The Data Protection Commission (DPC) in Ireland had a busy year in 2023, processing a total of 11,200 new cases – a 20% increase on the 9,370 cases in 2022.
The Commission also announced in its Annual Report 2023 that valid GDPR breach notifications increased from 5,828 in 2022 to 6,991 in 2023 – also a 20% increase. The top five subject to feature in queries and complaints for GDPR breaches were:
- access requests;
- fair-processing;
- disclosure;
- direct marketing; and
- right to erasure.
The Commission had also 89 statutory inquiries, including 51 cross-border inquiries, and called 2023 a “landmark year”. Commissioner Dale Sunderland said: “2023 was a busy year in personal data rights protection. The year saw a significant increase in complaints dealt with by the Data Protection Commission with record fines issued and corrective orders imposed following cross-border and national inquiries.”
Unlawful CCTV
Another big topic in 2023 was CCTV, with a significant increase in the number of queries regarding surveillance of individuals in public and private spheres. The Commission also took enforcement action against local authorities and companies that had processed individuals’ data via CCTV without a lawful basis.
“Organizations who collect CCTV footage must have a clear justification and lawful basis to do so. Subsequent sharing of that information/imagery similarly requires a clear, lawful basis,” Des Hogan, Chairperson, Commissioner for Data Protection, said.
One action was taken against Kildare County Council, which was fined €50,000 ($54,160) and handed a temporary ban on CCTV cameras. Galway County Council was also handed a temporary ban on CCTV cameras, plus temporary bans on ANPR (Automatic Number Plate Recognition), and on use of body worn cameras.
Record Meta fine
During the year, the DPC issued seven administrative fines against five different organizations – totalling more than €1.5 billion ($1.6 billion). That is a slight decrease on 2022 when nine fines totalling over €1.6 billion ($1.7 billion) were imposed. The most notable fine was the record €1.2 billion ($1.3 billion) penalty served on Meta in May 2023 for breaching Article 46(1) GDPR when transferring personal data from the EU to the USA.
Second biggest fine of €345m ($374m) was made against TikTok in September 2023 because of multiple GDPR failures in how children’s personal data was processed by the social media giant.
The DPC also concluded a total of 237 electronic direct marketing investigations, and four companies were prosecuted for the sending of unsolicited marketing communications without consent.
In 2023 the DPC concluded the following inquiries under the GDPR and the Data Protection Act (DPA) 2018:
| Organizations | Decision Issued | Fine Imposed | Corrective Measure Imposed |
|---|---|---|---|
| WhatsApp Ireland Ltd | January | €5.5m ($6m) | Order re: Articles 5(1)(a) and 6(1) GDPR. |
| Kildare County Council | January | €50,000 ($54,160) | Temporary ban on CCTV cameras at a number of locations. Order re: Articles 5(1)(a), 6(1), 13, and 32(1) GDPR. Sections 71, 72, 76, 78, and 82 DPA 2018. |
| Airbnb Ireland UC | January | N/A | No infringement found. |
| Centric Health February | February | €460,000 ($498,467) | Reprimand re: Articles 5(1)(f), 5(2) and 32(1) GDPR. |
| Bank of Ireland | February | €750,000 ($812,721) | Reprimand re: Articles 5(1)(f) and 32(1) GDPR. Order re: Articles 5(1)(f) and 32(1) GDPR. |
| Archbishop of Dublin | February | N/A | Order re: Article 5(1)(a) GDPR. |
| Meta (Facebook) | May | €1.2 billion ($1.3 billion) | Suspension of data flows re: Article 46 GPDR. Order re: Article 46 GDPR. |
| Department of Health | June 16 | €22,500 | Ban re Articles 5(1)(c), 6(1), 6(4), and 9(1) GDPR. Reprimand re Articles 5(1)(c), 5(1)(f), 6(1), 6(4), and 32(1) GDPR. |
| Airbnb Ireland UC | June | N/A | No infringement found. |
| Airbnb Ireland UC | June | N/A | Reprimand re Articles 5(1)(c) and 5(1)(e). Order re Articles 5(1)(c) and 5(1)(e). |
| Airbnb Ireland UC | July | N/A | Reprimand re: Articles 5(1)(c), 6(1)(f), 15(1), 12(1) and 12(3). Order re: Article 12(1). |
| Galway County Council | August | N/A | Temporary ban on CCTV cameras and ANPR at a number of locations. Temporary ban on use of body worn cameras. Order re: Article 35 GDPR and Sections 71, 72, 76, 78, 82, 90(1) DPA 2018. Reprimand re: Article 24 GDPR. |
| TikTok | September | €345m ($374m) | Reprimand re: Articles 5(1)(a), 5(1)(c), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) GDPR. Order re: Articles 5(1)(a), 5(1)(c), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) GDPR . |
| Airbnb Ireland UC | September | N/A | Reprimand re: Article 12(4). |
| Airbnb Ireland UC | September | N/A | Reprimand re: Articles 6(1)(f), 5(1)(c) and 5(1)(e). Orders re: Articles 5(1)(c) and 5(1)(e). |
| Airbnb Ireland UC | September | N/A | Reprimand re: Articles 6(1)(f) and 5(1)(c). Order re: Article 6(1)(f) and 5(1)(c). |
| Apple Distribution International Limited | November | N/A | November 2023 N/A No infringement found. |
| Microsoft Operations Ireland Limited | November | N/A | Reprimand re: Articles 12(4) and 17. Order re: Article 12(4) and Article 17. |
| Meta (Facebook and Instagram) | November | N/A | Ban on processing personal data for behavioral advertising purposes on the basis of Article 6(1)(b) or (f) GDPR. |
