Newswire

For Further Information Contact:

ireland@transatlanticlaw.com

Ireland Update: Data Protection Commission 2023 Annual Report: More Complaints, Queries and Record Fines

The Data Protection Commission (“DPC”) published its 2023 Annual Report on 29 May 2024. The report provides insight into the evolving landscape of data protection and privacy, including the DPC’s activities, highlighting significant trends, key enforcement actions and emerging challenges.

Key Enforcement Takeaways:

  • By the end of 2023, the DPC imposed fines totalling €1.55 billion.
  • The DPC had 89 statutory inquiries on-hand during the year, including 51 cross-border inquiries.
  • The DPC received 11,200 new cases from individuals in 2023, representing a 20% increase on 2022. The DPC concluded 11,147 cases in 2023.
  • In 2023, the DPC received 6,991 valid GDPR data breaches. This represented a 20% increase (1,077) on the GDPR breach numbers reported in 2022.
  • The DPC received 156 valid cross-border complaints (as EU/EEA Lead Supervisory Authority). 82.5% of cross-border complaints received since 2018 in which the DPC is Lead Supervisory Authority have been concluded.
  • Several administrative decisions were confirmed by the Circuit Court

Large-scale Cross Border Inquiries

Two major decisions stood out in 2023. In May, the DPC adopted its Final Decision on the lawfulness of transfers of personal data of Meta from the EU/EEA to the USA. The decision imposed a fine of €1.2 billion and ordered Meta to suspend any transfer of personal data to the USA until such time measures become available to make the data transfers compliant. It also ordered Meta to cease the unlawful processing, including storage in the USA, of personal data of EU/EEA users transferred in violation of the GDPR. The Final Decision is understood to be under appeal. 

The TikTok Decision was handed down by the DPC in September 2023 after an inquiry examining the processing of personal data relating to children by the platform. The inquiry concentrated on public-by-default settings, settings associated with the ‘Family Pairing’ feature, transparency information provided to child users, and age verification. The Decision ordered TikTok to bring its processing into compliance and  imposed fines totalling €345 million. The Final Decision is also understood to be under appeal. 

CCTV

2023 also saw an increase in queries on the use of CCTV in areas where there is a higher expectation of privacy. As a result, the DPC published a detailed update of its CCTV guidance and wrote to a number of sectoral representative bodies to ask them to circulate the guidance to their members. Organisations who collect CCTV footage must have a clear justification and lawful basis to do so. Subsequent sharing of that information/ imagery similarly requires a clear lawful basis.

Legislative Consultation 

The DPC’s Annual Report also details its work in other key areas. The report confirms that the DPC provided input and observations on over 37 pieces of legislation, including the Codes of Practice introduced under the Circular Economy and Miscellaneous Provisions Act 2022 which will provide a legal basis for local authorities to use CCTV and body worn cameras for the prevention, investigation, detection and prosecution of waste management offences. All of the DPC’s recommendations were taken on board by the code authors. 

The DPC also engaged in consultation on legislative measures including the Digital Services Bill 2023, the Health Information Bill 2023 and the Planning and Development Bill 2023. 

Children’s Data Protection Rights

The DPC Annual Report also addresses the 2022-2027 Regulatory Strategy, which sets out a commitment to prioritise children’s data rights and the rights of vulnerable persons. The DPC has continued to provide guidance and support to various organisations including concerns arising in the context of schools. On foot of this engagement, the DPC commenced drafting a new ‘Data Protection Toolkit for Schools’ resource, which includes a detailed guidance document, a sample Data Protection Impact Assessment (DPIA) template, a checklist for responding to subject access requests, and tips on what to include in a privacy policy, all of which are tailored to the needs of schools. In early 2023, the DPC also produced four short guides for parents on children’s data protection rights under the GDPR.

Conclusion

While 2024 saw the departure of longstanding Data Protection Commissioner Helen Dixon, the 2023 Annual Report deals with many of the same issues as in previous reports, albeit noting increased enforcement metrics in particular. The current Chairperson of the DPC Des Hogan noted that the remaining Commissioners take over an organisation which values vindicating the rights of the individual through fair and proportionate regulation. Whether that means a further increase in enforcement numbers during 2024 remains to be seen. 

By ByrneWallace, Ireland, a Transatlantic Law International affiliated firm. 

For further information or for any assistance please contact ireland@transatlanticlaw.com.

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 84 Brook Street, London W1K 5EH, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.