Data Protection Commissioner publishes Annual Report for 2011 (08/05/2012)
The Data Protection Commissioner (DPC) has published his Annual Report for 2011. The Report notes a clear shift from traditional complaints relating to inappropriate or unfair use of personal data, to complaints increasingly related to the security of personal data and the use or misuse of technology in ways that present real risks to personal data.
The Report highlights that if the European Commission's draft Data Protection Regulation is passed into law, it will result in a significant increase in the scope of the responsibilities of the DPC’s Office in relation to multinational companies which choose Ireland as an EU base. The draft Regulation provides for a “one-stop-shop” arrangement for multinational companies providing services to EU users from an Irish base. At the moment, such companies are supervised by Data Protection Authorities in each Member State in which they carry out data processing activities. (See our Client Bulletin of 31 January 2012 for more details on the Draft Regulation).
A few interesting statistics included in the Report are:
- Investigations and enforcement accounted for 35% of the allocation of the ODPC resources.
- There were 54 prosecutions initiated against 6 entities under the e-Privacy Regulations. (Breaches of the e-Privacy Regulations are for the most part criminal offences which can be prosecuted through the Courts leading to fines, whilst breaches of most of the provisions of the Data Protection Acts (DPA) are not offences.
- The DPC does not have the power to directly impose financial penalties.) The DPC made a total of 17 formal decisions on whether there had been a breach of the DPA, 13 of which fully upheld the complainant's assertion that there had been a breach.
- 10 Enforcement Notices and 2 Information Notices were issued. Complaints in relation to data subject access requests accounted for approximately 48% of the overall total of complaints received.
- 1167 data security breach notifications were received by the DPC’s Office in 2011, compared to 410 notifications in 2010. (The DPC states this increase is due to a raised awareness of the need to notify the DPC’s office, as a result of the Data Security Breach Code of Practice issued in July 2010).
- A total of 28 audits were conducted by the DPC.
The Report highlights the recent transposition of the e-Privacy Directive by way of the e-Privacy Regulations, S.I. 336 of 2011 (which revoked S.I. 535 of 2003 & S.I. 526 of 2008). The new Regulations impose a mandatory requirement on ISPs and Telcos to report data security breaches to the DPC’s Office. Individuals must also be informed of any data security breach which might cause adverse consequences.
The e-Privacy Regulations also contain the so-called “Cookie law” and the DPC has indicated that he now regards this law as being well established and expects to see significant efforts being made by websites to achieve compliance. (See our Client Bulletin of 12 July 2011 for more details on the new E-Privacy Regulations).
The Report also notes that the DPC’s office dealt with a substantial number of complaints from individuals who received unwanted contact from candidates for election or political parties in the run up to the General Election of 2011. In framing the e-Privacy Regulations, the Government removed the exemption relating to direct marketing for political activities in the context of marketing communications carried out by electronic means, so the DPC is no longer restricted from investigating complaints in this area.
The Report contains 13 case studies, including: excessive data collection by a leisure centre; unlawful use of CCTV by a company to remotely monitor an employee; financial institutions seeking to restrict the right of access to credit assessments; and complaints about solicitors and private investigators not complying with access requests.
To access a copy of the Annual Report, please click here.
For further information on this article please contact Davinia Brennan at firstname.lastname@example.org or your usual contact at A&L Goodbody.
Date published: 8 May 2012