GDPR IN NUMBERS – The Irish Perspective

28.06.2019

To mark the occasion of GDPR's first anniversary, findings and statistics tracked from May 2018 to May 2019 concerning awareness, compliance and enforcement of the new rules throughout the EU have been emerging from the European Commission and the Irish data protection supervisory authority ("DPA"). The Irish Data Protection Commission ("DPC") has had a significant role to play in EU privacy oversight and enforcement for several reasons, most notably because some of the world's largest digital and cloud companies have located their European headquarters in Ireland. The DPC's 2018 Annual Report alongside its updated 2019 statistics make for an interesting comparison between Ireland's reaction to the GDPR and that of our EU counterparts.

Awareness 

There has been a charted increase in the level of awareness of the GDPR. 67% of Europeans have now heard of the GDPR with 57% of Europeans aware that there is a DPA responsible for protecting their personal data rights, a 20-percentage point increase since 2015. In Ireland, the GDPR has given rise to a substantial increase in contacts with the DPC over the past twelve months, with over 48,000 contacts received through its Information and Assessment Unit.

As highlighted in Infographic A, 144,376 queries and complaints were lodged throughout the EU, with the most common type of complaint more generally relating to telemarketing, promotional e-mails and video surveillance. The DPC confirms that 6,624 of these complaints were made in Ireland, representing a 150% increase on the total number of complaints (2,642) received in 2017. 

Notifications & Investigations

In total, 89,271 data breach notifications across the EU were lodged. The DPC noted that in the first two months since the implementation of the GDPR it had received 1,184 notifications, more than doubling the average monthly notifications of 230 received each month in 2017. By May 2019, the DPC was notified of 5818 valid data security breaches. This marks a 108% increase in the amount of notifications (2795) under the previous legislative regime.

446 cross-border cases have been initiated by the EU DPAs. In Ireland, 54 investigations have been opened by the DPC, 35 of these being non cross-border investigations. 19 are cross-border investigations into multinational technology companies such as Google, Twitter and LinkedIn and their compliance with the GDPR. In line with this increased work load, staffing numbers within the DPC have increased from 85 at the end of 2017 to a total of 137 in May 2019.

Enforcement

Fines under the GDPR are now being issued by DPAs across as Infographic B outlines e.g.:

  • The German DPA against a social network which failed to secure users' data – €20,000;
  • The Austrian DPA against a sports betting café for unlawful video surveillance – €5,280;
  • The Polish DPA against a data analytics company for failing to inform individuals that data would be processed - €220,000;
  • The Maltese DPA against the Lands Authority for failing to ensure the necessary security for their data processing - €5,000; and
  • The French DPA against Google for lack of consent on ads – €50,000,000. 

Other penalties of note occurred in Norway, Denmark, Portugal, Italy and Greece. Interestingly, the fines imposed by the Portuguese DPA on the Barreiro Hospital were omitted from the European Commission's findings. Two fines were imposed on the Hospital: one for a failure to respect patient confidentiality and to limit access to patient data (€300,000) and the other for the Hospital's inability to ensure data security and data integrity (€100,000). These figures all contribute to a total sum of over €56 million in fines issued across Europe. 

Impact – What Next?

The sheer increase in complaints, notifications and investigations involving EU DPAs is a clear indicator of the public's awareness of the new privacy rules and the willingness of DPAs to enforce the GDPR. 

It is reported that the GDPR is having a positive impact on consumer opinion in relation to personal data being collected and stored by organisations. The DPC has further noted the strong engagement with the new law across the board, particularly from consumers and concerned persons who have raised queries about the processing of their personal data.

Ireland's status as a hub for EU privacy has rendered the DPC the most rapidly growing DPA in the EU. Ireland's Data Protection Commissioner, Helen Dixon, has noted equally that companies are "lawyering up" in readiness for further activity. Over the next twelve months, the DPC has said that it aims to conclude its investigations into various organisations to provide some clarity on the interpretation of key GDPR principles and how DPAs can administer their corrective and fining powers. Ms Dixon has also said that due to the broad range of responses that the DPC receives, it is in a unique position to ultimately show 'a much richer picture to measure across the board what the effects of GDPR are.' We await details of the further emerging trends. 

 

Article provided by: Leo Moore (Partner, William Fry)

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org

VIEW PROJECT

Gallery

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.