On March 7, 2023, the Irish Data Protection Commission (“DPC”) published its annual report for 2022. The report reflects the DPC’s reputation as both an active enforcer of the General Data Protection Regulation (“GDPR”) and a contributor to policy development at national and EU levels. The level of interaction between the DPC and the European Data Protection Board (“EDPB”) is particularly significant with more than 300 meetings reported for 2022 (averaging at more than 25 per month), many of which involved participation in the EDPB’s expert subgroups.
The leadership of Ireland’s Data Protection Commission (“DPC”) is to be expanded to a three-person Commission, with the current Commissioner taking the lead role as Chair. The Irish Minister for Justice announced the decision on July 27, 2022, along with the Government’s decision to undertake a review of its governance structures, staffing arrangements and processes for the newly modeled Commission.…
On May 25, 2022, the Irish Data Protection Commission (“DPC”) issued 3 short guides for children, with the objective of raising awareness among adolescents about data protection and their privacy rights, as well as serving as a resource “for parents, educators and anyone [else] interested in children’s safety and wellbeing online”. The 3 guides…
The Irish Data Protection Commission (“DPC”), having last month released its annual report (see our blog post here), has now also issued two additional reports detailing statistics on its handling of cross-border cases (see here) and a recently completed Resource Allocation Audit conducted by independent consultants (see here). Each is important in its own right for the reputation and development of this regulator, the lead EU supervisory authority for many of the large technology companies.
Continue Reading Irish DPC Reports on Cross-Border Activity and Resources
On February 24, 2022, the Irish Data Protection Commission (“DPC”) published its 2021 annual report setting out its activities and outcomes for last year (see press release here and the full report here). At 120 pages long, it is detailed and specific, and in places, comes with a targeted and reflective commentary. Overall, it provides readers with useful insights into the work of a supervisory authority at the forefront of Europe’s data protection whirlwinds.
Continue Reading Irish Data Protection Commission Publishes 2021 Annual Report
One of every five people (20.5%) in Ireland are children under the age of 14. This constitutes the highest proportion of children in the EU, where the average was 15.2% in 2019. Ireland’s proportion of young people under the age of 30 is also the highest in the EU, at 39%. It’s an influential figure for Irish policy makers and regulators, who have strengthened their approach to protection of children’s personal data in recent years. This greater emphasis on children’s rights is due to a number of additional intersecting dynamics including EU law, child abuse scandals, a rise in cyberbullying, and a growing consensus that children face heightened digital risks. These dynamics have also informed the planned establishment of an Online Safety Commissioner, currently advancing as part of the Online Safety and Media Regulation Bill just published and currently receiving strong media attention.
Together with the Irish DPC role as lead regulator for many leading technology and social media companies, these legal and cultural headwinds provide the context within which the DPC aims to develop strong child data protection standards.
Following extensive public consultation, with experts as well as school children, the DPC has issued comprehensive guidance on the processing of children’s data. Entitled “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing,” the guidance sets out 14 principles (referred to as “the Fundamentals”) for organizations engaged in processing the personal data of children.
In addition to the usual GDPR expectations, the specific Fundamentals also include:
- Zero interference with a child’s best interests, where organizations rely on legitimate interests as their legal basis for processing;
- “Know your customer” requirements focusing on child-oriented transparency; and
- Specific guidance around age verification and consent
The overall aim of the Fundamentals, in protecting the best interests of children, is to at least set a default floor of high standardised protection for all data subjects where children may form part of a mixed user audience.…
On Thursday, September 2, 2021, the Irish Data Protection Commission (“DPC”) published its decision in the long-awaited inquiry it initiated into the data processing of WhatsApp Ireland Limited (“WhatsApp”) in December 2018. It finds against WhatsApp, imposing a fine of €225 million.
Continue Reading Irish DPC Finds Against WhatsApp
On Jul 22, 2021, the Irish Joint Committee on Justice (“Committee“) published a report that included a series of recommendations on the work of the Irish Data Protection Commission (“DPC“). The Committee, made up of 14 politicians from across the political spectrum and drawn from both the Dáil (the elected first house) and Seanad (the senate), issued this report following a public hearing held on April 27, 2021 (see our prior blog post here). The recommendations in the report address, among other things, concerns raised about the Irish DPC’s oversight and enforcement of the EU General Data Protection Regulation (“GDPR“).
Continue Reading Ireland’s Joint Committee on Justice Publishes Recommendations to Reform the Irish Data Protection Commission
On April 27, 2021, the Irish Oireachtas Committee on Justice met in Dublin to consider recent written submissions received criticising the Irish Data Protection Commission (DPC). The meeting was divided into two hour-long meetings with the first meeting devoted to the criticisms of Max Schrems, the Austrian privacy campaigner, and Fred Logue, an Irish data protection lawyer. The second meeting, the longer of the two, heard from Helen Dixon, the Data Protection Commissioner, and the Irish Council of Civil Liberties.
Ten politicians, including the Chair (a lawyer with data law experience), questioned each of the invitees on what was a limited agenda. Each participant was limited to a five minute opening statement after which member politicians attending queried them. Discussion of ongoing cases was not permitted.
The Committee scheduled Mr. Schrems and Ms. Dixon on separate panels, presumably to avoid a repeat of Ms. Dixon’s objection to the previous invitation from the European Parliament’s LIBE Committee proposing to hear from both together at the same hearing. Each in turn were the key participants in their panel discussions. Mr. Schrems repeated criticisms he has made previously and Ms. Dixon gave a strong defence of her office.
Continue Reading Irish Parliamentary Committee Hearing Discusses Criticism of the Irish DPC
On March 6, 2020, the Irish Supervisory Authority (“DPC”) issued guidance on how companies should process personal data when taking steps to contain the spread and mitigate the effects of COVID-19.
The DPC made clear that data protection law does not stand in the way of the provision of healthcare and the management of public…