Irish Data Protection Commission Warns of Coming GDPR Penalties

Irish Data Protection Commissioner Helen Dixon

In Ireland, following the publication of the Data Protection  2019 Annual Report, the Irish Data Protection Commissioner has indicated that a litany of large General Data Protection Regulation (GDPR) fine may be on the way in the near future.

Speaking on the publication of the report the Commissioner Helen Dixon made reference to evolution of data protection in Ireland over the last 12 months. She commented: “2019 has been the first full calendar year of the GDPR. There have been many positive changes, including organisations across Ireland appointing Data Protection Officers who can assist the public in exercising their data protection rights and also an increased awareness on the part of individuals and organisations alike as to the importance of protecting personal data.

“At the Data Protection Commission, we have been busy during 2019 issuing guidance to organisations, resolving individuals’ complaints, progressing larger-scale investigations, reviewing data breaches, exercising our corrective powers, cooperating with our EU and global counterparts and engaging in litigation to ensure a definitive approach to the application of the law in certain areas.”

Compared to other European Union data protections agencies the DPC has a track record of allowing companies under investigation to show cooperation in relation to investigated any potential breach.

Looking forward, Ms Dixon commented: “Much more remains to be done in terms of both guiding on proportionate and correct application of this principles-based law and enforcing the law as appropriate. But a good start is half the battle and the DPC is pleased at the foundations that have been laid in 2019. We are already expanding our team of 140 to meet the demands of 2020 and beyond.”

Separately, in an interview with The Irish Independent Ms Dixon made reference to the possible financial penalties that may arise out of current investigations that the DPC is conducting, referring to the $5bn fine issued by the Federal Train Commission (FTC) against Facebook in the US as an important ‘gauge’ to measure fines applied here against. She said: “A very relevant factor in terms of what quantum will create deterrence is the level of fines already existing globally in the area. So if you ask whether the FTC [Federal Trade Commission] fine is relevant, it is. Under the GDPR, deterrence is a particularly important reason why the fines are included. They could have stopped at the corrective measures. But the fines are there to be punitive and give rise to deterrence. And deterrence is based on what’s already in the [fine] landscape.” You can read the full interview here.

The report, which was published this morning included many revelations in relation to data protection in Ireland. Some of the highlights of the report are:

  • 7,215 complaints were submitted in 2019 accounting for a 75% increase on the overall number of complaints (4,113) received in 2018.
  • 5,496 complaints in total were brought to a close during 2019.
  • 6,069 valid data security breaches were notified representing a 71% increase on the total number of valid data security breaches (3,542) recorded in 2018.
  • Almost 48,500 contacts were submitted via the DPC’s Information and Assessment Unit, including 22,200 telephone calls and 22,300 emails.
  • The DPC carried out a thorough consultation on the processing of children’s personal data, yielding 80 responses. The feedback from the consultation will be used to establish guidance on the processing of children’s personal data, which is a DPC aim for 2020.
  • Six statutory inquiries were initiated in relation to multinational technology companies’ compliance with the GDPR, bringing theoverall number of cross-border inquiries to 21.

You can access the full report here.