First GDPR fines in Ireland: Big Tech Fines on the horizon
TUSLA, the Irish Child and Family Agency, was issued with fines for breaches of the GDPR. The announcements of the first fine of €75,000 and the second of €40,000 were confirmed, with a further fine expected soon.
A series of inquiries was launched by the DPC into TUSLA following notifications received from TUSLA relating to the disclosure of personal data of children and their families to unauthorised parties. TUSLA processes personal data necessary to support and promote the development, welfare and protection of children, and the effective functioning of families. This includes the processing of a large volume of special category data, i.e. health and welfare data, as well as criminal history information. This category of personal data is subject to stricter protections under the GDPR.
The reported breaches relate to three separate incidents. The first involved TUSLA accidentally disclosing contact and location data of a mother and child to their alleged abuser. Another incident reported involved the accidental disclosure of contact, location and school information of children in foster care to a grandparent, allowing the grandparent to contact the foster parent about the children. A further breach which has been investigated involved the accidental disclosure of the address of children in a foster family to their father who was in prison.
The confirmatory mechanism
Section 142 of the Irish Data Protection Act 2018 (DPA 2018) permits the data controller or processor who is subject to an administrative fine to appeal to the court against the decision. TUSLA has indicated that it accepts its responsibilities and it does not intend to appeal the DPC's decision. The DPC has, as is required under Section 143 of the DPA 2018, made a summary application to the Circuit Court for confirmation of its decision. The Circuit Court will then confirm the decision unless there is good reason not to do so.
If an administrative fine is appealed, appeals will be heard by the Circuit Court where the fine does not exceed €75,000 and by the High Court in any other case. The Circuit Court has jurisdiction to confirm an administrative fine of any amount where no appeal is brought.
DPC inquiries into TUSLA remain ongoing. The agency reported a number of other personal data breaches, which include inappropriate systems access, inappropriate disclosure by email and post, and security of personal data.
It is clear from these fines that the DPC will not hesitate to use its enforcement powers where there are serious failures by public authorities, whether acting as 'controllers' or 'processors', to comply with the provisions of the GDPR.
Inquiries by the Data Protection Commission into Big Tech
More decisions from the DPC are expected to be issued shortly:
Twitter: the DPC confirmed that it has concluded its investigation into Twitter. This inquiry stemmed from a complaint made to the DPC in November 2018 relating to the handling of a data breach. The DPC launched an inquiry into Twitter's disclosure of the breach and its records of processing activities. As the 'lead Supervisory Authority' for Twitter, the DPC is required to liaise and cooperate with other 'concerned Supervisory Authorities' on cross border decisions before issuing enforcement action under the GDPR. The purpose of this process is to promote consistency of data protection regulation across Europe. Since the Twitter decision will be subject to consultation by all the appropriate concerned regulatory authorities, it may take some time before agreement is reached on the appropriate sanction for these GDPR infringements. The DPC submitted a draft decision to other supervisory authorities in May. These regulators have four weeks to comment on the draft decision and if there are no objections, the DPC will issue a final decision.
WhatsApp: Another preliminary draft decision has been sent to WhatsApp Ireland Limited for its final submissions before the DPC prepares its decision.
Facebook: Facebook's proposed launch on 14 February 2020 (Valentine's Day) of a dating service was stopped by the DPC one week before its proposed launch due to concerns regarding "the decision-making processes that were undertaken by Facebook". Additionally, the DPC's broader inquiry into Facebook has moved to the decision-making phase, the DPC having confirmed that the investigation phase of its inquiry into Facebook Ireland's obligations to establish a lawful basis for personal data processing is complete.
'Big Tech' GDPR decisions on the horizon
The issuance of fines supplements the DPC's focus on driving internal change through engagement with companies, and in setting precedents for other companies to follow in terms of how the GDPR should be applied. Since only four cross border fines have issued to date in the EU, those being smaller fines, the DPC's 'Big Tech' decisions are likely to be the first major cross border GDPR fines and they will set the bar in terms of assessing the level of financial penalty and the corrective measures which should be applied as a deterrent to technology (and other) companies who breach the GDPR.
Article provided by: Leo Moore (William Fry, Ireland)
Dr. Tobias Höllwarth (Managing Director INPLP)