The Data Protection Commission’s 2022 Annual Report
The DPC concluded a number of large-scale inquiries in 2022, including several high-profile cross-border decisions against some of the largest social media and Big Tech companies in the world. The year also saw the DPC impose some high-value, high-profile fines, with a total value exceeding 1 billion euro. This figure amounted to over two thirds of the total fines issued by data protection authorities across the EEA and the UK. The DPC also received large numbers of consultation requests and had a busy year in terms of engagement with the European Data Protection Board (“EDPB”) and other national supervisory authorities.
1. COMPLAINTS, INQUIRIES AND DECISIONS IN FOCUS:
1.1 Contacts, Queries and Complaints
From 1 January 2022 to 31 December 2022, the DPC:
- received 21,230 electronic contacts, 16,855 phone calls and 1,118 postal contacts;
- processed 9,370 new cases (a decrease of 14% on 2021 case figures), of which 6,660 were in the nature of queries that could be dealt with relatively expeditiously and 2,710 that progressed to a formal complaint-handling process; and
- concluded 10,008 cases of which 3,133 were resolved through formal complaint-handling.
1.2 Top 5 categories of complaints received under the GDPR in 2022:
| Complaints Received under the GDPR | Number | % of total Complaints |
|---|---|---|
| Right to erasure | 263 | 10% |
1.3 Sample Case Study Examples from the Annual Report:
(a) Access Requests: The DPC received 1,142 new access complaints and concluded 1,255 in 2022.
Case Study 1: Failure to Respond to an Access Request
An individual made a subject access request to an organization for a copy of all information held regarding his engagement with them but did not receive a response. The individual then complained to the DPC, which intervened to resolve the matter. The individual was not satisfied that all documents were provided. However, the controller claimed the personal data had been provided in another format. The DPC clarified that access rights are about access to personal data, not documents, and that the controller had provided all the data to which the individual was entitled in an intelligible form. Therefore, the DPC advised the complainant that he had been provided with all the data he was entitled to under data protection legislation.
(b) Right to Erasure:
Case Study 19: Article 60 decision concerning Airbnb Ireland UC – Delayed response to an Access Request and an Erasure Request
The DPC found that Airbnb Ireland UC infringed several articles of the GDPR in response to a complaint lodged by a customer. The complaint alleged that Airbnb failed to comply with an erasure request and a subsequent access request within the statutory timeframe. The complaint also outlined that Airbnb requested that the customer provide a copy of their photographic ID, which the customer had not previously provided to Airbnb. The DPC found that Airbnb's request for photographic ID infringed the principle of data minimization and that the legitimate interest pursued by the controller did not constitute a valid lawful basis under the GDPR. Further, Airbnb infringed Article 12(3) of the GDPR with respect to its handling of the complainant's access request. In light of these infringements, the DPC issued a reprimand to Airbnb Ireland UC and ordered it to revise its internal policies and procedures for handling erasure requests.
(c) Direct Marketing: The DPC received 204 new complaints in relation to electronic direct marketing in 2022, including 118 complaints in relation to email messages, 52 complaints in relation to text messages, 28 complaints in relation to cookies and 6 complaints concerning phone calls. A total of 207 electronic direct marketing investigations were concluded in 2022, with two successful convictions, resulting in total combined fines of €6,500.
Case Study 11: Prosecution of Vodafone Ireland Limited
The DPC received a complaint from an individual in July 2021 about an unsolicited marketing call from Vodafone. Vodafone admitted that, due to human error, the complainant was included in the marketing campaign despite opting out in 2018. Vodafone had previously been prosecuted five times for similar breaches. In June 2022, Vodafone pleaded guilty to one charge and made a charitable donation of €500 to Little Flower Penny Dinners. The Probation of Offenders Act 1907 was applied, and Vodafone discharged the DPC's legal costs.
Case Study 9: Disclosure of Sensitive Data
A clothing and food company was reported to the DPC for disclosing an individual's personal medical information by printing “Coeliac Mailing” on the outside of an envelope. The individual had signed up to receive an 'Annual Certificate of Expenditure' of gluten-free products purchased during the year, which could be used for tax purposes. The DPC advised the store that health data is sensitive and has additional protection under Article 9 of the GDPR. The store agreed to cease using the wording “Coeliac Mailing” on the outside of envelopes for all future mailings.
2. DATA BREACH NOTIFICATIONS
2.1 The DPC received 5,828 valid data breach notifications in 2022, a decrease of 12% on 2021 figures. A total of 5,695 valid GDPR breaches were recorded, representing a 13% decrease on 2021 figures overall.
2.2 Similar to 2021, public sector bodies and banks accounted for the “top ten” organizations in terms of the highest number of breach notifications recorded against them, with insurance and telecom companies featuring prominently in the top twenty.
2.3 With financial institutions, repeated instances of poor operational practices and human error were observed, including inserting wrong documents into envelopes addressed to an unrelated third party, and lack of caution with autofill options on email address bars leading to emails being sent to incorrect addressees.
2.4 Breach notifications helped the DPC to identify trends, and have led to inquiries into, among others, Bank of Ireland, An Garda Síochána and Limerick City and County Council.
2.5 Top 5 Breach Notifications under the GDPR by Category:
2.6 ePrivacy Breaches:
The DPC received a total of 105 valid data-breach notifications in 2022 (an increase of 176% on 2021 figures) under the ePrivacy Regulations (which predominantly cover telecoms operators), which accounted for just under 2% of total valid breach cases notified for the year. As predicted in its 2021 Annual Report, the number of breaches notified to the DPC under the ePrivacy Regulations increased significantly in 2022.
3. INQUIRIES AND CROSS BORDER INQUIRIES
3.1 The DPC concluded 17 large scale inquiries (both national and cross-border) in 2022, against various Big Tech and public bodies. Several of these inquiries led to the imposition of reprimands and corrective actions.
3.2 Some of the more notable fines issued on foot of the conclusion of inquiries in 2022 include:
| Entity | Corrective Measures Imposed | Reason | Fine (€) |
|---|---|---|---|
| Meta (Instagram) | Reprimand re Articles 5(1)(a), 12(1), 35(1), 24(1), 5(1)(c), 25(2), 6(1) and 25(1) GDPR; Orders re Articles 5(1)(a), 12(1), 35(1), 24(1), 5(1)(c), 25(2), 6(1) and 25(1) GDPR | Failure to implement appropriate safeguards in relation to children’s data | 405 million |
| Meta (Facebook) | Reprimand re Articles 25(1) and 25(2) GDPR; Order re Article 25(2) GDPR | Data scraping infringements | 265 million |
| Meta (Facebook) | Order re Articles 5(1)(a), 12(1), 13(1)(c) and 6(1) GDPR | Incorrect reliance on contract as a legal basis; lack of transparency | 210 million |
| Meta (Instagram) | Order re Articles 5(1)(a), 12(1), 13(1)(c) and 6(1) GDPR | Incorrect reliance on contract as a legal basis; lack of transparency | 180 million |
| Meta (Facebook) | None | Data breach failures | 17 million |
| Bank of Ireland PLC | Reprimand re Articles 33, 34 and 32 GDPR; Orders re Article 32 GDPR | Unauthorized disclosure of personal data to the Central Credit Register | 463,00 |
3.3 Ongoing Inquiries:
As of 31 December 2022, the DPC had 88 statutory inquiries ongoing, including 22 large-scale cross-border inquiries.
3.4 Ongoing National Inquiries:
The Annual Report outlines several ongoing inquiries in the national context that were at the draft decision stage by the end of 2022. Some notable parties concerned included Permanent TSB, the Department of Social Protection, the Catholic Church (Archbishop of Dublin), the Department of Health and Bank of Ireland plc.
3.5 Ongoing Cross-Border Inquiries:
(a) The DPC received 125 valid cross-border complaints as Lead Supervisory Authority and concluded 246 cross-border complaints during the year. It also received 12 cross-border complaints as a Concerned Supervisory Authority and concluded 20 such complaints.
(b) As of 31 December 2022, 4 DPC draft decisions in large-scale inquiries involving companies such as TikTok, Airbnb and Meta were in the EU co-decision-making process (Article 60 GDPR).
(c) The DPC had, by 31 December 2022, progressed 9 large-scale inquiries to the point where submissions on a draft decision, statement of issues or inquiry reports were invited from the relevant parties.
(d) The DPC also received 38 breach notifications in relation to the Law Enforcement Directive (Directive (EU) 2016/680). It also concluded 58 LED complaints during the year.
4. OTHER AREAS OF FOCUS
4.1 Consultation and Engagement
(a) As part of the GDPR’s cooperation mechanism, the DPC engaged on a continuous basis with the EDPB and other supervisory authorities. In 2022, the DPC contributed to over 300 EDPB meetings, continued to have representation on all EDPB subgroups, and became a founding member of Ireland’s first Digital Regulators Group. DPC employees also presented at 88 events, contributed to over 30 pieces of proposed legislation and received 322 consultation requests from a variety of stakeholders.
(b) The most notable engagements included engagement with TikTok on their legal basis for providing personalized advertising and with KBC Bank and Bank of Ireland generally on the migration of most of the KBC customer database of mortgage holders to Bank of Ireland.
(c) The DPC continued its commitment to keeping abreast of the most up-to-date data developments by updating 11 pieces of existing guidance and producing seven pieces of substantial new guidance (including three specifically tailored towards children).
4.2 Supervision and Direct Intervention
(a) The DPC received 322 consultation requests in 2022, across various sectors. Matters prioritized by the DPC for direct intervention in 2022 included Census data collection practices, excessive data collection in the residential property sector, CCTV in cinemas, school toilets, fast food outlets, nursing homes and medical centers, and remote access to CCTV as a substitute for onsite workplace supervision.
4.3 Fines, Funding and Procedural Difficulties with the One Stop Shop (“OSS”) Mechanism:
(a) Dublin Circuit Court confirmed six of the DPC’s imposed fines, ranging from 1,500 to 17 million euro. The DPC expressed frustration with the procedural delays inherent in the GDPR and EDPB appeals systems in their current forms.
(b) The DPC received €23.234M in budget for 2022, which represents a 21.5% increase on 2021. They also increased their staff numbers by 51 (to 196).
5. LOOKING FORWARD TO 2023
5.1 The Annual Report outlines that the DPC will continue to focus on the protection of the data protection rights of vulnerable people in society in 2023, such as the elderly, homeless and children. While expressing satisfaction at the work done in 2022, they noted there is a litany of potential challenges to come, centering around the lack of clarity in the interpretation of key GDPR principles, the low levels of compensation awarded for GDPR breaches at EU level, and the potential regulatory and enforcement issues set to come to the fore with the commencement of the DMA and DSA.
Article provided by INPLP member: Rob Corbet (Arthur Cox LLP, Ireland)
Dr. Tobias Höllwarth (Managing Director INPLP)