Nuggets from DPC Annual Report 2022

Every year I take a look over the Annual Report of the Irish Data Protection Commission to see what nuggets might be gleaned from it. I've been doing this since the early 2000s. Back then I'd get my team in the phone company to run through it with me. It was part training exercise for them and part strategic intel gathering for our regulatory assurance function. Today, I do the same with my team in Castlebridge. We review the report and collate our assessment.

What does the Annual Report tell us?

The DPC's Annual Report can tell the reader a lot. There are three key things that we hope to glean from it as we dig through the text:

  1. Information on the common causes of data protection issues that have wound up being case studies in the Annual Report. These vignettes can illustrate a lot about what things go wrong and, equally importantly, what things can go right and what factors can sway a decision one way or another.
  2. Information on what areas the DPC thinks are a concern, either sectorally or in the context of specific areas of regulation and enforcement. This helps identify what their priority areas of focus are going to be.
  3. Information on what the DPC's enforcement posture is going to be for the coming year.

So what does the report tell us this year?

My colleagues and I will be commenting in more detail on specific aspects of what we gleaned from the annual report in blog posts on the Castlebridge site over the coming days. In this post I'd like to highlight some of the big ticket items that jumped out at me.

  • The wind has shifted on enforcement posture

Reading the Annual Report in parallel with the recently published Regulatory Strategy for the Commission, it is clear that there is a hardening of enforcement posture emerging. There are many who would say that this is about time, and yet others who will exclaim that the proof of the pudding is in the eating. As others will eat your attention and electrons making those arguments, I will instead focus on what this is likely to mean in practice.

The DPC's Annual Report focussed on the question of Amicable Resolution in a number of areas and in a number of the example case studies. Amicable Resolution is a process under Section 109(2) of the Data Protection Act 2018 under which the DPC, if they determine there is a reasonable likelihood of the parties reaching a resolution in a reasonable time, may take such steps as they feel are necessary to facilitate such a resolution.

There is discretion here for the DPC on three fronts. There must be a reasonable likelihood, it must be likely in a reasonable time, and there is no obligation on the DPC to actually facilitate an amicable resolution.

What I read into the multiple references to the reasonable likelihood/reasonable time test for amicable resolution, and the dangling of the case studies of the types of things that result in an amicable resolution is two things:

  1. Amicable resolution is often an appropriate solution. These issues do not result in a decision, but they do come in as a complaint. Therefore, things can get solved without a formal investigation or decision. A number of the case studies read to me like scenarios where Controllers were chancing their arm on something and when the email landed from the DPC to ask "What the f*ck is going on?" the Controller acted to resolve the issue or an explanation for the issue was identified.
  2. DPC is losing patience with controllers who string the process out. The key question here is what is a "reasonable time". In the Castlebridge submission to the Oireachtas Justice Committee in March of last year we actually highlighted one possible benchmark the DPC could apply to this test. Section 108(2) requires an update to be given to a Data Subject within 3 months of their complaint being filed. Arguably, if an issue is so complex or fraught that it cannot be resolved amicably within 3 months, then there is no reasonable likelihood that an amicable solution can be found. If one does arise, the DPC always has the discretion under 109(2) to accept that as the outcome.

  • Action on low hanging fruit is frustrated by gaps in legislation

Cookies enforcement (which, as the DPC's updated guidance on Cookies makes clear, includes any form of tracking technology, including Google Fonts) is hampered by a significant gap in the legislation. It's nice to see the DPC actually calling this lacuna in the law out. Paragraph 5(3) of SI336/2011 doesn't actually create any specific offence that can be enforced if people choose to ignore it. A simple tweak to SI336 (which is in the gift of the Minister for Communications at the stroke of a pen) would at least allow a few barrels full of fish to be shot at with simple desk audits and evidence gathering using screen recordings. But for now... a long circuitous route will need to be walked to actually get meaningful enforcement here.

The other gap they call out is the challenge of enforcing in a cross border context if the Controller (aka "CookieMonger") is in another member state. For that we need the ePrivacy Regulation to arrive to align ePrivacy and GDPR enforcement regimes. There's a reason they should never have been decoupled back in 2011/2012 and should have landed as a single package!

  • Training and skills development for Data Protection needs to be ongoing

We commented on this previously on the Castlebridge site after the DPC decision in respect of MOVE Ireland, but the DPC's annual report calls out again the importance of human factors and training in ensuring data protection compliance capability in organisations.

They highlight the common causes of problems in SAR cases as being down to awareness of what's involved in handling a SAR, lack of attention to detail, or simply failure to engage. This highlights the need for organisations to ensure their staff are properly trained.

Castlebridge has a range of data protection training offerings on our training portal www.dataeducation.ie. This includes self-paced e-learning on data protection fundamentals and Registers of Processing Activities, a 'deep dive' self-paced course for staff who need more in-depth knowledge, as well as live instructor-led training on topics like Subject Access Request handling, developing ROPAs, and conducting DPIAs.

  • One Man Can Make a Difference

No. I'm not talking about that man. I'm actually talking about Nowak, of the infamous exam scripts case at the CJEU. I have learned from the DPC's Annual Report that Mr Nowak accounts for almost 50% of the judgements and final orders issued in court cases involving the DPC in 2021.

And he has appealed to the High Court in all of them.



Marc Nolte

Data Management Apologist, Modeling Data Architect, Solution Designer, Educator, Community Builder

3 years

I'm keen to read your review Daragh.

Orla Cafferty

CEO @ Datascan Redaction Services | Datascan Document Services

3 years

Very interesting commentary Daragh O Brien, look forward to further instalments.
