GDPR Penalties are Coming According to Irish Data Protection Commissioner

Today the Irish Data Protection Commission (DPC) has released the Data Protection  2019 Annual Report and has also suggested that the resolutions of a number of high profile investigations may results in large scale General Data Protection Regulation (GDPR) fines being applied.

The report, which can be accessed here, included many revelations in relation to the complaints submitted to the Commission such as:

  • 2019 saw 7,215 complaints submitted – a 75% increase on the overall number of complaints (4,113) on the previous year
  • 2019 witnessed the settling of 5,496 complaints
  • 71% increase on the total number of valid data security breaches (3,542) to 6,069 valid data security breaches being notified
  • Approximately 48,500 contacts filed using the DPC’s Information and Assessment Unit, including 22,200 telephone calls and 22,300 emails.
  • The DPC completed an in-depth consultation on the processing of children’s personal data, resulting in 80 responses. The feedback from the consultation will be used to formulate guidance on the processing of children’s personal data, which is a DPC objective for 2020.
  • Six statutory inquiries were kicked off linked to multinational technology companies’ compliance with the GDPR, bringing the total number of cross-border investigations to 21.

The Data Protection Commissioner Helen Dixon, commented that the Irish data protection security landscape has undergone a lot of change in the last 12 months. She said: “2019 has been the first full calendar year of the GDPR. There have been many positive changes, including organisations across Ireland appointing Data Protection Officers who can assist the public in exercising their data protection rights and also an increased awareness on the part of individuals and organisations alike as to the importance of protecting personal data. At the Data Protection Commission, we have been busy during 2019 issuing guidance to organisations, resolving individuals’ complaints, progressing larger-scale investigations, reviewing data breaches, exercising our corrective powers, cooperating with our EU and global counterparts and engaging in litigation to ensure a definitive approach to the application of the law in certain areas.”

In relation to the plans for 2020, Ms Dixon said: “Much more remains to be done in terms of both guiding on proportionate and correct application of this principles-based law and enforcing the law as appropriate. But a good start is half the battle and the DPC is pleased at the foundations that have been laid in 2019. We are already expanding our team of 140 to meet the demands of 2020 and beyond.”

Ms Dixon also conducted an interview with The Irish Independent Ms Dixon where she spoke about potential monetary fines that may arise out of ongoing investigations of the DPC. She use the  $5bn fine sanctioned by the Federal Train Commission (FTC) against Facebook in the US as a measuring stick to hold future irish fines against. She said: “A very relevant factor in terms of what quantum will create deterrence is the level of fines already existing globally in the area. So if you ask whether the FTC [Federal Trade Commission] fine is relevant, it is. Under the GDPR, deterrence is a particularly important reason why the fines are included. They could have stopped at the corrective measures. But the fines are there to be punitive and give rise to deterrence. And deterrence is based on what’s already in the [fine] landscape.” You can read the full interview here.


About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas should has data protection and innovations such as telehealth.