Data Protection Commissioner’s Report
The Data Protection Commissioner published the 25th Annual Report on 12 May 2014. The Report is the final report of the current Commissioner, Mr. Billy Hawkes, who is due to retire in August 2014 after a very active 8 year term. As usual, the Report provides an insight into the priority areas that are being actively pursued by the Office of the DPC while also highlighting some interesting trends.
Complaints about Data Access Requests
While the overall number of complaints to the DPC is declining (910 complaints in 2013 as against 1,349 in 2012), the number of complaints relating to data access requests has continued to increase. There were 517 individual complaints (57%) relating to access requests last year. The Report encourages data controllers to positively deal with customers who exercise their right of access, a challenge for those companies who are struggling to deal with the high volume of data access requests they are receiving.
Data Breach Notifications
1,507 valid data breach notifications were recorded by the ODPC in 2013. A number of these notifications concerned data subjects from other countries. These notifications came from: (a) technology corporations who have established a base in Ireland, such as Adobe Software Systems Ireland and Facebook Ireland, and (b) national businesses who are offering international services. The Commissioner revealed that this development has changed the nature of investigations and resulted in the ODPC working more closely with other national data protection authorities.
The Report revealed there were 204 complaints about unsolicited marketing communications, a similar figure to recent years. The ODPC successfully criminally prosecuted a number of companies for unsolicited marketing offences during 2013. In recent years, the ODPC has followed a “two strikes” policy whereby it will exercise its prosecution powers under the ePrivacy Regulations (S.I. 336 of 2011) where a company has previously been the subject of a similar marketing complaint.
The Report noted that there has been slow legislative progress in enacting a European Union General Data Protection Regulation which would introduce a “one-stop-shop” arrangement for oversight of multinational companies. Elsewhere, Commission Regulation 611 of 2013 came into effect across the EU on the 25th August 2013, although this will principally impact telecoms and communications providers. The Commissioner also stressed the need for proportionality and safeguards in the area of data retention legislation in light of the recent decision of the Court of Justice of the European Union to invalidate the Data Retention Directive.
The Commissioner revealed that audits of State organisations have illustrated “a scant regard by senior management within State organisations to their duty to safeguard the personal data entrusted to them”. In relation to an audit of An Garda Siochana (“AGS”), the Report noted that overall AGS operated in compliance with data protection law. However, the Commissioner was concerned with instances of improper access by individual AGS members to records and the use of fingerprint data. The Report recommended that AGS should have a dedicated data protection unit.
The Commissioner also revealed that information-rich multinational companies that have chosen Ireland as a base for providing international services will continue to be a priority for audit. The result of an audit of LinkedIn-Ireland is expected to be finalised in 2014.
Cookie Compliance Sweep
The Report outlined new guidance produced by the ODPC to assist organisations whose websites deploy cookies to achieve a minimum standard of compliance with the ePrivacy Regulations. The steps include prominent notification that cookies were being used and a link on the organisation’s website to a comprehensive statement on cookies, including a listing of each of the types of cookies being dropped.
The Report includes a detailed consideration of the use of CCTV. While the focus of the review related to the controversy around CCTV cameras in crèches, the principles will be of interest to all employers who work in a CCTV environment. The Commissioner takes the view that CCTV cameras in crèches may be used legitimately under the Data Protection Acts for “security related purposes at the perimeter of such a facility but that any use beyond this would need to be fully justifiable”. Normally therefore, CCTV cameras could not be used to monitor the quality of staff.
National Postcode System
The ODPC was consulted by the Department of Communications, Energy and Natural Resources in relation to a unique seven-character postcode to be allocated to every home in the country in 2015. The Report echoed previous concerns that a public database linking a code to a single unit residential address could be considered as personal data of the occupants of that dwelling. It further warned that through the use of modern technology and “big data”, a public database of postcodes could be easily assimilated into a range of electronic devices which could then be used for a range of purposes, such as State services and commercial exploitation.
Looking back on the nine annual reports during Mr. Hawkes’ tenure, there are some interesting trends. The number of overall complaints is generally higher: 300 complaints were received in 2005 compared with 910 in 2013. Some of the categories have remained consistent, with complaints about direct marketing emails and phone calls popular throughout the Commissioner’s tenure. However, the nature of complaints has evolved from mainly local issues to complaints about Irish companies, international companies and the State sector. This has also led to an increase in complaints concerning data subjects in other countries, the most high profile of which have related to Facebook and complaints emanating from an organisation styling itself as “Europe v Facebook”.