04 May 2021 | 09.23 am
Cookies Enforcement High On DPC’s Agenda
Insight from Philip Nolan in law firm Mason Hayes & Curran LLP
04 May 2021 | 09.23 am
Philip Nolan of Mason Hayes & Curran LLP highlights some key takeaways from the annual report 2020 of the Data Protection Commission
In 2020, the Data Protection Commission (DPC) received 4,660 complaints from individuals under the GDPR and 60% of these were resolved within the year. The top five categories of complaints received related to access request, fair processing, disclosure, direct marketing, and right to erasure.
A deeper dive into the commentary and case studies reveals some interesting insights behind the statistics. In relation to access requests, the annual report explains the parameters of the right granted by Article 15 GDPR and the relevant exemptions which restrict the right of access.
Where a controller has invoked an exemption to justify its refusal to provide personal data in response to an access request, the DPC will closely examine the validity of the exemption. For example, where legal privilege is asserted as the reason why certain records are not being provided to a data subject, this will not be simply accepted by the DPC. Rather, the DPC will assess the privilege status of the records by requiring ‘considerable information’ from the controller, including a narrative of each document. If litigation privilege is invoked, the DPC will seek to understand if and when litigation was reasonably contemplated.
More generally, the report emphasises the benefits of complaints being resolved early between the controller and data subject, so as to avoid resource-intensive mediation by the DPC. There is also a clear preference for processing complaints handled by the DPC via the amicable resolution process.
Two case studies provide insight into the lengthy delay that can arise in the cross-border context when a complainant refused to accept the proposed amicable solution. This meant the complaints had to proceed through the ‘particularly involved, complex and time-consuming’ Article 60 process.
The Article 60 process is arduous for individual complainants, since it involves engaging with privacy regulators in other EU Member States and taking the views of other supervisory authorities into account.
One cross-border complaint was made by a UK data subject on foot of a delay by Ryanair to appropriately process their access request, which resulted in responsive records being deleted. The call recording at issue had been deleted after 90 days in accordance with Ryanair’s retention and deletion practices. Since the data subject was unwilling to accept Ryanair’s proposal, the complaint continued through the Article 60 process with the result that it was not resolved until six months later.
Inquiries and Decisions
The DPC continued to pursue a number of large scale statutory inquiries during 2020. Highlights included the fine against Twitter for €450,000, which is described as the first ‘big tech’ decision on which all EU supervisory authorities were consulted. The DPC also had a number of domestic inquiries, including against TUSLA, which resulted in the first fines levied under GDPR by the DPC.
During November and December 2020, the DPC wrote to 20 organisations about cookies non-compliance issues on their websites, warning of the DPC’s intention to issue an Enforcement Notice if these issues were not addressed within 14 days.
While these letters were effective in bringing many of the recipient organisations into compliance, seven organisations did not take any action and were served with Enforcement Notices. It is clear from the commentary in the annual report that cookie-related investigations and enforcement will continue to be a key element of the DPC’s activities in 2021.
In summary, 2020 was a busy year for the DPC with many firsts, including its first administrative fine under the GDPR and its first major cross border enforcement decision. With increased funding and an expanding workforce, we expect a significant number of decisions and enforcement actions in 2021.