Irish Data Protection Commission Issues First Fine Against State Agency
Ireland's data protection commission confirmed last week it planned to fine a state agency €75,000 for violating the General Data Protection Regulation, or GDPR.
While there haven’t been nearly as many as privacy experts predicted, the slow trickle of General Data Protection Regulation (GDPR) fines continues, pandemic or no pandemic.
One of the latest, handed down last week by Ireland’s Data Protection Commission (DPC), levied a €75,000 fine against Tusla, Ireland's Child and Family Agency, in connection with three data breaches that the agency claims violated the GDPR.
The state-run agency is in charge of matters in the country relating to children and youth affairs; it heads up child protection reform and family support services, and oversees the country’s National Educational Welfare Board (NEWB).
According to reports, the agency disclosed the contact and location data of a mother and child victim to an alleged abuser. In the other cases, data on children in foster care was disclosed to blood relatives.
While the breaches in question aren’t new – they happened last year and were disclosed in a Data Protection Commission report on GDPR breaches in February – the €75,000 fine is.
A deputy commissioner at the DPC, Graham Doyle, told publications in the UK last week that the regulator had filed papers with the court to confirm the fine.
Tusla said it wasn’t planning to contest the fine.
“Tusla is acutely aware of its responsibilities in relation to the very sensitive data we work with on a daily basis,” the agency said. “We continue to work proactively with the office of the Data Protection Commissioner to continuously improve our systems and practices to reflect data protection legislation, and the data protection rights of the children and families we work with. The main focus of our work with the DPC is in setting out improvement plans and more importantly implementing those. These reforms do take time in a complex and challenging environment.”
The fine, while notable as it's the first to be carried out against a state organization, is still just a fraction of what the DPC could have fined Tusla. The law allows for regulatory fines of €1 million for breaching individuals' data protection rights, but Tusla was only fined 7.5% of that figure.
Still though, this likely won't be the last fine the DPC imposes on Tusla; it's also looking into two other breaches it outlined in its 2019 annual report, issued in February. In that report the DPC found as many as 75 breaches at Tusla between 2018 and 2019.
As we near the two-year anniversary of GDPR, privacy advocates have been up in arms over the lack of enforcement around the regulation.
While there have been minor fines, like the Tusla fine, larger fines stemming from breaches, like those previously issued to British Airways and Marriott by the ICO, appear to be lagging behind. COVID-19 could complicate the regulatory process as well. The ICO said last month that despite being announced, fines against both companies are being deferred until further investigations are completed.
As the New York Times pointed out last month, it’s likely more traction will come around GDPR fines in the coming months as cases against larger tech companies, like Twitter and Facebook's WhatsApp, get off the ground.