
Eoghan O'Keeffe, Knowledge Consultant
2024 AT A GLANCE
- The last few months have been a busy period of regulatory activity for the Irish Data Protection Commission. Its Annual Report noted a marked increase in the number of cases opened and it was party to a number of significant proceedings in the Irish courts.
- The Court of Justice of the EU provided further guidance on a number of important data protection issues, including the calculation of administrative fines and the right to non-material damages under the GDPR.
- The interconnected network of EU legislation regulating the use of data and technology continues to develop with the further progression of the Data Act, the AI Act, the Regulation on GDPR cross-border enforcement, and the planned transposition of the NIS2 Directive.
UPDATE ON THE IRISH DATA PROTECTION COMMISSION - REGULATORY ACTIVITY IN 2023
In May 2024, the Irish Data Protection Commission (the DPC) published its Annual Report for 2023 (the Report), which reviews the regulatory work completed by the DPC, and provides some interesting statistical insights.
The DPC opened 11,200 new cases in 2023, which is a 20% increase on 2022, and the most cases received by the DPC in any year since the GDPR took effect. It’s difficult to pinpoint any one reason for this significant increase but it is clear that the GDPR framework is firmly established in the public consciousness, and there is, perhaps, a growing awareness of how to report personal data issues.
The most frequent topic of complaint, by a considerable margin, was once again data subject access requests, making up 39% of the total number. The other major topics of complaint included right to erasure (14%), fair processing (13%), direct marketing (12%) and disclosure (5%).
DPC DECISIONS 2024
€310m fine issued to LinkedIn in respect of targeted advertising processes
On 24 October 2024, the DPC issued its decision following its inquiry into the data processing operations of LinkedIn Ireland Unlimited Company (LinkedIn). The inquiry examined LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising of users.
The DPC found that a number of GDPR infringements had occurred in respect of the lawful basis and transparency requirements associated with LinkedIn's targeted advertising processes. The decision included an order for LinkedIn to bring its processing into compliance with the GDPR and three administrative fines totalling €310m.
€91m fine issued to Meta Platforms Ireland Limited (Meta)
On 27 September 2024, the DPC issued its final decision in respect of the inquiry it opened in April 2019. This inquiry followed Meta’s notification to the DPC that it had inadvertently stored certain users’ passwords on its internal systems briefly in “plaintext” format (i.e. those passwords were without cryptographic protection or encryption and could therefore have been at risk).
Although the DPC did not find that harm had occurred as a direct result of this occurrence, the DPC found that Meta had failed to ensure appropriate security measures and infringed a number of the GDPR provisions. Accordingly, the DPC considered it appropriate to issue a fine of €91m.
DPC dismisses complaint against media outlets on freedom of expression grounds
On 7 June 2024, the DPC issued its decision in respect of a complaint made by politician Maria Bailey in respect of how her personal medical data had been processed by the media enterprise, Mediahuis Ireland Group Limited (Mediahuis) in a series of newspaper articles concerning injuries suffered by Ms Bailey and her subsequent claim for compensation.
Under section 43 of the Data Protection Act 2018, controllers are exempt from complying with certain GDPR provisions where compliance with the provision would be incompatible with the purpose of exercising the right to freedom of expression and information.
The DPC ultimately dismissed the complaint, finding that the Mediahuis reporting fell within the section 43 exemption.
DPC ACTIONS IN THE IRISH COURTS
High Court ruling on admissibility test for complaint-based DPC inquiries
Google Ireland Limited v DPC [2024] IEHC 577 concerned a judicial review application, taken by Google, objecting to the DPC’s decision to commence an inquiry on foot of certain complaints, which had been lodged by consumer agencies from six EU countries.
Google argued that the DPC had not established that necessary criteria for admissibility were met before beginning the inquiry. Specifically, Google contended that the DPC had not obtained sufficient information about the complaints, such as account identifiers, mandates from complainants, and evidence that the consumer agencies met the criteria to act as representative bodies under GDPR.
The Court found that the DPC had failed to ensure the complaints met the statutory criteria before commencing the inquiry. It held that essential information, such as account identifiers and mandates, was necessary to establish the admissibility of the complaints. However, the Court acknowledged that evidence which was subsequently provided to the DPC established that the necessary criteria were met. Consequently, the Court decided not to strike down the notice of commencement, as it would be futile given the DPC could immediately issue a new notice.
The judgment is likely to impact the DPC’s approach to admissibility and could have significant consequences for existing and future inquiries.
DPC applies for order to suspend data processing in relation to training of AI and requests EDPB opinion
In August 2024, the DPC issued urgent proceedings in the High Court, requesting an order to require the operator of the social media platform X (formerly Twitter) to suspend the processing of certain personal data in relation to its AI tool Grok. This was the first time the DPC had taken such action, utilising its powers under section 134 of the Data Protection Act 2018.
The proceedings were initially paused and ultimately struck out by the Court, without granting an order, as the DPC and X reached an agreement whereby X undertook to suspend processing of certain personal data for the purposes of training its AI model. (See the DPC press release.)
Although no order was ultimately granted, the proceedings show a willingness on the part of the DPC to take drastic measures, where it considers that there is a significant and immediate risk to data protection rights.
Following those proceedings, the DPC also made a request to the European Data Protection Board (the EDPB), pursuant to article 64(2) GDPR, for an opinion on some of the core issues that arise in the context of processing for the purpose of developing an AI model. The DPC stated that it hopes this opinion will bring some much-needed clarity to this complex area.
DECISIONS OF THE COURT OF JUSTICE OF THE EU (CJEU)
Data Protection Authorities (DPAs) not obliged to issue fines in event of an infringement
In Land Hessen (Case C-768/21), the CJEU held that, in the event of a personal data breach, supervisory authorities are not obliged to exercise their corrective powers (such as imposing an administrative fine) as a matter of course; it will depend on the specific circumstances of the case.
Purely commercial interest can constitute “legitimate interests”
In Case C-621/22, the CJEU confirmed that marketing and other purely commercial interests can constitute “legitimate interests” within the meaning of article 6(1)(f) GDPR. The CJEU noted that legitimate interests do not need to be specifically provided for in law but must be lawful.
The CJEU also emphasised the importance of a controller considering the data subject’s reasonable expectations when seeking to rely on “legitimate interests” as a lawful basis for processing personal data.
Calculating administrative fines under the GDPR
In two decisions issued in December – Case C-683/21 (NVSC) and Case C-807/21 (Deutsche Wohnen) – the CJEU provided an assessment of the criteria which should be applied when calculating administrative fines under the GDPR.
In both cases, the Court confirmed that, for an administrative fine to be imposed under article 83, it must be established that the infringement was committed intentionally or negligently by the controller. The existence of fault or culpability is a necessary condition to the imposition of a GDPR fine.
The Deutsche Wohnen decision seemed to endorse the view that the concept of an “undertaking”, developed in EU competition cases, should be applied when assessing the turnover relevant to the calculation of a GDPR fine. Such reasoning would suggest that DPAs could have regard to the turnover of the parent of a corporate group rather than just that of the controller entity. This could have a very significant impact when calculating fines for certain controllers who may form part of a large, global corporate structure.
The consideration of administrative fines continued in September 2024, when the Advocate General delivered her opinion in Case C‑383/23. The Opinion endorsed the view in Deutsche Wohnen that the EU competition law concept of undertaking may apply for the purpose of calculating the maximum percentage-based fine under article 83.
However, the Opinion rejected the European Commission’s argument that the turnover of the undertaking must be used for calculating both the maximum and actual fine, stating that the maximum fine should not be “the main or only reference” in calculating the fine. The Opinion set out a list of factors which should be the principal considerations when calculating a GDPR fine. We must wait to see if the CJEU follows the Opinion.
Further developments in the interpretation of the right to non-material damages
Over the last few months, the CJEU has issued a string of judgments on the right to non-material damages under article 82 GDPR. (See: Case C-687/21, Case C-741/21, Case C-340/21, Joined Cases of C-182/22 and C-189/22, Case C‑200/23 and Case C‑507/23). The interpretation of this right has the potential to have significant consequences for the liability risk of all data controllers and data processors.
The Austrian Post decision (Case C-300/21) in 2023 set out the initial principles in this area and these more recent cases have built on that decision. The Austrian Post judgment included the potentially worrying dictum that there is no threshold of seriousness which GDPR damages must reach in order to be recoverable – this raised some concern that the floodgates might open for less scrupulous litigants to make claims based on the most minor infringements.
However, subsequent judgments have caveated this position slightly by repeatedly emphasising that merely establishing an infringement of the GDPR is not, in itself, sufficient to give rise to a right to non-material damage. Applicants must be able to show that actual damage has been suffered. A purely hypothetical risk cannot give rise to compensation.
The CJEU has also repeatedly emphasised that any non-material damages should have a purely compensatory function – there should be no deterrent or penalising element to the amount awarded.
IRISH COURT RULINGS ON RIGHT TO NON-MATERIAL DAMAGES UNDER THE GDPR
High Court decision
In April 2024, in Dillon v Irish Life [2024] IEHC 203, the High Court determined that claims of stress and anxiety due to a data breach fell within the definition of a “personal injury” under the Personal Injuries Assessment Board Act 2003.
Accordingly, the plaintiff was required to make an application to the Personal Injuries Assessment Board (PIAB) prior to commencing the proceedings for damages. As she had failed to do so, her claim was struck out.
This decision was welcomed by some, as the administrative hurdle of having to go through the PIAB process could possibly act as a helpful deterrent against more speculative or frivolous GDPR claims.
Circuit Court decision
July 2024 saw a Circuit Court judgment in McCabe v AA Ireland [2024] IECC 6, where the Judge considered it appropriate to award €5,500 in non-material damages for a GDPR infringement, without the plaintiff having made any application to PIAB.
Disappointingly, the Circuit Court’s judgment does not address how this decision fits with the decision in Dillon (above), or how the amount of damages was arrived at, an aspect of particular relevance given the CJEU’s focus on the compensatory function of such damages.
The decision in Dillon has been appealed to the Supreme Court, which we hope will provide some much-needed clarity to this area of law.
EDPB GUIDANCE AND OPINIONS
The EDPB has issued guidance on a number of significant issues over the last few months, including the following of particular note:
- new Guidelines on processing of personal data based on Article 6(1)(f) GDPR (legitimate interest) and completing legitimate interest assessments
- Opinion on certain obligations following the reliance on processor(s) and sub-processor(s)
- updated Guidelines on the Technical Scope of Article 5(3) of the ePrivacy Directive (which concerns tracking tools such as cookies)
LOOKING AHEAD
- The EU Data Act entered into force on 12 January 2024, but the majority of its provisions will only apply from 12 September 2025. The Data Act applies to both personal and non-personal data and includes a wide range of obligations including in respect of: (i) business-to-business data sharing agreements, (ii) requiring minimum standards of interoperability for data and data sharing mechanisms, and (iii) removing technical obstacles to allow businesses and consumers to switch between data processing services.
- The EU AI Act entered into force on 1 August 2024. The first set of provisions will apply from 2 February 2025, but most of its provisions will not apply until 2 August 2025. A detailed breakdown of the AI Act is available in ALG’s Guide to the AI Act.
- NIS2 Directive and Ireland’s National Cyber Security Bill: The NIS2 Directive is a major piece of EU legislation, aimed at enhancing the cybersecurity and resilience of critical infrastructure within the EU by imposing security requirements on industry sectors of critical social importance.
- The required date for transposition of NIS2 into national law was 17 October 2024. Unfortunately, Ireland was among the many Member States that missed that date, but plans are afoot to complete transposition through the adoption of the National Cyber Security Bill after the General Election.
- EU Regulation on GDPR cross-border enforcement: In July 2023, the European Commission tabled a proposed regulation aimed at improving GDPR enforcement. The proposal seeks to support the smooth functioning and timely completion of the enforcement procedures in cases involving cross-border processing. The Council of the EU and the European Parliament have both considered the Regulation and adopted negotiating positions, but negotiations have been delayed due to the European elections earlier this year. Finalising and adopting the Regulation is expected to be among the legislative priorities for the new European Commission in 2025.
