The Data Protection Commission (DPC), the Irish supervisory authority responsible for protecting data privacy rights both nationally in Ireland and (since the GDPR) across the EU, has released its first annual report covering the period from 25 May – the day of the introduction of the GDPR – to 31 December 2018.
The report summarises the status of the DPC’s various core functions, including: driving compliance with data protection legislation; its handling of individual complaints concerning potential data protection infringements; conducting investigations into potential infringements of data protection legislation; and raising general awareness amongst organisations and the public of the issues surrounding the protection of data.
Amongst the most notable figures, the DPC reveals it was notified of 3,542 data breaches during the 7-month period after the introduction of the GDPR. This alone represents a 27% increase over the number of notifications for the whole of 2017. A ‘data breach’ is defined in the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Under the GDPR, the DPC must be notified of any such breach directly by the data-controlling organisation, and failure to do so can result in a fine of up to £10 million or 2% of an organisation’s annual turnover for the prior financial year, whichever is higher – this will be a key driver of the increased number of reported breaches, reflecting the impact the GDPR is already having.
The most common of the reported breaches were classified as ‘Unauthorised Disclosures’. For example, a specific case study in the report demonstrates the disclosure risks associated with auto-fill functions. In this case, various identifying details of a Ryanair customer using the webchat service were emailed to the wrong recipient when the Ryanair agent accidentally auto-filled the incorrect email address into the recipient field. It is not especially surprising that something like an auto-fill function would be the cause of a data breach, and Ryanair has reportedly removed this function for the agents operating the webchat service. The significance of this should not be overlooked. A simple auto-fill function represents what many would likely see as a rudimentary and routine aspect of modern IT use, so it is worth recognising that the new regulations may come to have a significant impact on our established usage patterns.
Of particular relevance, the report highlights that 38 of the reported data breaches related to 11 multinational technology companies. As a result of these breaches, the DPC has commenced several statutory inquiries into these multinational companies’ compliance with the GDPR. Such companies include Facebook, Twitter, LinkedIn, and Apple, with Facebook being the worst offender, facing 7 investigations, along with 3 more into its subsidiaries WhatsApp and Instagram. The results of these investigations are expected to produce significant precedents for better implementation of the GDPR, particularly for social media services.
In terms of the number of individual complaints surrounding potential misuse of their, or others’, personal data by data-collecting organisations, the report shows a significant increase post-GDPR – 2,864 in the 7 months after the GDPR compared to the previous highest of 2,642 throughout all of 2017. The category with the largest number of complaints was that of ‘Access Rights’; complainants felt they were limited in their ability to obtain information from whatever organisation they were dealing with regarding what data of theirs was being collected, and for what purpose.
Helen Dixon, the Irish Commissioner for Data Protection, attributes the overall complaints increase in particular to the greater public consciousness that now exists around data protection rights and issues: “The rise in the number of complaints and queries demonstrates a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data”.
At the same time, though, the DPC report expresses positivity with regards to how most of the organisations they engage with “accept [their] guidance around mitigating losses for affected individuals, communicating any high risks to them and learning lessons from the breach to avoid a repeat”.
In the end, the DPC recognises the challenges that GDPR raises for data controlling and processing organisations, and that adapting to it “will be a process of dialogue that lasts many years and the dialogue will need to shift and change with technology, context, learning from evidence (including emerging case law) and evolving societal norms.”