Data breach notifications to Irish Data Protection Commission up 70% in first year of GDPR

March 4, 2019

The Irish Commissioner for Data Protection has launched the first annual report of the new Data Protection Commission (DPC) covering the period 25 May to 31 December 2018.  The report contains information about the work of the Irish data protection authority following the introduction of the General Data Protection Regulation. The key points of the report are:

  • 2,864 complaints were received following the introduction of the GDPR. In total, 4,113 complaints were received in the 2018 calendar year representing a 56% increase on the total number of complaints (2,642) received in 2017.
  • 3,542 valid data security breaches were notified. In total, 4,740 valid data security breaches were notified in the 2018 calendar year representing a 70% increase on the total number of valid data security breaches (2,795) recorded in 2017.
  • 136 cross-border processing complaints were received by the DPC through the new One-Stop-Shop mechanism that were lodged by individuals with other EU data protection authorities.
  • Almost 31,000 contacts were received through the DPC’s Information and Assessment Unit.
  • 31 own-volition inquiries were opened under the Irish Data Protection Act 2018 into the surveillance of citizens by the state sector for law-enforcement purposes through the use of technologies such as CCTV, body-worn cameras, automatic number-plate recognition enabled systems, drones and other technologies.
  • Work continued in relation to the special investigation into the Public Services Card (PSC). The DPC has significant resources assigned to investigations of large-scale data processing by the state in terms of the DPC’s examination of the Public Services Card (PSC); its registration system and the mandatory requirement to produce the PSC to the exclusion of any other form of identity for certain non-social welfare-state services; the surveillance of public spaces by state agencies; and the security of data-processing by Tusla, the Child and Family Agency.
  • 15 statutory inquiries (investigations) were opened in relation to the compliance of certain technology companies such as Facebook, Apple, Twitter, LinkedIn, WhatsApp and Instagram with the GDPR. 
  • 32 new complaints were investigated under the E-Privacy Regulations SI 336/2011: 18 related to email marketing; 11 related to SMS (text message) marketing; and three related to telephone marketing. A number of these investigations concluded with successful District Court prosecutions by the DPC. Prosecutions were concluded during this period against five entities with regards to 30 offences under the E-Privacy Regulations.
  • The first stream of a public consultation on the processing of children’s personal data and the rights of children as data subjects under the GDPR was launched on 19 December 2018 and ends on 5 April 2019.  A guidance note will be produced. The consultation asks when and in what contexts children may exercise their own rights independently of their parents or guardians; for views on the age at which children should be able to sign up to free apps in their own right; how age should be verified by service providers; and how parental or guardian approval should be sought and verified if required. 
  • In late 2018, the DPC commenced a significant project to develop a new five-year DPC regulatory strategy. This will include extensive external consultation during 2019, which will be central to the analysis, deliberation and conclusions on the DPC’s enduring strategy.
  • 900 Data Protection Officer notifications were received by the DPC.
  • Staffing numbers increased from 85 at the end of 2017 to 110 at the end of 2018.