Empty Link Skip to Content

DPC Publishes Annual Report for 2023

The Data Protection Commission ("DPC") recently published its Annual Report for 2023. The Report sets out the breadth of work undertaken by the DPC over the past year. 2023 saw a significant increase in complaints dealt with by the DPC, with record fines issued and corrective orders imposed following cross-border and national inquiries. In addition, there were a large number of data protection-related judgments from the Court of Justice of the European Union ("CJEU").

The Report notes that the DPC intends to closely monitor developments in artificial intelligence (“AI”) in 2024, and engage with the EDPB (including its ChatGPT Taskforce and Technology Expert Subgroup) to exchange information and inform the discussion on AI and Generative AI processing, with a view to establishing a consensus amongst EU regulators regarding compliance and best practice under the GDPR. The DPC views it as incumbent on creators of AI systems to ensure that the information regarding users’ personal data is accessible, clear and easy to understand.

In this article, we consider some of the key highlights of the Report.

Complaints

Trends

In 2023, the top five complaints continued to concern: access requests (39%); the right to erasure (14%); fair processing (13%); direct marketing (12%) and unauthorised disclosure (5%).

A key theme of the Report is the increased number of new cases (i.e. queries and complaints) received from individuals, which is up 20% from 2022 (to 11,200 cases). 2,600 of these cases progressed to the formal complaint-handling process, including 230 electronic direct marketing complaints.

In particular, the DPC received 43 complaints relating to alleged personal data breaches which were not notified to the DPC in line with Article 33 GDPR.

Amicable Resolution

The Report highlights that as part of the complaint handling process, the Data Protection Act 2018 requires the DPC to consider whether a complaint can be amicably resolved within a reasonable period. In the DPC's experience a high proportion of complaints are amenable to amicable resolution in a timely fashion. The most common complaints resolved in this manner relate to data controllers not responding to access requests, or failing to adequately meet their GDPR obligations in respect of customers. By the end of 2023, the DPC had received 1,014 new access complaints, and concluded 1,120.

The Report notes that in accordance with section 109 of the Data Protection Act 2018, the DPC may take such actions as it considers appropriate in relation to a complaint, such as rejecting or dismissing a complaint, issuing an enforcement notice, or commencing a complaint-based inquiry. 2023 saw an addition to section 109 of the Data Protection Act 2018, allowing the DPC to issue reprimands outside of the statutory inquiry process (due to insertion of s.109(5)(da) by the Courts and Civil Law (Miscellaneous Provisions) Act 2023).

In 2023, the DPC concluded 3,218 cases through the amicable resolution process or by utilising the actions specified in section 109 of the Data Protection Act 2018.

Enforcement

The DPC frequently utilises its enforcement powers where the data controller fails to comply with its GDPR obligations and does not engage with either the individual complainant or the DPC. In 2023, the DPC issued three enforcement notices to a GP and organisations associated with a hotel for non-compliance with an access request.

Data Breach Notification

Breach notifications to the DPC increased by 20% in 2023. The DPC received 6,991 valid breach notifications, in contrast to 5,828 breaches notified in 2022. Of those breach notifications received in 2023, 92% were concluded by year end. Despite the continuous rise in cybercrime, the most frequent cause of the breaches reported to the DPC was human error, in particular, correspondence inadvertently being misdirected to the wrong recipients (52% of the overall total).

Of the total 6,991 breach notifications received by the DPC in 2023, 3,766 (55%) related to the private sector; 2,968 (43%) to the public sector; and the remaining 257 (2%) came from the voluntary and charity sector.

In line with the trend of previous years, public sector bodies and banks accounted for the 'top ten' organisations with the highest number of breach notifications recorded against them, with insurance and telecom companies featuring prominently in the top twenty.

The DPC received a total of 146 valid data breach notifications (up 42% from 2022) under the ePrivacy Regulations 2011. This figure accounts for just over 2% of the total valid breach cases notified to the DPC in 2023.

Enforcement and Fines

In 2023, the DPC concluded 19 statutory inquiries, resulting in fines totalling €1.55 billion. In addition, the DPC submitted, through the Article 60 one-stop-shop mechanism, 229 notifications of amicable resolutions achieved in cross-border complaints.

Domestic Inquiries – Concluded in 2023

The DPC concluded six domestic inquiries and imposed reprimands, compliance orders, processing bans and/or fines ranging from €22,500 to €750,000 for infringements of the GDPR. In particular, the DPC exercised its corrective powers in respect of the following organisations: Kildare County Council (€50,000 and temporary ban); Centric Health (€460,000 and reprimand); Bank of Ireland (€750,000, reprimand and compliance order); Archbishop of Dublin (compliance order); Department of Health (€22,500, reprimand and ban); and Galway Country Council (temporary ban; compliance order and reprimand).

Domestic Inquiries – Draft Decisions issued in 2023

The Report outlines eight draft decisions which the DPC issued in 2023 concerning a number of domestic organisations. For example, it refers to the DPC’s own-volition inquiry into the Central Bank of Ireland (“CBI”), following a notified data breach affecting the Central Credit Register and associated processing by the CBI. The inquiry is examining the technical and organisational security measures implemented by the CBI to ensure the security and accuracy of personal data it processes.

Cross Border Inquiries – Concluded in 2023  

The DPC further concluded a number of cross-border inquiries and imposed reprimands, compliance orders, processing bans and/or fines ranging from €5.5 million to €1.2 billion for infringements of the GDPR. In particular, the DPC exercised its corrective powers in respect of the following organisations: WhatsApp Ireland Ltd (€5.5 million and compliance order); Airbnb Ireland UC (reprimands and compliance orders in respect of 5 inquiries); Meta (€1.2 billion, suspension order and compliance order); TikTok (€345 million, reprimand and compliance order), and Microsoft (reprimand and compliance order).

As of 31 December 2023, the DPC had 89 statutory inquiries on-hand, including 51 cross-border inquiries. Several large-scale inquiries concluded with the DPC delivering 87% of all GDPR enforcement fines across the EU (as measured by monetary fines). In particular, in May 2023, the DPC issued the highest fine to date by any EU data protection authority, namely a €1.2 billion fine on Meta, along with an order suspending Meta's transfers of personal data from the EU to the US. But for the subsequent adoption by the European Commission of its adequacy decision for the EU-US Data Privacy Framework in July 2023, the DPC's decision had the potential to cause significant disruption to the business operations of thousands of companies, who regularly transfer personal data from the EU to the US. In addition, the DPC imposed a significant fine of €345 million on TikTok following its investigation into its processing of personal data relating to child users of the TikTok platform.

The Report notes how these fines have led to the companies concerned bringing multiple concurrent sets of legal proceedings before the Irish High Court and the European Courts challenging the DPC's decisions, and the process by which they were concluded.

Cross-Border Inquiries – Ongoing

The Report contains details of a number of ongoing cross-border inquiries, including in relation to Google's compliance with its transparency and lawful basis obligations in regard to its processing of location data. In addition, the DPC is examining Yahoo's compliance with its transparency obligations to data subjects; TikTok's compliance with its data transfer obligations under Chapter V of the GDPR with regard to its EU to China data transfers; and the lawfulness of LinkedIn's processing of user data for behavioural advertising purposes.

ePrivacy enforcement

The DPC concluded 237 electronic direct marketing investigations and successfully prosecuted four companies for sending unsolicited marketing communications to individuals without consent under the ePrivacy Regulations. The court imposed convictions and fines totalling €2,000.  

Engagement & Supervision

The Report notes that supervisory engagement with organisations is “an important part of the DPC’s regulatory toolkit as, in addition to supporting organisations and driving compliance, it can highlight data protection concerns and provide an opportunity for the recommendation of remedial actions”.  However, if during such engagement the DPC finds it necessary to take enforcement action against a particular organisation, the DPC may do so. In total, the DPC had 751 supervision engagements during 2023.

Engagement with Tech Companies

The largest number of engagements (391) were with multinational technology companies, which brought about the postponement or revision of four scheduled internet platform projects with implications for the data protection rights and freedoms of individuals.

For example, in late May 2023, Google informed the DPC that it would be releasing Bard (its experimental conversational AI service) in the EU by mid-June 2023. On reviewing the documentation Google provided, the DPC communicated that it had a number of observations regarding the extent of assessments conducted by Google. Following consultation with the DPC, Google delayed the release of Bard in order to implement initial DPC feedback and recommendations. In particular, Google made a number of changes regarding transparency for users prior to the launch, including: Bard Privacy Notice updates; a more prominent warning notice, and additional educational content on Bard and technology.

A further example of DPC engagement with tech companies, was the DPC’s engagement with Meta on its Ray-Ban Smart Glasses. Following feedback from the DPC, Meta announced a new version of the Smart Glasses in 2023. On foot of concerns raised by the DPC, Meta made changes to increase privacy design measures, such as physically increasing the size of the external facing privacy LED light to give effective means of notice that recording of images, video or call recording is occurring. A blinking pattern has also been added to the LED light when recording. These changes help minimise the risk of inconspicuous media capture and address the privacy concerns raised by the DPC.

Finally, the DPC also engaged with several tech companies in relation to how they share personal data with law enforcement and requested detail on the processes and policies they have in place when doing so. The DPC examined, for example, how controllers authenticate requests for user data from law enforcement agencies; how they determine the validity of emergency requests for user data; and how they respect the data minimisation principle when responding to such requests. Whilst many controller have robust and well-considered policies and procedures in place, a number of controllers had room for improvement. The Report notes that these organisations are expected to revert to the DPC during 2024 with detailed feedback on how they have addressed the DPC’s recommendations.

Legislative Consultation

During 2023 the DPC provided input and observations on over 37 pieces of proposed legislation. In particular, the DPC carried out statutory consultation on the Codes of Practice introduced under the Circular Economy and Miscellaneous Provisions Act 2022, which will provide a clear legal basis for Local Authorities to use recording devices such as CCTV and Body-worn Cameras for the prevention, investigation, detection, and prosecution of litter and waste management offences. This will ensure that Local Authorities can deploy these technologies in a targeted and proportionate manner, in compliance with data protection law.

The DPC also engaged in consultation with regard to other proposed legislative measures, some of which has yet to be adopted, such as the Data Protection Act 2018 (Section 38(4) and section 60(6)) Department of Foreign Affairs Regulations 2023.

Review of BCRs

The DPC was lead reviewing supervisory authority (“SA”) in relation to 22 Binding Corporate Rules ("BCR") applications from 14 different companies. Four of those applications were given approval in 2023.  Once the BCR applications are approved, the DPC continues to have a significant oversight role. Each BCR holder is required to submit an annual update of their BCR which requires review by the DPC.

Engagement with fellow Regulators

In 2023, the DPC responded to over 800 GDPR Article 61 Mutual and Voluntary Mutual Requests for assistance from other European Regulators. In addition the DPC continued to be an active member of Ireland's Digital Regulator's Group, along with ComReg, the Competition and Consumer Protection Commission and Coimisiún na Meán (formerly the Broadcasting Authority of Ireland) as part of Ireland’s implementation of recent EU digital legislative developments.

As part of its engagement with Coimisiún na Meán, the DPC submitted a response to its Call for Inputs on Ireland’s first binding Online Safety Code. The DPC’s submission focused on the areas of age assurance and safety by design.

The DPC is also continuing its role as co-rapporteur in the preparation of EDPB guidance on children’s data protection issues.

New DPC Guidance – CCTV, Childrens’ Data and ROPAs

2023 saw a significant increase in the number of queries received relating to the use of CCTV in areas where there is a higher expectation of privacy, such as in restrooms. As a result, the DPC published a detailed update of its CCTV guidance to address these issues and its expectations on the use of CCTV in such areas and wrote to a number of data controllers and sectoral representative bodies to make them aware of these developments. A copy of the Guidance on CCTV for Controllers is available here.

The Report also contains a case study on the use of CCTV. In that case, the DPC requested a copy of the Legitimate Interest Assessment conducted by the restaurant establishing the necessity and proportionality of placing CCTV in a public restroom. The DPC also requested documentary evidence of the alleged repeated anti-social behaviour which the restaurant had said it was in their legitimate business interest to prevent.  As the restaurant was unable to provide such comprehensive assessments or evidence of anti-social behaviour, the DPC instructed the restaurant to switch off the cameras and securely delete all footage stored until a comprehensive assessment demonstrating justification for the CCTV was conducted.

The DPC also engaged with organisations in relation to priority focus areas under the DPC's Regulatory Strategy 2022-2027, including the protection of children's data rights and the rights of vulnerable persons under the DPC. In addition, the DPC published four sets of guidelines specifically tailored towards children, which are available here.

In addition, the DPC published guidance on the obligation of controllers and processors to maintain records of processing activities (“ROPAs”), which we previously discussed here. The Guidance provides welcome advice to organisations on how they should draft their RPPAs, including a list of 'Dos' and 'Don'ts', along with examples of well completed ROPAs, versus a ROPA that contains insufficient detail.

Adult Safeguarding and Data Sharing

The Report notes that Goal 2 of the DPC’s Regulatory Strategy 2022-2027 sets out a commitment to safeguard individuals and promote data protection awareness. In addition to engaging with relevant stakeholders across the public and private sectors, and delivering workshops to raise awareness of data protection issues arising in the context of adult safeguarding, the DPC published a helpful blog post last June 2023. That blog post addresses concerns regarding failure by an organisation to share relevant information with a nursing home about a resident’s criminal convictions, and the risk that they presented to other residents. The DPC confirmed that data protection law (in particular s. 55(1)(v)(iv) of the Data Protection Act 2018) provides for the sharing of personal data in this context, where necessary to prevent serious harm to other people (see DPC blog post here).

Vulnerable Customers

The DPC engaged with several financial institutions and representative bodies regarding concerns raised by individuals that data protection law is being used as a barrier to accessing services. A common concern raised by the deaf or hard-of-hearing community in particular, is difficulties encountered by third parties seeking to contact a service provider on their behalf. The DPC has previously published guidance for organisations advising that data protection law does not prevent them from dealing with a third party representing a vulnerable customer, as long as they have taken reasonable and proportionate steps to ensure compliance with their security and confidentiality obligations.

DPOs

As of the end of 2023, the DPC had been notified of a total of 3,520 Data Protection Officers (“DPOs”) across the private and public sector. In 2023, the DPC participated in the EDPB’s Coordinated Enforcement Framework concerning DPOs. The DPC contacted 100 DPOs across the private, public and non-profit sectors in Ireland, and requested their participation in a questionnaire, with flexibility as to whether it was completed by the DPOs themselves, or the organisation/controller. The DPC’s findings fed into the broader EDPB report. The DPC found three substantive issues of concern in the responses it received to its questionnaire including in respect to: (i) the resources of the DPO; (ii) conflicts of interests in the role of the DPO, and (iii) tasks of the DPO.

The DPC found, in particular, that approximately 33% of respondents did not have the resources sufficient to fulfil the role of a DPO. In addition, approximately 36% of DPOs’ tasks are performed in addition to other tasks, and not as their main task. Furthermore, there was a conflict of interest between their DPO tasks and their main roles. Such conflicting roles included acting as HR officer, Health and Safety Officer, Communications Officer or Employee Engagement Manager. The EDPB DPO report, including the DPC national report, is available here.

In addition, DPOs carry out considerably more tasks with more responsibility than outlined in the GDPR. The DPC notes that some of these tasks are better served by the organisation, not an independent DPO. For example, over 50% of DPOs, as an additional task, stated that they draft DPIAs. Whilst the DPO can play a vital role in carrying out a DPIA by being consulted for advice before or during a DPIA project, it is the controller's task rather than the DPO's task to carry a DPIA when necessary (Article 35(1) GDPR).

Right of Access

The Report confirms that the DPC will be participating in the EDPB’s Coordinated Enforcement Framework concerning controllers’ compliance with the right of access under Article 15 GDPR in 2024.

Litigation

Written Judgments involving the DPC

The Report sets out seven cases involving the DPC. Five of these cases were concluded, whilst two were discontinued.  These cases include, for example, the High Court’s decision in Johnny Ryan v DPC [2023] IEHC 511. In that case, the applicant sought a declaration that the DPC had failed to carry out an investigation of his complaint in accordance with Article 57 GDPR and/or the Data Protection Act 2018. The applicant also sought an order compelling the DPC to proceed to investigate such elements of his complaint in respect of certain data processing operations being carried out by Google Ireland Ltd that were not being included in the (separate) own-volition inquiry commenced by the DPC in respect of processing operations carried out by Google Ireland Ltd. The DPC maintained that there was a clear overlap between the issues raised in the applicant’s complaint, and those being considered by the DPC in the context of its own-volition inquiry, and the DPC was entitled to progress its own-volition inquiry prior to resuming consideration of the applicant’s complaint. Mr Justice Simons, at the High Court, acknowledged the discretion which the GDPR affords to supervisory authorities in respect of the sequencing of investigations and inquiries. Accordingly, he held it was entirely proportionate for the DPC to complete its own-volition inquiry first, before completing its investigation into the applicant’s complaint. The applicant has now appealed to the Court of Appeal.

In another case, Fox v DPC [2023] IEHC 529, the High Court dismissed an appeal against a Circuit Court decision upholding the findings of the DPC in respect of a complaint concerning the National Gallery of Ireland.  The High Court held that the applicant had failed to identify any point of law, and so the High Court had no jurisdiction to hear the appeal. Furthermore, in John Paul Hickey v DPC (31 October 2023, Unreported), the Circuit Court dismissed an appeal against a decision of the DPC on the basis that the applicant had failed to put forward any evidence to establish any error on the part of the DPC, let alone any “serious or significant error”.

Case Studies

The Report contains 30 case-studies which illustrate the regulatory approach taken by the DPC in relation to a range of data protection compliance issues, such as regarding CCTV usage, and compliance with data subjects’ rights, in particular the right of access and erasure. The DPC also highlighted that it keeps a record of complaints received which forms part of any consideration of potential future action against organisations, including the carrying out of an inquiry and the further exercising of formal powers such as reprimands.

Contact Us

If you would like to discuss the Report, or any other related data protection and data privacy matter concerning your business, please do not hesitate to contact any member of our  Technology and Innovation Group

Author: Davinia Brennan
Co-Authors:
Anne-Marie Bohan, Carlo Salizzo, Sarah-Jayne Hanna & Deirdre Crowley