Irish Data Protection Developments - 2020 in Review and a Look Ahead to 2021
27 Jan 2021
To mark Data Protection Day this briefing looks at data protection developments in Ireland in 2020 and considers what will drive the 2021 agenda. COVID-19, international data transfers, Brexit, security breaches and the first GDPR fines imposed by the Data Protection Commission ("DPC") were some of the main issues. Those issues will continue to occupy businesses in 2021 coupled with a focus on the operation of the pan-European enforcement Regulation (EU) 2016/679 General Data Protection Regulation ("GDPR"), the processing of children's personal data, the National Artificial Intelligence ("AI") Strategy and the ePrivacy Regulation.
COVID-19 presented immediate data challenges for businesses. Employers were forced to determine what health and travel related data they could ask employees and visitors to provide, and if they could implement mandatory temperature testing without breaching their GDPR obligations. Data security and the processing of employee data to monitor productivity came to the fore. Businesses which had incidences of COVID-19 were faced with difficult decisions about who had a right to know when a colleague received a COVID-19 diagnosis. As cases increased in the community, businesses began to examine the legality of PCR tests. We discuss the data protection issues facing employers in the third phase of COVID-19 in our COVID-19, Data Protection and the Workplace briefing1.
Cookies – Consent is Required
International Data Transfers
The "Schrems II" decision of the Court of Justice of the European Union3 ("CJEU") was the most significant development impacting international data transfers.
- Invalidated the "US Privacy Shield" which had facilitated the legitimate transfer of personal data from the European Economic Area ("EEA") to the US;
- Introduced the concept of "Transfer Impact Assessments" for controllers relying on standard contractual clauses ("SCCs") to transfer personal data outside of the EEA; and
- Reinforced the core principle that essentially equivalent GDPR protection must travel with personal data when it goes outside the EEA.
The DPC served a draft prohibition order on Facebook in relation to data transfers to the US after this decision, and judicial review proceedings by both Facebook and Max Schrems followed. We consider its implications in our previous update International Data Transfers – Brexit & Schrems II: Impact for Funds briefing4.
First GDPR Fine
Tusla Child and Family Agency ("Tusla") became the first entity to be fined by the DPC under GDPR. It was fined €75,000 for three breaches. In each case Tusla unintentionally disclosed the addresses of children in care to third parties. The decision was confirmed by the Circuit Court in November 2020.
The DPC and Big Tech
The DPC is the lead European regulator for many big tech companies and its statutory inquiries into big tech continued. It started the year with 21 big tech statutory inquiries ongoing and announced a further four into Google, Tinder and Facebook in 2020.
Facebook's planned launch of a dating feature just in time for Valentine's Day was postponed due to a lack of timely consultation with the DPC. The DPC expedited its information gathering process via an onsite inspection at Facebook Ireland's offices in Dublin. It is unclear how much notice Facebook received of this onsite inspection but all controllers and processors should be aware of the DPC's authorised officers' right to conduct unannounced visits (or dawn raids) without the need for any judicial or other approval.
The DPC also issued its first decision and fine arising from its big tech statutory inquiries. It fined Twitter €450,000 for failing to report a personal data breach on time and failing to adequately document it. This was the first big tech decision in which all EU data protection authorities were consulted as part of the GDPR's consistency mechanism. There were stark differences of opinion on the appropriate fine5.
For example, the DPC proposed a fine of between €135,000 and €275,000 or between 0.005% and 0.01% of Twitter's annual turnover. In contrast, the German data protection authority argued it was "too low" and "not dissuasive" to deter further infringements, proposing a fine of between €7.3 million and €22 million.
Reliance on technology to rapidly react to the impact of COVID-19 increased opportunities for cybercrime. The general public felt the impact of phishing and smishing (the SMS equivalent of phishing) as fraudsters targeted bank customers. Businesses faced invoice redirection, CEO impersonation and ransomware attacks. An Garda Síochána announced significant investment in the National Cybercrime Bureau with a new state of the art decryption suite and the recruitment of approximately 60 new officers.
With effect from 1 January 2021 the UK became a "third country" to EU Member States for data protection purposes. The EU/UK Transfer and Cooperation Agreement includes a six month grace period for EU to UK data transfers. This temporary reprieve is intended to give the European Commission ("Commission") time to perform its adequacy assessment on the UK's data protection laws. We covered the data protection issues arising in more detail in our previous update, Post-Brexit Personal Data briefing6.
A Look Ahead to 2021
We can be certain that 2021's data protection agenda will be busy. Here, we consider the issues that will dominate the Irish 2021 data protection agenda.
- The Commission will adopt new SCCs taking into account the Schrems II decision. Transfer impact assessments will be required to demonstrate GDPR compliance for almost all international data transfer decisions.
- The EU will, most likely, issue a conditional adequacy decision for data transfers to the UK. The US and the EU will reach political agreement on an enhanced "Privacy Shield".
- The Commission will adopt SCCs on the Article 28 mandatory controller to processor provisions.
- The Council of the EU released a new, draft version of the ePrivacy Regulation on
5 January 2021. This is the 14th version of the draft e-Privacy Regulation first introduced by the Commission in 2017. The draft regulation will progress under the Portuguese Presidency but is unlikely to be finalised in 2021.
- The CJEU will issue its decision in Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v the Belgian Data Protection Authority (C-645/19).
It will, most likely, follow the opinion of Advocate General Bobek in upholding the competence of the lead supervisory authority over pan European data processing.
- The DPC's use of its corrective powers will not focus solely on fines. It will use its other corrective powers including enforcement and prohibition notices. Further draft decisions in its big tech statutory inquiries to the GDPR's consistency mechanism will be submitted by the DPC and a number of its big tech investigations will be finalised. The DPC will also start enforcement action for cookies' compliance failures.
- The number of data protection claims before the courts will increase including representative actions.
- The processing of children's data will be a focus for the DPC particularly in the regulation of social media platforms. TikTok is the most recent multinational social network to identity the DPC as its lead European data protection regulator. On 22 January 2021, the Italian data protection authority invoked emergency procedures to order TikTok to immediately stop collecting and using data of users whose ages it doesn't know "with certainty" following the death of a 10 year old Italian girl carrying out a challenge on TikTok.
The DPC's consultation on the draft Fundamentals for a Child-Orientated Approach to Data Processing is open for submissions until 31 March 20217.
- Ireland's approach to data privacy and artificial intelligence will come to the fore as the Department of Enterprise, Trade and Employment seeks to progress the National AI Strategy.
For further information or assistance in undertaking any of the actions advised above, please contact the below contact or your usual Maples Group contact.
 C-311/18, 16 July 2020 http://curia.europa.eu/juris/documents.jsf?num=C-311/18
 The decision of the European Data Protection Board details the differences of opinion between the EU data protection authorities on the appropriate fine to impose https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/decision-012020-dispute-arisen-draft_en
T: +353 1 619 2113