On March 7, 2023, the Irish Data Protection Commission (“DPC”) published its annual report for 2022. The report reflects the DPC’s reputation as both an active enforcer of the General Data Protection Regulation (“GDPR”) and a contributor to policy development at national and EU levels.  The level of interaction between the DPC and the European Data Protection Board (“EDPB”) is particularly significant, with more than 300 meetings reported for 2022 (averaging more than 25 per month), many of which involved participation in the EDPB’s expert subgroups.

Enforcement

On enforcement, the DPC issued two-thirds of the total monetary amount of fines assessed across Europe (including the UK) in 2022, the vast majority of which were against social media platforms.  While the report lays out the DPC’s significant enforcement credentials, it remains to be seen whether it will be enough to quell recent criticisms that it has been “soft” on enforcement.

One-Stop-Shop

In the report, the DPC expresses frustration with the operation of the One-Stop-Shop mechanism under the GDPR, which allows organizations that have their main establishment in a particular Member State to designate that Member State’s supervisory authority as their “lead” supervisory authority.  The DPC observes that “[t]he novelty of the political and economic compromise that led to the creation of the One-Stop-Shop, in its current form, has created something of a legal maze that requires constant navigation, building an ever more complex landscape for litigators.”

The frustrations of the One-Stop-Shop mechanism echo elsewhere in the report.  For example, the DPC cites an Irish complaint against a German company which required it to refer the matter to the relevant German supervisory authority (“SA”).  Partly due to lengthy discussions between DPAs as required by the GDPR, as well as the requirement for translations between English and German, the matter took three years to resolve.  On the delay, the DPC states that “resolution for the complainant, and the respondent, were delayed by the unnecessarily protracted process required by the operation of the One-Stop-Shop.  It also involves the transmission of the complaint’s personal data around an unnecessarily large number of investigative staff in various EU data protection authorities.  This issue requires examination by legislators to improve the timeliness and appropriate handling of decision for EU citizens.”

Highlights

Other highlights of the report include the following:

  • The DPC has 22 large-scale cross-border inquiries that are currently ongoing;
  • The DPC received 125 new cross-border complaints last year as lead supervisory authority, with just 12 received in its role as a concerned supervisory authority;
  • The DPC concluded 245 cross-border complaints in 2022;
  • There were notable changes in the DPC’s management team, including the loss (and replacement) of the 3 deputy commissioners, and additional new appointments being made to increase the management team from 7 to 9;
  • A three-fold increase in ePrivacy breach notifications due to the recent expansion of the ePrivacy Directive’s scope to cover OTT services;
  • German DPAs objected to 12 large-scale DPC cross-border cases, with the French and Italian DPAs objecting in 8 cases each.  To date, 14 Member State DPAs have not raised any objections to such cases;
  • The DPC has a busy domestic agenda; in addition to a number of locally based cases and litigation, it provided guidance and observations in relation to 30 new legislative proposals, most of which were domestic, in 2022;
  • The DPC’s budget increased by 21.5% in 2022, to now exceed €23 million; similarly, staffing numbers jumped to 196 in December 2022, and continue to increase in 2023;
  • The DPC received 40 Freedom of Information requests, most of which (29) were deemed out of scope.  Of the remainder, 5 were granted in full, and 3 were granted in part;
  • The DPC received 5 valid and external protected disclosures from a potential pool of 13 initial disclosures, most of which were rejected as being complaints rather than protected disclosures, or due to the lack of detail provided; and
  • As part of its awareness-raising campaign, the DPC produced 7 new pieces of guidance, including 3 short guides for children, and 11 updates to existing guidance. 

The Covington Privacy & Cyber team continues to keep a close eye on the enforcement activities of European supervisory authorities, and enforcement trends more generally. If you have any questions, feel free to reach out to any member of the team.