On February 24, 2022, the Irish Data Protection Commission (“DPC”) published its 2021 annual report setting out its activities and outcomes for last year (see press release here and the full report here).  At 120 pages long, it is detailed and specific, and in places, comes with a targeted and reflective commentary.  Overall, it provides readers with useful insights into the work of a supervisory authority at the forefront of Europe’s data protection whirlwinds.

Addressing the Critics

The DPC introduces the report with commentary that is critical of the narrative that equates the size of fines imposed under the EU General Data Protection Regulation (“GDPR”) with regulatory efficacy.  This is the elephant in the room tackled up front.  It is a narrative that has been repeated against the DPC in recent times by critics complaining about the level of control (or lack thereof) that the DPC exercises over large technology platforms, many of which have established their center of EU operations in Ireland.  In response to this sentiment, the DPC refers to the ongoing work of European data protection authorities to identify a set of performance metrics to quantify regulatory output across all Member States, stating that “such metrics must, however, move past both superficial totting exercises and assumptions to the effect that the bigger the fine, the greater the change of behaviour it will herald.”

Further, to illustrate the varying levels of complexity that the report refers to, the DPC cites to the example of a decision that ran to “several hundred pages and touch[ed] on the complex operating processes of large multinational organisations, impacting on millions of people” in contrast with another decision comprising “a two-line treatment of a comparatively simple issue that has minimal ramifications for data subjects in general.”

About More Than The GDPR

While cognizant that the control enjoyed by large technology platforms may need to be tackled by more than a single regulatory discipline, whether “data protection, competition law or content regulation”, there is, according to the DPC, “no question” that the GDPR is and will remain the best-available framework in Europe for protecting personal data.  However, in recognizing the limitations of the GDPR, the DPC goes on to say it is not the role of the DPC or any other supervisory authority to “target all manifestations” of platform power.

Given the suite of forthcoming EU laws and frameworks seeking to address data-related issues, the DPC also emphasizes the importance of cross-regulatory structures to deal with the type of issues already escalated by the one-stop-shop mechanism under the GDPR.

Cross-Border Issues

While praising the one-stop-shop mechanism for streamlining the regulatory challenges that large multinational companies would otherwise face, the DPC also comments on the challenge of inconsistent approaches by EU supervisory authorities, where one-stop-shop coordination is not necessarily required.

To set the scene, the one-stop-shop mechanism is useful to multinational companies insofar as it enables them to interface with one central EU supervisory authority, and not the potential myriad of authorities they would otherwise have to deal with directly in the various jurisdictions where their businesses operate.  However, the one-stop shop is only available to companies who have designated a main establishment in a particular EU country, as set out in the GDPR.  Consequently, many cross-border data processing activities are, in reality, outside the scope of the one-stop-shop mechanism.

In commenting on this mechanism, the DPC is critical of the lack of consistency in cross-border decisions, noting that:

“…platforms and other economic operators may choose whether they avail of one-stop shop, or not, with significant consequences attaching to such choices.  Already we have seen decisions that are difficult to reconcile being made about the same cross-border processing operations of one particular platform, but by different EU supervisory authorities where neither process engaged the co-decision making procedures central to the operation of the one-stop shop. That so much cross-border activity can sit outside the one-stop shop brings into question the effectiveness of the coordination efforts that were intended.”

A few other noteworthy points on cross-border issues contained in the report include:

  • The DPC handled 81 statutory inquiries in 2021, 30 of which were cross-border inquiries, and several of those were at an advanced stage. Twenty-one such inquiries are listed in the report.
  • The DPC consulted all European supervisory authorities in relation to 4 of these cross-border draft decisions, each of which raised objections against the DPC’s draft decision.
  • In addition, the DPC sent another 9 preliminary draft decisions to regulated entities and complainants in advance of finalization.
  • The DPC has reviewed 47 draft decisions from other European supervisory authorities in 2021. Of those, 12 were sent to all EU supervisory authorities, including the 4 that were circulated by Ireland.
  • The DPC has raised no objections to 7 draft decisions received by it as a concerned supervisory authority from other lead supervisory authorities in 2021.

Other Report Specifics of Note

Some of the other issues highlighted in the report are:

  • Staff numbers have increased to 190 (up from 145 in 2021), with a target headcount of 260 driving recruitment during 2022.  The report also refers to planned strengthening and expansion of the senior management structure.
  • The budget has increased to €23.2m for 2022.
  • 52% of complaints made in 2021 were concluded that year.
  • Data breach notifications are down slightly but interestingly, of those, unauthorized disclosures have fallen from 86% to 71%.
  • The DPC concluded 5 large-scale inquiries, 4 of which were national in scope.
  • 138 electronic direct marketing investigations were concluded in 2021 under legislation that the DPC says now needs updating.
  • The DPC received 16 external whistleblowing disclosures during 2021.  Four were accepted, with the remainder withdrawn or rejected as invalid or otherwise insufficient as a protected disclosure.  One remains under investigation.
  • The DPC provided guidance and observations on over 40 proposed legislative measures in 2021.  The various proposed new laws covered a wide range of areas including road safety, a number of law enforcement, maritime, judicial appointments, employment, health and birth tracing issues.
  • There has been significant DPC energy focused on child protection during 2021, notably with the publication of its guidance on child protection issues near year end.
  • The DPC also looked at the issue of whether private sector organizations in the healthcare, banking and credit union sectors had a data protection officer (“DPO”) in place.  Only 42% of private hospitals and out-of-hours doctor services were initially identified as having complied; however, full compliance was achieved by year end with the intervention of the DPC, and the report notes increasing compliance in this regard in the banking sector.
  • The DPC made 828 requests for voluntary mutual assistance from other EU supervisory authorities in 2021.  It received 576 such requests.  A much smaller number of formal requests have been made and received (92 and 26, respectively).
  • The DPC’s social media presence increased to over 35,000 followers in 2021.