2020 was certainly a year that we'll never forget! Most of you are probably aware by now that the Irish DP Commission published its Annual Report for 2020 last week. The publication is a regulatory obligation for each EU Supervisory Authority and provides a valuable insight into the work and decisions of the Commission over the last year. Hugh Jones, Data Protection manager at 3M, tells us about the key points from the report.
As you can appreciate, two issues loomed large in the report, given the year just gone:
- The decision of the European Court of Justice (CJEU) to invalidate the Privacy Shield mechanism, following a hearing which had been put before the Court by the Irish Commission – the objective was to test the validity of the Standard Contractual Clauses (SCCs) in light of concerns raised by Austrian privacy advocate, Max Schrems. Now known as ‘Schrems II’, the Court decision supported the continued use of SCCs for transfers of data to third countries, as long as appropriate and equivalent safeguards are in place.
- Covid-19 and its impact on individual privacy also features in the report – in particular the collaboration between the Commission and the HSE to prepare a Data Protection Impact Assessment (DPIA) as part of the design and build of the Covid-19 tracking application.
The fact that the Commission stopped Facebook from launching a dating app in the week of St. Valentine’s Day also gets mentioned – is there a non-Christmas equivalent of the Grinch? – another timely reminder of the obligation to conduct a Data Privacy Impact Assessment when introducing new or possibly intrusive data processing activities!
Elsewhere in the report, the Commission outlines the workload that it carried in the twelve months of 2020 – a substantial volume of complaints received and resolved, breach notifications received and registered, guidance sought and issued, prosecutions completed and statutory inquiries initiated. More detail on these activities, statistics and conclusions is contained in the Executive Summary of the Report.
2020 was also the year in which the DPC (finally) issued its first fines under the GDPR (both against Tusla, the Child and Family Agency) and its first penalty for a cross-border infringement (€450k against Twitter).
As in other years, the Case Studies published in the Annual Report offer a very valuable resource for Irish Data Controllers and Processors. The twenty-one cases listed in this year’s Report cover cases in which the Commission received complaints or initiated investigations where individual rights were being threatened. The manner in which the Commission dealt with those cases, and the interpretations of the Regulation on which those decisions were based, offer a very valuable insight into the work of the organisation and the challenges of compliance with the GDPR.
We strongly encourage any DPO to make time, over the coming days and weeks, to read through the report and in particular the Case Studies. If your company was the ‘main player’ in one of the cases listed, then you are already familiar with the work of the Commission. If not, however, it is a very healthy exercise to imagine yourself, and your organisation, into the case study scenarios and consider how you would respond, how you would react, and in particular, what mechanisms you would be able to provide as evidence of compliance in a similar situation.
Access the full report here.