11/03/2021 Briefing

Background

In 2020 the IDPC undertook several own-volition inquiries in respect of personal data breaches that had been reported to it. The IDPC also acted as the lead supervisory authority for a number of inquiries concerning controllers with their main establishment in Ireland. The inquiries addressed a range of data processing activities and examined issues including: the failure of controllers to implement appropriate technical and organisational measures to ensure an appropriate level of security; undue delays in notifying personal data breaches; and violations of the principles relating to the processing of personal data.

Own-volition inquiries and personal data breaches

Following separate own-volition inquiries undertaken in respect of personal data breaches, the IDPC issued three decisions in relation to Tusla (the Irish Child and Family Agency), two decisions in relation to the Health Service Executive (the “HSE”) and a decision relating to University College Dublin. The IDPC’s 2020 annual report notes the “value” of the mandatory requirement to notify certain personal data breaches as it allows the IDPC “to gain insights into the risks around the security and processing of personal data arising on a case-by-case basis” and to “intervene and guide on mitigation measures”.

Acting as lead supervisory authority

The IDPC acted as lead supervisory authority for a number of inquiries involving cross-border processing. In accordance with Article 60 GDPR, the IDPC circulated an initial draft decision to the other supervisory authorities concerned, on which those authorities could submit their opinions. For example, the IDPC followed this process in issuing decisions relating to data subject complaints concerning Groupon International Limited (“Groupon”) and in respect of a decision concerning Twitter International Company’s (“Twitter”) handling of a data breach (discussed in detail here).

The IDPC has publicly noted the complex and time-consuming nature of the Article 60 process. In relation to Groupon, the final decision was issued seven months after the initial draft was circulated to the other supervisory authorities concerned.

The Article 60 process highlights the contrast between the IDPC’s approach to enforcement and the approaches of other supervisory authorities. In this regard, when other supervisory authorities concerned submitted that the IDPC should find that the relevant controller had committed additional infringements that were not included in the IDPC draft decision, the IDPC did not always follow these submissions. For example, in responding to objections in the Twitter case, the IDPC explained that it had exercised its discretion to confine the inquiry to two discrete issues and that the Article 60 process cannot have the effect of challenging the scope of an inquiry.

Compliance orders

A noteworthy trend in the decisions is the inclusion of an order by the IDPC, under Article 58(2)(d) GDPR, that the relevant controller bring its processing into compliance with the GDPR. In considering the nature of the infringements and the processing activities at issue, in a number of cases the IDPC determined that additional technical and organisational measures were necessary to protect the rights and freedoms of data subjects. Such measures varied depending on the processing activities of the organisation, its resources and the sensitivity of the data.

Corrective measures included requirements in relation to training, regularly testing security measures and implementing policies regarding the sending and review of documents containing sensitive personal data. In some cases the IDPC took into account the resources of the relevant controller when setting a deadline for compliance with corrective measures.

The IDPC consistently noted that controllers are under an obligation to continually evaluate the effectiveness of their measures and to ensure an appropriate level of security of personal data. Compliance orders can have a material impact on how a controller collects, uses and shares personal data in its everyday operations. For example, the IDPC ordered that the HSE introduce a standard operating procedure regarding hardcopy documents containing patient data.

Calculating administrative fines

The IDPC has formulated a methodology for calculating an administrative fine. This consists of three steps:

  • Consider the permitted range and locate the infringement on that permitted range;
  • Apply mitigating factors to reduce the fine, where applicable; and
  • Consider whether the fine is “effective, proportionate and dissuasive”.

Considering the permitted range

As the controller in many of these cases was a public body, a cap of €1 million applied to the fine the IDPC could levy. The IDPC consistently noted that the cap is not the starting point for determination of a fine but is relevant to determining the permitted range in accordance with the first step of its fining methodology.

The permitted range is determined by reference to the nature, gravity and duration of each infringement as per Article 83(2)(a) GDPR and any other aggravating factors. In some cases where the decision concerned an infringement of Article 32 (relating to the security of processing) or Article 33 (notification of a personal data breach to a supervisory authority) GDPR, the IDPC noted that such infringements are subject to the lower maximum fine under Article 83(4) GDPR, suggesting that they may be regarded as less serious. However, the IDPC assessed breaches of Article 32 in light of a number of factors, such as the sensitivity of the data processed and the number of personal data breaches that occurred as a result of the failure. Regarding Article 33 GDPR, the IDPC noted that the gravity of such infringements can be serious where they result in a failure on the part of the controller to mitigate the personal data breach, or prevent the supervisory authority from taking enforcement action that could mitigate it.

Mitigating factors

In considering potential mitigating factors, the IDPC took into account any relevant previous infringements by the controller, actions taken to mitigate damage suffered by data subjects and the degree of cooperation of the controller with the IDPC to remedy the infringement and mitigate possible adverse effects. One example of cooperation that resulted in a €25,000 reduction of the fine was the submission of a detailed action plan to remedy the infringement. Separately, the IDPC noted in a number of decisions that a controller’s compliance with its own obligation to notify personal data breaches under Article 33(1) GDPR cannot be considered mitigating in respect of infringements of other Articles of the GDPR.

Effectiveness, proportionality and dissuasiveness

In considering whether a fine is “effective, proportionate and dissuasive”, the IDPC has stated that it must reflect the circumstances of the case being investigated. In making that determination, the IDPC took into account the number of affected data subjects, the severity of the consequences of a personal data breach (where relevant) and any actions the controller has taken or will take to remedy the infringements. In respect of dissuasiveness, the IDPC repeatedly stated that a fine must dissuade both the relevant controller or processor and other controllers or processors carrying out similar processing operations from repeating the conduct concerned.

Issuing reprimands

The IDPC has issued a number of reprimands to formally recognise infringements; in some decisions issuing a reprimand was the only corrective action taken by the IDPC. The IDPC has stated that it considers a reprimand to be of significant value in dissuading any future non-compliance and that a reprimand emphasises the requirement of the controller to take all relevant steps to ensure future compliance with the GDPR.

Conclusion

A review of the decisions suggests certain emerging trends in the IDPC’s approach to enforcement. Understandably, organisations often focus on administrative fines when considering enforcement action under the GDPR. It is clear that the IDPC will also issue reprimands and compliance orders in addition to or instead of imposing administrative fines. Compliance orders in particular can have a significant impact on the everyday operations of a controller. The IDPC’s decisions and the use of compliance orders and reprimands demonstrate an emphasis on establishing and encouraging enhanced and ongoing compliance with the GDPR.

The authors would like to thank Shannon Buckley Barnes for her contribution to this briefing.