On May 20, 2013, the Irish Office of the Data Protection Commissioner (“ODPC”) published its annual report for 2012 (the “Report”). The Report summarizes the activities of the ODPC during 2012, including its investigations and audits, policy matters, and European and international activities.
Key themes of the Report include:
- data sharing in the public sector;
- additional staffing and resources of the ODPC;
- complaints from individuals, in particular in relation to data subject access rights and direct marketing;
- increased data security breach notifications; and
- audit outcomes.
Data Sharing in the Public Sector
The ODPC accepts that data sharing can increase efficiency in the delivery of public services, but has long raised concerns regarding data sharing in the public sector. The Report details the ODPC’s extensive investigation of data sharing through the Department of Social Protection’s INFOSYS system, uncovering “a disturbing failure of governance in some of the public bodies investigated.” The Report emphasizes (1) the importance of proportionality, (2) that permitted data sharing must have a clear basis in law, a clear justification, strict access and security controls, and secure data disposal procedures, and (3) that only the minimum data necessary to achieve the stated public service objective may be shared.
Irish Data Protection Commissioner Billy Hawkes noted in the ODPC’s previous annual report the increased strain on the ODPC’s limited resources, a strain that will likely grow under the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). Under the Proposed Regulation, organizations with multiple European establishments will benefit from a lead supervisory authority where they have a “main establishment,” and organizations with only one European establishment will be regulated by a sole supervisory authority. Dublin has in recent years attracted a number of large multinational tech firms, including Facebook and Twitter, and there is speculation that further organizations will set up their sole or main establishments in Ireland ahead of implementation of the Proposed Regulation. Consequently, the ODPC foresees increased regulatory oversight of multinational companies.
In response to Billy Hawkes’ request for additional resources, the Irish Government has announced a 20 percent increase in the ODPC’s budget and additional staff, including a Chief Technology Advisor, a specialist legal advisor and additional administrative staff.
The ODPC received 1,349 complaints that were opened for investigation during 2012, marking a new record and an increase of 16 percent compared with the previous year’s 1,161 complaints. 606 of the 1,349 complaints related to unsolicited direct marketing via SMS text messages, phone calls, fax messages and emails, and 442 complaints related to data subject access rights. The vast majority of complaints were resolved without the need for a formal decision, and only a total of 36 formal decisions were taken. The majority of enforcement notices related to data subject access rights.
Security Breach Notifications
During 2012, the ODPC received 1,666 personal data security breach notifications, up from 1,167 received the previous year. Since July 2011, telecommunication companies and Internet service providers (“ISPs”) have been required to notify data security breaches under S.I. 366 of 2011 (implementing the European E-Privacy Directive). In September 2012, two telecommunication companies were prosecuted for failure to notify.
The Report provides a breakdown of types of breaches and shows that the most common cause of a breach is postal mailing breaches (e.g., mailing information to the incorrect recipient). Theft of IT equipment and website security account for the two least common causes of personal data security breach notifications.
Under the Irish Data Protection Acts 1988 and 2012, the Commissioner is empowered to conduct privacy audits and inspections to ensure compliance with the Acts and to identify possible breaches. During 2012, the ODPC conducted 40 audits, representing an increase of 21 percent from the previous year. Audited organizations included Facebook Ireland, county and city councils, and a number of Irish banks. The ODPC’s follow-up audit of Facebook Ireland, completed in September 2012, found that the great majority of recommendations had been fully implemented, although full implementation of the ODPC’s recommendations had not been achieved in relation to new user education, deletion of social plug-in impression data for EU users, account deletion, and minimizing ad targeting based on sensitive personal data.