On March 7, 2023, the Irish Data Protection Commission (“DPC”) published its annual report for 2022. The report reflects the DPC’s reputation as both an active enforcer of the General Data Protection Regulation (“GDPR”) and a contributor to policy development at national and EU levels.  The level of interaction between the DPC and the European Data Protection Board (“EDPB”) is particularly significant with more than 300 meetings reported for 2022 (averaging at more than 25 per month), many of which involved participation in the EDPB’s expert subgroups.

Enforcement

On enforcement, the DPC issued two-thirds of the total monetary amount of fines assessed across Europe (including the UK) in 2022, the vast majority of which were against social media platforms.  While the report lays out the DPC’s significant enforcement credentials, it remains to be seen whether it will be enough to quell recent criticisms that it has been “soft” on enforcement.

One-Stop-Shop

In the report, the DPC expresses frustration with the operation of the One-Stop-Shop mechanism under the GDPR, which allows organizations that have their main establishment in a particular Member State to designate that Member State’s supervisory authority as their “lead” supervisory authority.  The DPC observes that “[t]he novelty of the political and economic compromise that led to the creation of the One-Stop-Shop, in its current form, has created something of a legal maze that requires constant navigation, building an ever more complex landscape for litigators.”

The frustrations of the One-Stop-Shop mechanism echo elsewhere in the report.  For example, the DPC cites an Irish complaint against a German company which required it to refer the matter to the relevant German supervisory authority (“SA”).  Partly due to lengthy discussions between DPAs as required by the GDPR, as well as the requirement for translations between English and German, the matter took three years to resolve.  On the delay, the DPC states that “resolution for the complainant, and the respondent, were delayed by the unnecessarily protracted process required by the operation of the One-Stop-Shop.  It also involves the transmission of the complaint’s personal data around an unnecessarily large number of investigative staff in various EU data protection authorities.  This issue requires examination by legislators to improve the timeliness and appropriate handling of decision for EU citizens.”

Highlights

Other highlights of the report include the following:

  • The DPC has 22 large scale cross-border inquiries that are currently ongoing;
  • The DPC received 125 new cross-border complaints last year as lead supervisory authority, with just 12 received in its role as a concerned supervisory authority;
  • The DPC concluded 245 cross-border complaints in 2022;
  • There were notable changes in the DPC’s management team, including the loss (and replacement) of the 3 deputy commissioners, and additional new appointments being made to increase the management team from 7 to 9;
  • A three-fold increase in ePrivacy breach notifications due to the recent expansion of the ePrivacy Directive’s scope to cover OTT services;
  • German DPAs objected to 12 large-scale DPC cross-border cases, with the French and Italian DPAs objecting in 8 cases each.  To date, 14 Member State DPAs have not raised any objections to such cases;
  • The DPC has a busy domestic agenda; in addition to a number of locally based cases and litigation, it provided guidance and observations in relation to 30 new legislative proposals, most of which were domestic, in 2022;
  • The DPC’s budget increased by 21.5% in 2022, to now exceed €23 million; similarly, staffing numbers jumped to 196 in December 2022, and continue to increase in 2023;
  • The DPC received 40 Freedom of Information requests, most of which (29) were deemed out of scope.  Of the remainder, 5 were granted in full, and 3 were granted in part;
  • The DPC received 5 valid and external protected disclosures from a potential pool of 13 initial disclosures, most of which were rejected as being complaints rather than protected disclosures, or due to the lack of detail provided; and
  • As part of its awareness-raising campaign, the DPC produced 7 new pieces of guidance, including 3 short guides for children, and 11 updates to existing guidance. 

The Covington Privacy & Cyber team continues to keep a close eye on the enforcement activities of European supervisory authorities, and enforcement trends more generally. If you have any questions, feel free to reach out to any member of the team.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Marie Daly Marie Daly

Marie Daly brings a broad range of commercial and regulatory expertise across a variety of business sectors. She is recognised as being a practical, straightforward, and commercially focussed lawyer; with a proven capacity to influence at all levels within business and to contribute…

Marie Daly brings a broad range of commercial and regulatory expertise across a variety of business sectors. She is recognised as being a practical, straightforward, and commercially focussed lawyer; with a proven capacity to influence at all levels within business and to contribute to policy and legislative development.

With a background as a litigator, employment lawyer, and lobbyist, Marie served as the general counsel of Ibec, the largest Irish lobby and business representative group, for over 16 years before joining the firm. She was responsible for ensuring competition compliance for 38 trade associations and also developed a data protection compliance regime in recent years.

Marie has significant corporate governance experience in the private and public sector having also served as a Board member of two Irish regulators.

Marie is a member of the Irish Company Law Review Group appointed by the Minister of Business Enterprise and Innovation, and was deeply involved in the drafting of the comprehensive new Companies Act 2014.