GDPR Enforcement: The Use of Reprimands by the Data Protection Commission
Supervisory authorities such as the Data Protection Commission can issue a variety of corrective measures to an offending organisation where it determines that a breach of data protection legislation has occurred.
While administrative fines are the landmark corrective measure levied against organisations for serious data protection breaches, DPC decisions have shown that reprimands are a sanction frequently imposed on organisations, but which are not often discussed in detail.
Reprimands under Irish Law
A reprimand is a written statement of disapproval stating that the regulator believes an organisation has not complied with its regulatory obligations. Under data protection legislation, a reprimand serves to formally recognise the serious nature of data protection breaches and to ensure that remedial action is taken.
Reprimands are widely available to Irish regulators as a corrective measure. For example:
- The Central Bank of Ireland (“CBI”): Under Part IIIC of the Central Bank Act 1942 (as amended), the CBI has the power to issue a caution or reprimand as one of many sanctions following the investigation of breaches by financial service providers or persons formally or presently involved in the management of financial service providers.
- Judicial Conduct Committee: The Judicial Conduct Committee has a duty to consider complaints made to it regarding judicial misconduct with a reprimand being a key sanction set down in the legislation.
Notably, more recently established regulatory authorities such as the Media Commission, the Digital Services Coordinator under the DSA or the Gambling Regulatory Authority of Ireland do not have a power to issue reprimands, with a focus instead on administrative fines and financial penalties.
Reprimands under GDPR
Article 58(2)(b) of the GDPR and section 111 of the Data Protection Act 2018 provide that a supervisory authority shall have the power to “issue reprimands to a controller or processor where processing operations have infringed provisions of this Regulation”.
As with all corrective measures under the GDPR, Recital 129 states that a reprimand can only be imposed where it is “appropriate, necessary, and proportionate to ensure compliance with the Regulation, taking into account the circumstances of each individual case”. Data protection bodies must also be cognisant of procedural safeguards under national and EU law, the right of the controller or processor to be heard and that superfluous costs and excessive inconveniences are not imposed on the controller or processor concerned.
The use of reprimands by the Irish Data Protection Commission
The DPC regularly relies on Recital 148 to the GDPR when issuing reprimands as a corrective measure. Recital 148 requires supervisory authorities to impose penalties for GDPR infringements in addition to, or instead of, appropriate measures under the GDPR to strengthen enforcement. It also acknowledges that, depending on the circumstances of each case and appropriate procedural safeguards, a reprimand may be the more appropriate sanction for minor infringements or where a fine is likely to impose a disproportionate burden on a natural person. In a recent decision, the DPC interpreted this to mean that in such circumstances, Recital 148 envisages the “discretionary imposition” of a reprimand instead of an administrative fine and “does not in any way vitiate the use of a reprimand where an administrative fine is to be imposed”.
While the DPC has taken the view that corrective measures help deter non-compliance with the GDPR, reprimands alone have been viewed as lacking “real efficacy in terms of its punitive and deterrent effect”. While there has been a trend for reprimands to be imposed in addition to administrative fines and orders for compliance, the DPC reiterated in its Strategy Report for 2022 to 2027 that while “hard enforcement” options such as penalties and sanctions are at the disposal of the regulator, the role of the regulator stretches beyond this. It emphasised the importance of extensive engagement with organisations to drive societal change towards data protection compliance by using all enforcement powers available to it.
A recent decision from May 2022 is illustrative in this regard as it involved the DPC issuing the controller with a reprimand as the only corrective measure. The DPC took the view that a reprimand in this case was appropriate, necessary and proportionate to ensure compliance without the imposition of a fine, would act to formally recognise the nature of the infringements and emphasise the need for the controller to take all relevant steps to ensure future compliance with the GDPR.
The use of reprimands by other European Data Protection Supervisory Authorities
Reprimands are the most common form of sanction imposed by European supervisory authorities in addition to fines.
The EDPB Annual Report for 2021 shows that supervisory authorities in the EU impose reprimands frequently. European supervisory authorities have embraced the full suite of corrective measures available to them including orders to delete and warnings where processing activities have the potential to infringe data protection legislation.
The approach taken by European supervisory authorities is largely in line with the approach of the DPC where reprimands are issued in concert with other corrective measures. In 2021, there were only three instances – in Sweden, Malta and Belgium – where a reprimand was issued as a compliance tool without an additional corrective measure.
The use of reprimands by the UK’s Information Commissioner’s Office (ICO)
Since 2021, the ICO has increased its use of reprimands as a corrective measure and in December 2022, it began to publish all reprimands, unless there is a particular reason not to. There is a high threshold for non-publication, which includes matters of national security or where publication could jeopardise an on-going investigation. This approach forms part of the ICO’s new strategic approach to regulatory action.
John Edwards, UK Information Commissioner, has stated that the publication of reprimands aims to increase accountability, enable the wider economy to learn from the infringements of others and provide certainty as to what the law requires from data controllers and processors.
In its Strategy Report 2022-2027, the DPC has committed to applying the “full suite” of corrective measures to regulate effectively in a rapidly evolving sector. We anticipate that the DPC will continue to use non-financial corrective measures such as reprimands both as a standalone measure and in combination with other measures to drive compliance with the GDPR.
The authors would like to thank Laura Dunne for her contribution to this article.