On May 20, 2013, the Irish Office of the Data Protection Commissioner (“ODPC”) published its annual report for 2012 (the “Report”). The Report summarizes the activities of the ODPC during 2012, including its investigations and audits, policy matters, and European and international activities.
Key themes of the Report include:
- data sharing in the public sector;
- additional staffing and resources of the ODPC;
- complaints from individuals, in particular in relation to data subject access rights and direct marketing;
- increased data security breach notifications; and
- audit outcomes.
Data Sharing in the Public Sector
The ODPC accepts that data sharing can increase efficiency in the delivery of public services, but has long raised concerns regarding data sharing in the public sector. The Report details the ODPC’s extensive investigation of data sharing through the Department of Social Protection’s INFOSYS system, uncovering “a disturbing failure of governance in some of the public bodies investigated.” The Report emphasizes (1) the importance of proportionality, (2) that permitted data sharing must have a clear basis in law, a clear justification, strict access and security controls, and secure data disposal procedures, and (3) that only the minimum data necessary to achieve the stated public service objective may be shared.
Increased Resources
In the ODPC’s previous annual report, Irish Data Protection Commissioner Billy Hawkes raised the increased strain on the ODPC’s limited resources, a strain that will likely grow under the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). Under the Proposed Regulation, organizations with multiple European establishments will benefit from a lead supervisory authority where they have a “main establishment,” and organizations with only one European establishment will be regulated by a sole supervisory authority. Dublin has in recent years attracted a number of large multinational tech firms, including Facebook and Twitter, and there is speculation that further organizations will set up their sole or main establishments in Ireland ahead of implementation of the Proposed Regulation. Consequently, the ODPC foresees increased regulatory oversight of multinational companies.
In response to Billy Hawkes’ request for additional resources, the Irish Government has announced a 20 percent increase in the ODPC’s budget and additional staff, including a Chief Technology Advisor, specialist legal advisor and additional administrative staff.
Complaints
The ODPC received 1,349 complaints which were opened for investigation during 2012, marking a new record and an increase of 16 percent compared to last year’s 1,161 complaints. 606 of the 1,349 complaints related to unsolicited direct marketing via SMS text messages, phone calls, fax messages and emails, and 442 complaints related to data subject access rights. The vast majority of complaints were resolved without the need for a formal decision, and only a total of 36 formal decisions were taken. The majority of enforcement notices related to data subject access rights.
Security Breach Notifications
During 2012, the ODPC received 1,666 personal data security breach notifications, up from 1,167 received last year. Since July 2011, telecommunication companies and Internet service providers (“ISPs”) have been required to notify data security breaches under S.I. 366 of 2011 (implementing the European E-Privacy Directive). In September 2012, two telecommunication companies were prosecuted for failure to notify.
The Report provides a breakdown of types of breaches and shows that the most common cause of a breach is postal mailing breaches (e.g., mailing information to the incorrect recipient). Theft of IT equipment and website security account for the two least common causes of personal data security breach notifications.
ODPC Audits
Under the Irish Data Protection Acts 1988 and 2012, the Commissioner is empowered to conduct privacy audits and inspections to ensure compliance with the Acts and to identify possible breaches. During 2012, the ODPC conducted 40 audits, representing an increase of 21 percent from the previous year. Audited organizations included Facebook Ireland, county and city councils, and a number of Irish banks. The ODPC’s follow-up audit of Facebook Ireland, completed in September 2012, found that the great majority of recommendations had been fully implemented, although full implementation of the ODPC’s recommendations had not been achieved in relation to new user education, deletion of social plug-in impression data for EU users, account deletion, and minimizing ad targeting based on sensitive personal data.