29 May 2024
On 29 May 2024 the Data Protection Commission (“DPC”) released its 2023 annual report. The DPC highlighted its workload and regulatory accomplishments over the last year, including the finalisation of 19 decisions that yielded fines totalling €1.55 billion, along with multiple reprimands and compliance orders being imposed.
Our team has summarised the key points below.
Between 1 January 2023 and 31 December 2023, the DPC:
The DPC received 6,991 valid GDPR data breach notifications in 2023, an increase of 20% on the number of GDPR data breaches reported in 2022. The largest category of data breaches notified to the DPC in 2023 was unauthorised disclosure, in cases affecting one or a small number of individuals.
Of the 6,991 breach notifications, 3,766 related to the private sector, 2,968 to the public sector and the remaining 257 came from the voluntary and charity sector. Public sector bodies and banks accounted for the ‘top ten’ organisations with the highest number of breach notifications recorded against them, with insurance and telecom companies featuring prominently in the top twenty. 92% of notifications received in 2023 were concluded by year end.
Of note, personal data breaches involving unauthorised disclosure mainly arose from material being posted or emailed to incorrect recipients.
The DPC issued 19 finalised decisions resulting in administrative fines totalling €1.55 billion, alongside reprimands and orders, including against companies in the technology, financial services, and healthcare sectors as well as a number of governmental entities.
Some of the most noteworthy corrective measures and fines issued as part of these decisions are:
Sector | GDPR Obligation Infringed | Corrective measures imposed | Fine (€) |
---|---|---|---|
Technology | Article 6(1) – the company was found not to be entitled to rely on the contract legal basis for the delivery of service improvement and security, so personal data processed in reliance on that legal basis amounted to a contravention of Article 6(1). Article 5(1) – the company was also found to be in breach of its transparency obligations under Article 5 GDPR by not clearly outlining to users the legal basis relied on for processing. | Order regarding Articles 5(1)(a) and 6(1) GDPR | 5.5 million |
Technology | Article 46(1) – the company was determined to have transferred personal data from the EU/EEA to the US without a lawful basis. | Suspension of data flows in relation to Article 46 GDPR and Order regarding Article 46 GDPR | 1.2 billion |
Technology | Articles 25(1), 25(2) and 5(1)(c) – the company was determined to have failed to implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for the company’s purposes of processing were processed, and to ensure, by default, that the social media content of child users was not made accessible to an indefinite number of persons without the user’s intervention. The company was also found to have infringed Article 24(1) GDPR by failing to implement appropriate technical and organisational measures relating to the privacy settings of children’s user accounts and the risk of children under 13 accessing the social media platform. Article 13(1)(e) – the company was determined to have failed to provide child users with information on the categories of recipients of personal data. Article 12(1) – the company was found to have failed to provide child users with information on the scope and consequences of the public-by-default processing in a transparent manner. Articles 5(1)(f) and 25(1) – the DPC found the company in breach of these articles by allowing an intended Parent/Guardian to enable direct messages for a child user where such messages had not previously been enabled by the child user. | Reprimand regarding Articles 5(1)(a), 5(1)(c), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) GDPR and Order regarding Articles 5(1)(a), 5(1)(c), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) GDPR | 345 million |
Governmental | Articles 5(1)(c), 6(1), 6(4) and 9(1) – breach of the requirements to ensure data minimisation and a lawful basis for the processing of special category data. The entity was found to have processed information in a way that was excessive, disproportionate to the aims pursued and not necessary in relation to 29 litigation files, for which there was no lawful basis. Article 14 – transparency: the entity did not include details of its practices in its privacy notice. Articles 5(1)(f) and 32(1) – security of processing: the entity should have ensured that better internal access restrictions to files were in place. | Ban on processing regarding Articles 5(1)(c), 6(1), 6(4) and 9(1) GDPR and Reprimand regarding Articles 5(1)(c), 5(1)(f), 6(1), 6(4) and 32(1) GDPR | 22,500 |
Financial Services | Articles 5(1)(f) and 32(1) – the company was found in breach of these articles in respect of the unauthorised disclosure of personal data, including financial data, on a banking app. | Reprimand regarding Articles 5(1)(f) and 32(1) GDPR and Order regarding Articles 5(1)(f) and 32(1) GDPR | 750,000 |
The DPC had 751 supervision engagements during 2023.
As of 31 December 2023, the DPC had 89 statutory inquiries on hand, including 51 cross-border inquiries. In 2023, 18 draft decisions were referred to the EU co-decision-making process under Article 60 GDPR.
The DPC was voted a budgetary allocation of €26.364 million in 2023, which represents a €3.1 million increase on 2022. The DPC also increased its staff numbers by 44 in 2023, bringing the total number at year end to 210.
In addition, in November 2023, Helen Dixon announced that she would step down from her role on 19 February 2024. On 20 February 2024, two new commissioners commenced their roles, Dr. Des Hogan, who serves as Chairperson, and Mr. Dale Sunderland. They will each serve a five-year term.
The DPC will focus on systemic non-compliance, meaning that controllers that have regularly failed to comply with the GDPR can expect more interaction with the DPC this year.
We recommend organisations review their privacy frameworks in order to ensure any gaps relating to, specifically, the processing of children’s data, international transfers and the privacy awareness of their staff are addressed.
In this regard, the DPC’s intensive work on children’s data protection rights is expected to continue with the DPC nominated to represent the European Data Protection Board (“EDPB”) on the newly formed Task Force on Age Verification under the Digital Services Act. The DPC will be at the forefront in respect of the European Commission’s aim to foster cooperation with national authorities with expertise in the field of age verification in an effort to identify best practices and standards.
The DPC will also continue to analyse and closely monitor developments in AI in 2024. The DPC will leverage existing fora hosted by the EDPB to exchange information and inform the discussion on AI and Generative AI processing with a view to establishing a consensus amongst EU regulators regarding compliance and best practice under the GDPR.
The DPC will also continue to drive recruitment during 2024 through a combination of open recruitment and the promotion and development of DPC staff. As noted above, the DPC recruited 44 new members in 2023. We anticipate that organisations can expect an increase in the number of actions driven by the DPC in 2024.
If you have any queries related to the work and activities of the Data Protection Commission, please do not hesitate to contact our team below. We would be delighted to hear from you.
Head of Data Protection & Privacy, KPMG Law LLP
Director, Consulting, KPMG in Ireland
Director & Head of Technology & Digital Law, KPMG Law LLP