1: The One Stop-Shop
In 2021, the DPC sent forward four large-scale draft decisions, relating to multinational organisations with operations in all EU member states, where all 31 European Supervisory Authorities met the threshold to constitute a Concerned Supervisory Authority. In addition, the DPC also shared the finalised WhatsApp decision with all member states as Concerned Supervisory Authorities. The Report notes that the OSS has been successful in providing a “sole interlocutor” for multinationals operating across the EU. However, it goes on to state that, as not all multinational activity in fact falls within the scope of the OSS arrangements, its remaining two aims “are doing less well”. These aims are: to ensure a harmonised interpretation of key principles of the GDPR across all EU member states, and to ensure a consistent and level playing field across the EU in terms of the application of the GDPR’s rules.
5: The Number of Years and Number of Goals in its Regulatory Strategy
In 2021, the DPC completed its work on its Regulatory Strategy for the next five years, taking account of public feedback and its experience since the GDPR came into effect. The goals for the next five years are to: (1) regulate consistently and effectively; (2) safeguard individuals and promote data protection awareness; (3) prioritise the protection of children and other vulnerable groups; (4) bring clarity to stakeholders; and (5) support organisations and drive compliance.
81: Number of Statutory Inquiries on-hand at the DPC at the end of December 2021 (including cross-border inquiries)
Inquiries concluded in 2021 include the investigation of WhatsApp for failure to comply with transparency obligations, investigations into personal data breaches with the Irish Credit Bureau, MOVE Ireland and the Teaching Council and an investigation into Limerick City and County Council for a range of issues in relation to its use of CCTV. As an overview, the DPC:
- concluded five large-scale inquiries;
- sent four draft decisions to the Article 60 GDPR process (cooperation between the lead supervisory authority and the other supervisory authorities concerned), and referred one case to the Article 65 process (dispute resolution by the board);
- issued nine preliminary draft decisions; and
- sought submissions on statement of issues or inquiry reports in 17 cases.
260: The Target Number of Staff for its 2022 Recruitment Drive
The funding of the DPC increased in 2021 by €2.2 million to a total of €19.1 million (€23.2 million in 2022). Its staff count at the end of 2021 was 190 and its 2022 target for headcount is 260 people.
The deployment of resources in a targeted and effective way is a key theme in the Report. Part of the DPC’s vision is to “apply a risk-based regulatory approach to its work, so that its resources are always prioritised on the basis of delivering the greatest benefit to the maximum number of people.” In its Regulatory Strategy, the DPC sets out its intention to “more actively prioritise those complaints, the outcome of which will have the greatest impact”. The Report seeks to address any criticism that, in doing so, the DPC will be side-stepping its obligation to handle all individual complaints, stating that “complaints raising issues of substance, the resolution of which will achieve most for data subjects, are prioritised in terms of resources.”
3,419: Complaints Received by the DPC in 2021
In 2021, the DPC concluded 3,564 complaints (to include complaints received prior to 2021). 463 of the complaints received were concluded by fast-track amicable means.
The most frequent GDPR topic for queries and complaints in 2021 continued to be data subject access requests. However, the Report notes its success in 2021 in concluding more access request cases than it received that year. When dealing with complaints in relation to access requests the Report notes that it often transpires that the controller has: (a) not performed an adequate search for the personal data; (b) not advised the individual that they are withholding data and set out the exemption they are relying on; or (c) not responded within the required timeframe. In 2022, the DPC intends to increase enforcement in instances where controllers do not respond to DSARs or complaint commencement correspondence by the DPC.
6,549: Valid Data Breach Notifications Received by the DPC under the GDPR
In addition to the above, the DPC received 187 complaints in relation to notified and non-notified data breaches and found that organisations who took their time to update affected individuals properly ultimately resolved the matter sooner, sometimes negating the need for the DPC to become involved at all. The highest category of data breaches notified in 2021 was in relation to unauthorised disclosure. The Report notes a vast increase in the number of breaches arising from email correspondence issuing to incorrect recipients because the message service incorrectly predicted the recipient email address based on the first characters typed (a pertinent case study illustrating this is included in the Report).
From January 2022 onwards, the DPC intends to adopt a new strategic approach to handling breach notifications. The DPC will acknowledge receipt of notifications that controllers are legally obliged to submit, but will not issue recommendations or request further information in most cases. This acknowledgement will not indicate satisfaction with the notification itself, or the assessment of the breach. The DPC will continue to assess all notifications and where there are complaints or the DPC deems the issue warrants further information or a formal statutory inquiry, the DPC will proceed accordingly. The focus will be on prioritising enforcement cases, as opposed to guidance, given the large amount of guidance already published on data breaches.
Number Unknown: How to Measure Success
The DPC notes the emergence of a narrative by commentators where “the number of cases and the quantity and size of the administrative fines” are the only measure of success. This narrative is informed by an assumption that financial penalties are effective in delivering improvements for data subjects.
The DPC calls for a system “in which the effectiveness of our interventions (in whatever form they take) are assessed by asking whether they have delivered (measurable) changes in behaviour on the part of controllers and real-life (and measurable) benefits for data subjects”. In the table below, we set out decisions made by the DPC where a significant sanction, or corrective measure, was applied in 2021.
| Entity | Date | Corrective Power Exercised | Fine(s) |
|---|---|---|---|
| Irish Credit Bureau DAC | 23 March 2021 | | €90,000 |
| WhatsApp Ireland Ltd | 28 July 2021 | | €225 million |
| MOVE Ireland | 20 August 2021 | | €1,500 |
| Teaching Council of Ireland | 2 December 2021 | | €60,000 |
| Limerick City and County Council | 9 December 2021 | | €110,000 |
Article provided by INPLP member: Rob Corbet (Arthur Cox LLP, Ireland)
Dr. Tobias Höllwarth (Managing Director INPLP)