Section 134 of the Data Protection Act 2018 allows the DPC, where it considers there is an urgent need to act to protect the rights and freedoms of data subjects, to make an application to the High Court for an order requiring a data controller to suspend, restrict, or prohibit the processing of personal data.

The High Court proceedings were issued on foot of a complaint to the DPC raised by consumer rights organisations Euroconsumers, and Altroconsumo on behalf of data subjects in the EU/EEA. The complainants argued that the Grok chatbot was being trained with user data in a manner that did not sufficiently explain the purposes of data processing, and that more data than necessary was being collected. They further argued that X may have been handling sensitive data without sufficient reasons for doing so.

Much of the complaint stemmed from X’s initial approach of having data sharing automatically turned on for users in the EU/EEA, which it later mitigated by adding an opt-out setting. X claimed that it had relied on the lawful basis of legitimate interest under the GDPR, but the complainants argued that X’s privacy policy – dating back to September 2023 – was insufficiently clear as to how this applied to the processing of user data for the purposes of training AI models such as Grok.

This development follows a similar chain of events involving Meta in June. Complaints from privacy advocacy organisation NOYB were made against Meta’s reliance on ‘legitimate interest’ in relation to the use of data to train AI models. This led to engagement with the DPC and the eventual decision in June by Meta to pause relevant processing (without the need for the authority to invoke s134).

The DPC and other European supervisory authorities strive to emphasise the principles of lawfulness, fairness and transparency at the heart of the GDPR, and their actions illustrate that any activities which purport to threaten these values will be dealt with directly.

The DPC has previously taken the approach of making informal requests and has stated that the exercise of its powers in this case comes after extensive engagement with X on its model training. The High Court proceedings highlight the DPC’s willingness to escalate action where there remains a perceived risk to data subjects.

The DPC has, in parallel, stated that it intends to refer the matter to the EDPB although there has been no confirmation of such referral as of this date.

Such referral will presumably form part of a thematic examination of AI processing by data controllers. The topic is also the subject of debate from individual DPAs, as evidenced by the Discussion Paper on Large Language Models and Personal Data recently published by the Hamburg DPA.

The fact much of the high profile activity relating to regulation of AI is coming from the data protection sphere will no doubt bolster the EDPB’s recommendation in a statement last month that Data Protection Authorities (DPAs) are best placed to regulate high risk AI.

It is expected that regulatory scrutiny and activity will only escalate and accelerate in tandem with the increase in integration of powerful AI models into existing services by ‘big tech’ players to enrich data. This is particularly the case where it is perceived that data sets are being re-purposed and further processing is taking place. In such circumstances, it is essential that an appropriate legal basis is being relied upon – noting the significant issues that can arise if there is an over-reliance on legitimate interest. The DPC and other regulators are likely to investigate, engage and ultimately intervene where it believes that data subjects’ rights under the GDPR are threatened. Perhaps in anticipation of more cross-border enforcement activity, last month, the European Commission proposed a new law to  streamline cooperation between DPAs when enforcing the GDPR in such cases.

A fundamental lesson from these developments is that, in the new AI paradigm, ensuring there is a suitable legal basis for any type of processing and the principles of fairness and transparency are complied with should be an absolute priority.

The Data Protection Commission (DPC) has published its 2023 Annual Report, highlighting a record year with DPC fines accounting for 87% of all GDPR fines issued across the EU. A busy year for the DPC also saw a 20% increase in reported personal data breaches as Helen Dixon steps down after 10 years in the job, with Dr. Des Hogan and Dale Sunderland taking over the reins.

The past year has seen the DPC progress ongoing large-scale inquiries in particular against social media platforms, defend cross-border decisions in legal proceedings brought forward by appealing regulated entities and increase its interaction with the European Data Protection Board (EDPB). As a result, the DPC fines account for 87% of the GDPR fines issued by EU data protection authorities last year.

The DPC received a total of 6,991 valid notifications of personal data breaches in 2023, an increase of 20% against the previous year. The DPC also handled 43 complaints relating to alleged personal data breaches which were not notified to the DPC in line with Article 33.

Unauthorised disclosure of personal data continues to be the leading reason for breach notifications, accounting for 52% of the overall total in 2023. 146 of thevalid data breach notifications were received under the ePrivacy Regulations, an increase of 42% and 59 notifications in relation to the Law Enforcement Directive. In line with previous years, most incidents reported originate from the private sector (3,766), followed by the public sector (2968), with the remaining coming from the voluntary and charity sector (275).  

Complaints Handling

The Annual Report notes another year of extensive enforcement work by the DPC. In total, 11,147 cases were concluded by the DPC in 2023. As of 31 December 2023, the DPC had 89 statutory inquiries on-hand, including 51 cross-border inquiries. In addition to its cases and inquiries, the DPC also handled over 25,130 electronic contacts, 7,085 phone calls and 1,253 postal contacts. 

The Annual Report highlights that once again the most frequent GDPR topics for queries and complaints in 2023 were access requests; fair-processing; disclosure; direct marketing and right to erasure (delisting and/or removal requests).

Administrative Fines and Large-Scale Inquiries

The Annual Report highlights 19 inquiries that concluded in 2023 resulting in fines totaling €1.55 billion. From the tables below, what we see is a consistent enforcement strategy being implemented by the DPC focusing on international and domestic companies and their compliance with core principles of the GPDR (e.g. transparency, lawful basis, security measures) as well as targeted thematic focuses (e.g. children’s personal data and video surveillance).

Since the implementation of the GDPR, the DPC has been established as the Lead Supervisory Authority for 87% of cross-border complaints.

Notable large scale cross border inquiries that concluded in 2023 were:

Notable domestic inquires that concluded in 2023 were:

Ongoing Inquiries

The breadth and scale of the inquiries being undertaken by the DPC shows no signs of abating in its report. Notable inquires that have been progressed by the DPC include:

Litigation  

At the outset of its Annual Report, the DPC recognizes the continued focus on domestic litigation before the Irish Courts. The DPC was awarded a considerable number of legal costs orders in 2023. The threat of a legal cost order may act as a deterrent to those considering challenging the DPC in the future.

There were 7 national judgments or final orders in 2023 split almost evenly between the Irish Circuit Court and the Irish High Court. The cases involved: 1 plenary matter, 5 appeals (with 4 statutory appeals and 1 appeal on a point of law) and 1 judicial review. 2 cases issued against the DPC were discontinued and a further 5 were concluded. The legal costs of 5 proceedings were awarded in favour of the DPC, with no reference to costs made in the reports for the other 2 proceedings. These awards enable the DPC to seek the legal costs it incurred in defending the proceedings against the claimant(s).

The DPC uses the Annual Report to showcase its supervisory and enforcement functions in relation to the processing of personal data in the context of electronic communications under the e-Privacy Regulations. The Annual Report highlights 4 successful prosecutions involving unsolicited marketing messages. In all 4 cases, the DPC had the legal costs of the prosecution discharged by the defendants, two of whom were companies in the telecommunications and insurance sectors.  

Children  

Prioritising the protection of children and other vulnerable groups forms one of the five core pillars to the DPC’s Regulatory Strategy 2022 – 2027, so it was no surprise that the DPC continued to be proactive in safeguarding children’s data protection rights this year. This is reflected in the list of matters that were prioritised for direct intervention by the DPC during 2023, which included CCTV in school toilets and posting of images of children online. The DPC issued a Final Decision and imposed a large fine of €345 million against a major social media company for infringements of GDPR related to the processing of personal data relating to children.

The DPC also produced guidance for organisations and civil society to enhance the protection of children’s personal data. An example of this is the data protection toolkit for schools, which was devised by the DPC after it noticed in the course of supervisory and engagement activities that the sectors was finding certain aspects of data protection compliance challenging.

Interestingly, the DPC has been nominated to represent the EDPB on the newly formed Task Force on Age Verification under the Digital Services Act and act as co-rapporteur in the preparation at EDPB level of guidance on children’s data protection issues. This leadership role follows the DPC’s publication of a guidance note on the Fundamentals of children’s data protection and the DPC’s enforcement activity in this area over recent years.

Data Protection Officers  

The DPC has continued its efforts to bring together the DPO community in Ireland, recognising the importance of the DPO’s role in data protection compliance for organisations. As at the end of 2023, the DPC has been notified of 3,520 DPOs. The DPC is actively engaging with DPO networks across a number of key sectors and has contributed to several events aimed at DPOs including a new course run by the Institute of Public Administration, ‘GDPR and Data Protection Programme for DPOs in the Public Service’.

Importantly, the DPC participated in the 2023 Coordinated Enforcement Framework (CEF) Topic ‘The Designation and Position of Data Protection Officers’. The DPC contacted 100 DPOs and identified three substantive issues in its national report:

• Resources available to DPOs – a third of respondents noted they do not have sufficient resources to fulfill their role;
• Conflicts of interests – over a third indicated their role is split with other core governance roles within their organisations; and
• Tasks of the DPO – it was noted that many tasks of the DPO do not actually compliment the role of the DPO within many organisations.

Supervision  

A sectoral breakdown notes that of the 751 supervision engagements during 2023, 391 were from multinational technology companies. The DPC also provided guidance and observations on 37 proposed legislative measures.

Supervisory engagements undertaken by the DPC in 2023 included identifying data protection issues arising in the context of adult safeguarding and service provision to at-risk adults and an examination of the use of technology in sport and the processing of health data for performance monitoring (questionnaire due to issue to voluntary and professional sports).

The DPC also engaged with the Local Government Management Authority in relation to three draft codes of practice prepared in relation to the use of CCTV and mobile recording devices to investigate and prosecute certain waste and litter pollution related offences. Separately, given the significant increase in use of CCTV in areas of an increased expectation of privacy the DPC published a detailed update of its  CCTV Guidance in November 2023.

In February 2024, Helen Dixon stepped down from her role as Data Protection Commissioner and Dr. Des Hogan, who serves as Chairperson, and Mr. Dale Sunderland commenced their new roles.

The DPC continues to focus on systemic non-compliance and children’s data protection rights in 2024 as well as participating in the EDPB’s ongoing coordinated enforcement action on the right of access. With the level of enforcement action taking place as well as the rapid pace of AI and technology development, organisations are advised to review and update their privacy frameworks to ensure compliance with the GDPR.