The Data Protection Commission ("DPC") published its 2023 Annual Report on 29 May 2024. The report provides insight into the evolving landscape of data protection and privacy, including the DPC's activities, highlighting significant trends, key enforcement actions and emerging challenges.
Key Enforcement Takeaways:
- By the end of 2023, the DPC imposed fines totalling €1.55 billion.
- The DPC had 89 statutory inquiries on-hand during the year, including 51 cross-border inquiries.
- The DPC received 11,200 new cases from individuals in 2023, representing a 20% increase on 2022. The DPC concluded 11,147 cases in 2023.
- In 2023, the DPC received 6,991 valid GDPR data breaches. This represented a 20% increase (1,077) on the GDPR breach numbers reported in 2022.
- The DPC received 156 valid cross-border complaints (as EU/EEA Lead Supervisory Authority). 82.5% of cross-border complaints received since 2018 in which the DPC is Lead Supervisory Authority have been concluded.
- Several administrative decisions were confirmed by the Circuit Court
Large-scale Cross Border Inquiries
Two major decisions stood out in 2023. In May, the DPC adopted its Final Decision on the lawfulness of transfers of personal data of Meta from the EU/EEA to the USA. The decision imposed a fine of €1.2 billion and ordered Meta to suspend any transfer of personal data to the USA until such time measures become available to make the data transfers compliant. It also ordered Meta to cease the unlawful processing, including storage in the USA, of personal data of EU/EEA users transferred in violation of the GDPR. The Final Decision is understood to be under appeal.
The TikTok Decision was handed down by the DPC in September 2023 after an inquiry examining the processing of personal data relating to children by the platform. The inquiry concentrated on public-by-default settings, settings associated with the 'Family Pairing' feature, transparency information provided to child users, and age verification. The Decision ordered TikTok to bring its processing into compliance and imposed fines totalling €345 million. The Final Decision is also understood to be under appeal.
CCTV
2023 also saw an increase in queries on the use of CCTV in areas where there is a higher expectation of privacy. As a result, the DPC published a detailed update of its CCTV guidance and wrote to a number of sectoral representative bodies to ask them to circulate the guidance to their members. Organisations who collect CCTV footage must have a clear justification and lawful basis to do so. Subsequent sharing of that information/ imagery similarly requires a clear lawful basis.
Legislative Consultation
The DPC's Annual Report also details its work in other key areas. The report confirms that the DPC provided input and observations on over 37 pieces of legislation, including the Codes of Practice introduced under the Circular Economy and Miscellaneous Provisions Act 2022 which will provide a legal basis for local authorities to use CCTV and body worn cameras for the prevention, investigation, detection and prosecution of waste management offences. All of the DPC's recommendations were taken on board by the code authors.
The DPC also engaged in consultation on legislative measures including the Digital Services Bill 2023, the Health Information Bill 2023 and the Planning and Development Bill 2023.
Children's Data Protection Rights
The DPC Annual Report also addresses the 2022-2027 Regulatory
Strategy, which sets out a commitment to prioritise children's
data rights and the rights of vulnerable persons. The DPC has
continued to provide guidance and support to various organisations
including concerns arising in the context of schools. On foot of
this engagement, the DPC commenced drafting a new 'Data
Protection Toolkit for Schools' resource, which includes a
detailed guidance document, a sample Data Protection Impact
Assessment (DPIA) template, a checklist for responding to subject
access requests, and tips on what to include in a privacy policy,
all of which are tailored to the needs of schools. In early 2023,
the DPC also produced four short guides for parents on
children's data protection rights under the GDPR.
Conclusion
While 2024 saw the departure of longstanding Data Protection Commissioner Helen Dixon, the 2023 Annual Report deals with many of the same issues as in previous reports, albeit noting increased enforcement metrics in particular. The current Chairperson of the DPC Des Hogan noted that the remaining Commissioners take over an organisation which values vindicating the rights of the individual through fair and proportionate regulation. Whether that means a further increase in enforcement numbers during 2024 remains to be seen.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.