 the DPC published its findings together with a Guidance Note on Cookies and other tracking technologies. See our related article here. The Guidance Note indicated that a six month grace period would be given for organisations to bring their cookies practices into compliance. Over November and December 2020, the DPC wrote to 20 organisations about cookies non-compliance issues on their websites and warning of the DPC’s intention to issue an Enforcement Notice if these issues were not addressed within 14 days. While these letters were effective in bringing many of the recipient organisations into compliance, seven organisations did not take any action. Pursuant to Regulation 17(4) of the Irish ePrivacy Regulations (S.I. 336/2011), the DPC served Enforcement Notices on 21 December 2020 to these seven organisations. The Enforcement Notices were issued for infringements of Regulation 5, including failure to obtain valid consent for the use of cookies and for failing to provide clear and comprehensive information about the use of cookies on the websites concerned. It is clear from the commentary in the Annual Report that cookie-related investigations and enforcement will continue to be a key element of the DPC’s activities in 2021.
Main Establishment
For companies seeking to organise their main establishment in Ireland for the purposes of the One-Stop-Shop, the Annual Report contains some helpful guidance on the key issues which the DPC will consider. In particular:
- Where are decisions about the purposes and means of the processing given final ‘sign off’?
- Where are decisions about business activities that involve data processing made?
- Where does the power to have decisions implemented effectively lie?
- Where is the Director or Directors with overall management responsibility for the cross border processing located?
- Where is the controller or processor registered as a company, if in a single territory?
Children’s Policy
Special projects undertaken by the DPC in 2020 included the publication of the draft guidance “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing”. The ‘Fundamentals’ addresses core data protection issues for children. These include concerns such as the age at which children can exercise their own data protection rights, the role of parents/guardians in acting on behalf of their children, age verification, and verification of parental consent. Other issues relate to the rules governing the processing of children’s personal data for direct marketing and advertising purposes. The DPC is conducting a public consultation on the draft guidance and submissions are open until 31 March 2021. After taking into account the feedback received, the DPC will publish a finalised version of the Fundamentals which will inform the DPC’s enforcement, supervision and regulatory activities in this space.
Going forward into 2021
In summary, 2020 was a busy year for the DPC with many firsts, including its first administrative fine under the GDPR and its first major cross border enforcement decision. With increased funding and an expanding workforce, we expect a significant number of decisions and enforcement actions in 2021.
For more information please contact a member of our Technology team.