One Year In, GDPR Keeping Irish Data Protection Commission Busy
Ireland's Data Protection Commission has fielded nearly 6,000 reports of security breaches since GDPR went into effect.
In the year since the General Data Protection Regulation went into effect, Ireland's national supervisory authority has kept busy, registering almost twice as many valid data security breach notifications as other EU countries.
Ireland has long been viewed as one of the more respectful countries when it comes to its citizens’ data, and it proved it, at least by the numbers, last week. The country's Data Protection Commissioner (DPC) said that over the last year it has had its hands full, receiving 5,818 reports of valid data security breaches and 6,624 complaints.
Set against the numbers from the EU overall, Ireland's figures mark a steep increase. According to statistics parsed by the European Data Protection Board and released by the European Commission last week, each member's data protection authority received 3,188 data breach notifications on average over the last year, a number that translates to 89,271 data breach notifications overall.
The GDPR, legislation around data protection, privacy policies and processes, celebrated its one-year anniversary on Saturday.
Ireland's Commissioner for Data Protection lauded the regulation last week in advance of its anniversary.
“The GDPR is a strong new platform from which we can all demand and drive higher standards of protection of our personal information. As the national supervisory authority, the Data Protection Commission (DPC) is firmly committed to its role in public enforcement of the new law, while also working hard to provide guidance to sectors as they seek to comply with the new requirements.”
The statistics came a few days before the independent national authority confirmed that Helen Dixon, the country's Data Protection Commissioner, was slated to be reappointed for a second term. Dixon stressed that it's important for her office to continue beating the drum when it comes to ensuring organizations comply with the regulation.
“At this early but critical juncture of GDPR implementation and enforcement, continuity is important to drive clarity for organisations around the standards they must meet in order to effectively safeguard the data protection rights of service users, consumers and citizens. It is a privilege to serve in this role and to work with the dedicated staff of the Data Protection Commission,” Dixon said in a statement on Tuesday.
While the numbers are impressive, it’s worth pointing out there’s a difference between breaches and complaints and actual cases.
According to two members of the European Commission, Andrus Ansip, Vice-President for the Digital Single Market, and Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, there have been 400 cross-border cases around Europe since the implementation of GDPR. That means that roughly 6 percent of complaints ultimately prompt the launch of a case.
Although it's being contested, the largest fine under the GDPR so far, imposed on Google, is €50,000,000 for the company's lack of consent on advertisements. In that case, France's data protection authority, CNIL, said in February that Google didn't have a valid legal basis to process the personal data of its users for ad personalization.
"The company GOOGLE states that it obtains the user’s consent to process data for ads personalization purposes. However, the restricted committee considers that the consent is not validly obtained for two reasons. First, the restricted committee observes that the users’ consent is not sufficiently informed... Then, the restricted committee observes that the collected consent is neither 'specific' nor 'unambiguous,'" CNIL said at the time.
Regulators under the GDPR can fine companies up to 4 percent of their global revenue or 20 million euros, whichever is higher, for violations.
Ireland's DPC is already investigating Twitter, LinkedIn, and Facebook, along with its Instagram and WhatsApp properties, over how the companies process personal data.
We learned last week that the DPC is also looking into Google around how it handles personal data for advertising.
“A statutory inquiry pursuant to section 110 of the Data Protection Act 2018 has been commenced in respect of Google Ireland Limited’s processing of personal data in the context of its online Ad Exchange,” the Irish DPC said in a statement last week.