Breach reports rise sharply, but country has growing backlog of Big Tech data handling enquiries
Ireland’s Data Protection Commission (DPC) handled thousands of data breach reports during GDPR’s first full calendar year in force, but is yet to conclude any cases against multinational tech firms.
According to the DPC’s 2019 Annual Report (PDF), the regulator received more than 6,000 valid data breach reports last year, up 71% on 2018.
More than eight in 10 of these incidents related to unauthorized information disclosure, often occurring through basic human errors such as mis-sent emails, lost documents, and administrative oversights.
Many organizations, particularly in the financial sector, suffered repeated breaches of this nature, with the DPC calling for greater staff training, stronger password policies, and multi-factor authentication.
By contrast, there were only 223 reported cybersecurity incidents, with 108 reports of ‘hacking’, 24 of malware, and 161 of phishing, along with 17 ransomware incidents and 13 software development vulnerabilities.
In one ransomware example, a leisure industry organization fell victim to an attack which potentially affected the personal data of up to 500 customers and staff.
Big Tech battleground
With so many major tech companies having their European headquarters in Ireland, it’s unsurprising that they feature heavily in the report.
The DPC says it currently has 21 open enquiries into multinational tech firms, including Facebook, Twitter, Apple, and Instagram.
While most of these are still being investigated, two are now in the decision-making phase: a bug in Twitter’s Android app that made some users’ protected tweets public, and a lack of transparency over WhatsApp’s data sharing with Facebook.
“At the Data Protection Commission, we have been busy during 2019 issuing guidance to organisations, resolving individuals’ complaints, progressing larger-scale investigations, reviewing data breaches, exercising our corrective powers, cooperating with our EU and global counterparts and engaging in litigation to ensure a definitive approach to the application of the law in certain areas,” said the Commissioner for Data Protection, Helen Dixon.
But, she added: “Much more remains to be done in terms of both guiding on proportionate and correct application of this principles-based law and enforcing the law as appropriate.”
And one data protection consultant working closely with the DPC told The Daily Swig she believed the organization is lagging behind other nations.
“We are one of the only countries in Europe who has failed to fine anyone under GDPR, yet we have all the big multinationals processing their data through Ireland,” said the consultant, who did not wish to be named.
“Reports of enquiries that were supposed to be published last summer are still outstanding.”
France, for example, has imposed fines of €51.1 million ($55 million) and Germany €24.6 million ($27 million) since GDPR was introduced, according to a recent report. By contrast, Ireland has so far collected nothing from GDPR transgressors.
Part of the problem is under-resourcing: In 2019 the DPC had a budget of just €15.3 million ($16.5 million). And, says Dixon, “At least 40% of our resources are devoted to the handling of individual complaints, as opposed to large-scale and more systemic investigations”.
However, the DPC has been able to increase its staff numbers from 110 to 140, and says it expects to make its first major decisions on multinational firms “early this year”.