CKT

Key Data Protection Trends in 2023: Insights from the DPC Annual Report

The Data Protection Commission (“DPC”) published its Annual Report for 2023 on 29 May 2024, detailing significant developments and trends in data protection over the past year. In this article, Yvonne Joyce, Partner, provides a summary overview of the key highlights from the report and examines the approach taken by the DPC on some interesting cases.

Increase in Cases, Queries and Breach Notifications

  • The DPC received 11,200 new cases in 2023 (a 20% increase on 2022). Of these, 2,600 cases progressed to the complaint handling process.
  • The most frequent GDPR topics for queries and complaints continue to be access requests (39%), right of erasure (14%), fair processing (13%), direct marketing (12%) and disclosure (5%).
  • Valid data breach notifications were up 20% on 2022 figures, with 6,991 valid breach notifications received. The most frequent cause of breaches reported was correspondence inadvertently being misdirected to the wrong recipients (52% of the overall total).
  • In 2023, the DPC received 25,130 electronic contacts, 7,085 phone calls and 1,253 postal contacts.

Statutory Inquiries and Major Fines

  • As of 31 December 2023, the DPC had 89 statutory inquiries on-hand, including 51 cross-border inquiries.
  • The DPC issued finalised decisions resulting in administrative fines totalling €1.55 billion, including a fine of €5.5 million against Meta for an infringement by WhatsApp of Article 5(1)(a) GDPR, a fine of €1.2 billion against Meta for infringing Article 46(1) GDPR by transferring personal data from the EU/EEA to the US without a lawful basis, and a fine of €345 million against TikTok relating to the processing of personal data relating to children. All three of these Final Decisions are under appeal.

Case Studies

The Annual Report sets out some interesting case studies which show the approach taken by the DPC in dealing with complaints and data breaches. These included:

  1. Organisation publishing alleged personal data

    The DPC received a query from an individual relating to what appeared to be the unintentional inclusion of their property in an advert published by a property website. The property website had published an image of a property for sale as well as a number of other neighbouring properties.

The DPC helpdesk advised the individual that an image of a property alone may not constitute personal data, but an image containing the property address as well as a house number may entitle them to request erasure of the data. The individual followed the advice of the DPC to contact the property website, and the owner of the property website promptly complied with their request to remove the image. This case study highlights that while the definition of what constitutes personal data is broad, it may not include images of a property or a home when not accompanied by any other identifying information.

  2. Complaint of excessive personal data requested by a letting agent

    An individual lodged a complaint with the DPC after they viewed a rental property. They were unsuccessful in their application and therefore made an erasure request under Article 17 of the GDPR, which was complied with. However, they were still concerned about the amount of information which the letting agent had sought to begin with. Upon contacting the DPC, the organisation confirmed it had requested copies of identification, proof of current address, employment and previous landlord references, two months' bank statements and a PPS number. They advised that this was required to ensure the identity of the applicant and that the applicant could afford the property. The DPC determined that the volume of personal data requested from the individual was excessive for the initial stage of the application.

  3. Non-compliance with an Erasure Request, related to medical data

An individual contacted the DPC following the refusal of their erasure request by a healthcare provider. According to the individual, they had requested the erasure of all historic healthcare records relating to them held by the healthcare provider, as the individual was of the opinion that the records were incorrect, as they related to an alleged misdiagnosis.

As part of their engagement with the healthcare provider, the individual provided evidence of a contradictory diagnosis from another healthcare provider, which the individual stated was evidence that proved the original diagnosis was incorrect. Having reviewed the documentation provided, the healthcare provider noted that a medical diagnosis is a medical opinion that is given at a point in time. Therefore, any medical opinion given at a different point in time cannot be accepted as evidence that the historic medical opinion was incorrect. The medical provider further advised that while a medical condition may change over time, it does not eradicate the fact that an individual was, at one point, treated for a particular illness or provided with a certain diagnosis.

The DPC noted that, for the purpose of GDPR, personal data is inaccurate if it is incorrect as a matter of fact. However, based on the information available to the DPC, the personal data held on file by the healthcare provider, namely the original diagnosis, was not inaccurate, as it was the original diagnosis at that point in time.

Following engagement by the DPC, the healthcare provider added a supplemental statement to the individual’s medical record, to include the documentation provided by the individual, which would inform any future readers of the individual’s medical file of the individual’s opinion and the contradictory diagnosis in relation to the medical diagnosis. The DPC noted that this case study highlights the fact that historic medical data cannot be erased as it relates to an opinion given at a point in time, and any future opinions cannot overwrite a historic opinion provided by a professional in their professional capacity.

  4. Fair processing complaint relating to CCTV in the workplace

    An individual raised a concern with their employer regarding the use of cameras in the workplace. They stated they were not informed that cameras were being installed and had concerns that the devices were capable of recording both audio and video. The organisation, which was in the beauty industry, advised the individual that cameras were installed for the safety of staff and that no audio was recorded. The individual then submitted a complaint to the DPC.

    The organisation argued that the decision to install CCTV cameras was made following a series of security issues including incidents of theft and that the cameras were installed for the safety of staff when working alone. In addition, they advised that the cameras had been in place for three years prior to the individual making a complaint to the DPC, and that the individual had provided training to the staff in relation to same. Footage was only retained for a period of twenty days and access controls to the footage were in place. The DPC found there was a lawful basis for the processing.

  5. CCTV in restrooms

The DPC has highlighted that there are numerous queries and complaints from individuals regarding the use of CCTV in restrooms by various organisations such as public houses, night clubs, restaurants and transport depots. The DPC advises that organisations should avoid using CCTV where a reasonably high expectation of privacy exists (e.g. cubicles). The threshold for use of CCTV in restrooms remains very high and requires the data controller to identify and examine all the legitimate issues arising and to assess and implement appropriate measures. The DPC has issued Guidance on CCTV for Data Controllers, which includes a specific section on “The use of CCTV in areas of an increased expectation of privacy.”

Conclusion

The DPC’s 2023 Annual Report highlights significant trends and case studies in data protection, emphasising the importance of compliance with GDPR regulations.

The full report is available here.