GDPR ONE YEAR ON – AN IRISH PERSPECTIVE

Contact: Laura Myles, Flynn O'Driscoll
Posted Jun 3, 2019

25th May 2019 marked the first anniversary of [General Data Protection Regulation (EU) 2016/679] (the “GDPR”).   The GDPR governs the processing of personal data of EU data subjects.  It modernised and sought to harmonise the collection of previous data protection laws in Europe in a way which enhances a data subject’s rights and at the same time emphasises transparency, security and accountability.  It brought with it, however, greater obligations on controllers and processors of personal data, together with the potential for significant administrative fines in the event of non-compliance.

With so many internet giants established in Ireland, not surprisingly perhaps, there is a focus on the Irish supervisory authority, the Data Protection Commission (the “DPC”), and its investigative and enforcement activities.

As at the date of this publication, there have been no administrative fines imposed by the DPC under the GDPR.  That said, however, the DPC has opened inquiries into the data processing activities of companies such as Facebook, Apple, Twitter, LinkedIn, WhatsApp and Instagram.[1]

On 22nd May 2019, the DPC announced that it commenced a statutory inquiry pursuant to section 110 of the Data Protection Act 2018 in Ireland in respect of Google Ireland Limited’s processing of personal data in the context of its online Ad Exchange.[2] This arose from of the DPC’s examination of compliance in relation to personalised online advertising and a number of related submissions made to the DPC, including those made by Dr. Johnny Ryan of Brave, in this regard. Collectively, 19 statutory enquiries are currently open.

In addition to this, in the last 12 months the DPC reports that:

  • 6,624 complaints were received.
  • 5,818 valid data security breaches were notified.
  • Over 48,000 contacts were received through the DPC’s Information and Assessment Unit.
  • 54 investigations were opened – 35 of which are non cross-border investigations and 19 are cross-border investigations into multinational technology companies and their compliance with the GDPR.
  • 1,206 Data Protection Officer notifications were received.
  • Staffing numbers increased from 85 at the end of 2017 to 137 in May 2019[3] and this is expected to rise to 180 by the end of this year.

One would be forgiven for thinking therefore that resources might be stretched.  That said, the Irish government continues to strongly support and fund the activities and central role of the DPC.  Funding allocated to the DPC for 2019 was increased by €3.5 million to €15.2 million for 2019 and the Irish government has announced the reappointment of Helen Dixon as Commissioner for Data Protection in Ireland for a second term.

While the DPC continues to issue information and guidance, including guidance on matters such as (i) personal data transfers in the event of a “no deal” Brexit with our UK neighbours, (ii) data processing operations that require a data protection impact assessment and importantly (iii) the protection of children’s rights, we anticipate, on foot of this and indeed further guidelines issued by the European Data Protection Board (EDPB),[4] that the data processing activities of online service providers and the protection of children’s rights will continue to be an important focus for the DPC.

The legislative framework currently governing the protection and processing of personal data in Ireland comprises the following:

We also expect new legislation to regulate the sharing of personal data between public bodies[6] in Ireland for certain purposes subject to administrative and technical requirements, e.g., by way of an approved data sharing agreement.

On the date of this publication, the Irish Supreme Court dismissed a bid to block a landmark privacy case concerning the validity of the “standard contractual clauses” (SCCs) from being referred to the Court of Justice of the European Union (CJEU).[7] The SCCs are model data protection clauses previously approved by the European Commission and regularly used to enable the lawful transfer of EU personal data to third countries, i.e., to countries outside the European Economic Area not having an adequacy decision. This could have a huge impact for businesses and data subjects alike on the international transfer of personal data.

We await what’s next in anticipation!

[1] Data Protection Commission Annual Report 25 May – 31 December 2018.

[2] https://dataprotection.ie/en/news-media/press-releases/data-protection-commission-opens-statutory-inquiry-google-ireland-limited

[3] https://dataprotection.ie/en/news-media/press-releases/data-protection-commission-reflects-first-year-gdpr

[4] https://edpb.europa.eu/our-work-tools/public-consultations/2019/guidelines-22019-processing-personal-data-under-article-61b_en

[5] Transposed into Irish law by the Data Protection Act 2018.

[6] The Data Sharing and Governance Act 2019 (passed but not fully commenced as at the date of this publication).

[7]http://www.supremecourt.ie/Judgments.nsf/1b0757edc371032e802572ea0061450e/e50ddd0e6b84212e8025840b003ab4f4?OpenDocument