Birthday Cake, Google and Data Protection OfficersJune 2019
As Europe voted and Data Protection laws being perceived to be the prerequisite of fair and free democratic elections, Google is facing its first major investigation by its lead Data Protection Supervisory Authority in Europe, the Data Protection Commission (DPC) in Ireland.
Coinciding with the one-year anniversary of Ireland’s implementation of the General Data Protection Regulation (GDPR) into Irish law, the DPC announced it will investigate Google’s alleged unlawful processing of personal data at each stage of its ad-tracking system. The platform which shares behavioural habits of online visitors with hundreds of companies will be scrutinised against GDPR’s relevant provisions of transparency, data minimisation and purpose limitation. The sharing of information is known as a “bid request” and through this process, Google stands accused of failing to protect data against unauthorised access.
The potential financial exposure for a tier 2 penalty means that Google could potentially face a fine of up to 4% of its global annual turnover of the preceding financial year, or an eye watering $5.4 Billion. Under the Data Protection Acts, 2018, once the fine is imposed, Google would have 28 days to pay up or appeal to the High Court. Let them eat cake, indeed!
Helen Dixon, the Data Protection Commissioner, looking back at what can only be deemed a very strategic and eventful year following a successful public awareness campaign, has noted:
“We’re the most rapidly growing data protection authority in the EU.”
Since her appointment in 2014, the DPC’s budget has risen to €15.2 million and over the past 12 months, the new legislation has given rise to a significant increase in workload. According to the DPC’s website:
6,624 complaints were received
5,818 valid data security breaches were notified
48,000 contacts were received through the DPC’s assessment unit
54 investigations were opened- 35 of these domestic, 19 cross border
DPC staff numbers increased from 85 to 137 at the end of May 2019
Current Irish Statutory inquiries into ‘big tech’ multinationals:
WhatsApp (owned by Facebook): 2
Instagram (owned by Facebook): 1
LinkedIn (owned by Microsoft): 1
Yet to issue a fine, what will the next 12 months bring for the DPC and GDPR Compliance? We at RegSol, predict some clarity of GDPR principles, hopefully, as these investigations unfold and are drawn to conclusion. And with a better understanding of this new regulatory landscape, enforcement actions as they relate to compensation and damages awarded will reveal how high the stakes truly are.
The Data Protection Officer (DPO)
With birthday cake, fines and data processing in mind, appointment of a person with responsibility for Data Protection is for most organisations an effective way of mitigating data privacy risk, if only to coordinate responses to data subject requests or coordinate breach reporting.
GDPR formally sets out under Section 4 the designation, position and tasks of the Data Protection Officer. Further, the Data Protection Commissioner had published guidance with respect to the DPO role which comments that:
“The DPO role is an important GDPR innovation and cornerstone of the GDPR’s accountability- based compliance framework.”
Appointment of a DPO is mandatory for the following organisations:
Public bodies (consider private organisations carrying out public tasks)
Data controllers/processors who perform systematic and regular monitoring of data subjects on a large scale
Organisations whose processing involves special category data (medical data for instance) or data relating to criminal convictions and offences on a large scale
Large scale in this context can be interpreted when taking into consideration, the numbers of affected data subjects, the volume of personal data, geographical exposure and the range and duration of the processing of personal data.
As a matter of best practice, all organisations should have documented their rationale as to whether a DPO is required to be nominated. Formally appointing a DPO where it's not mandatory, still brings the role under the full GDPR requirements and standards.
Regardless of whether the GDPR requires organisations to appoint a DPO, data controllers and processors must ensure that their organisations have sufficient staff and resources to discharge their obligations under the GDPR. However, a DPO can help organisations operate within the law by advising and helping to monitor compliance. In this way, a DPO can be seen to play a key role in the organisation’s data protection governance structure and to help improve accountability.
Under the GDPR the DPO is afforded statutory protections:
DPO must report to the highest level of management
DPO cannot be dismissed or penalised as a result of performing their duties
DPO must be provided with adequate resources to perform tasks
DPO must be free from influence and conflicts of interest
DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data
BUT the data controller remains accountable for GDPR compliance
Article 37.5 of the GDPR provides that a DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices.
For example, where a data processing activity is particularly complex, or where a large volume or sensitive data is involved (i.e. an internet or insurance company), the DPO may need a higher level of expertise and support.
Bearing in mind that a DPO can be either external or internal, RegSol is here to assist with your GDPR compliance.
by Judy De Castro for RegSol