The Irish Data Protection Commission (DPC) released its annual report on Thursday and what stands out immediately is the rise of complaints after GDPR’s implementation. DPC, the lead data watchdog, has received 56% more privacy complaints and notifications in the period May 25 (when GDPR came into force) and December 31 2018, compared to the first half of the year.
According to Helen Dixon, Ireland’s commissioner for data protection, the rise of complaints “demonstrates a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data”.
One of the significant changes that the GDPR brought is the possibility third party organisations to lodge data protection complaints on individuals’ behalf. Such could be consumer right groups for example. This seems to be motivating for individuals since not everybody feels confident enough to undertake an action. Furthermore, the greater number of complaints on the same issue aggregate, the more plausible is the problem to be revisited by responsible bodies.
We have informed you about such case – Google’s record GDPR penalty of 50 million euro due to violation of its obligations of transparency and adequate information, and second, for its failure to have a legal basis for ads personalization processing. Two French associations – La Quadrature du Net (LQDN) and None Of Your Business (NOYB) submitted group complaints to The National Data Protection Commission (CNIL) of France.
The number of reported data breaches against giant tech companies is worth mentioning as well. DPS has received 38 personal data breaches, involving 11 multinational technology companies after GDPR came into force. Commissioner Dixon commented this:
“A substantial number of these notifications involved the unauthorised disclosure of, and unauthorised access to, personal data as a result of bugs in software supplied by data processors engaged by the organisations.”
According to the report, DPC has launched 15 ongoing statutory inquiries since the GDPR came into force. Ten of them concern Facebook and its subsidiaries WhatsApp and Instagram. The massive token breach has itself warranted three separate investigations. Two look at whether Facebook took organisational and technical measures to secure users’ personal data and one into whether it notified the DPC within 72 hours as required by law.
The report also reveals that 23 formal requests have been issued, where detailed information on compliance with various aspects of the GDPR from tech giants has been sought. The following examples are mentioned in the report:
- Google on the processing of location data
- Facebook on issues such as the transfer of personal data from third-party apps to Facebook and Facebook’s collaboration with external researchers
- Microsoft on the processing of telemetry data collected by its Office product
- WhatsApp on matters relating to the sharing of personal data with other Facebook companies
Apparently, GDPR is an invaluable tool for protecting data security and people quickly realise its power. Although the huge increase in breach complaints could be seen as pessimistic sign for an overall deterioration of the cybersecurity realm, it should be analysed further. More probably, people use the directive now actively in order to seek their rights. And as a result, data protection bodies get stronger:
“Over 1000 Data Protection Officers have been appointed by organisations across Ireland and have been notified to the DPC since May. These individuals will play key roles in embedding effective data protection practices in their organisations and driving real improvements in standards of data protection and security” – Commissioner Dixon said.
Nataliya Nikolova, Legal Advisor at AMATAS, commented the complaints boost and the current situation in Bulgaria, which stays away from the described one in DPC’s report:
“The high number of complaints, reflected in the report, is understandable as most of representative European bodies of tech giants are based in Ireland.
However, there is a major difference with the Bulgarian legal framework in terms of the representation of individuals’ complaints by non-governmental organisations. This is not applicable in Bulgaria and hence that part of the GDPR is irrelevant locally. This does not mean that the regulatory bodies here stay unused, quite the contrary indeed, and their overload will continue in the future. With economic growth and the appearance of more tech companies from third countries in Bulgaria, the rise of data privacy complaints and notifications is expected.”