Irish commissioner warns against data protection law dilution

Dixon, writing in the annual report of the country’s Data Protection Commission (DPC), said: “It’s becoming an increasing feature of the complaints received by the office that issues are being raised with the DPC that, in truth, have little or nothing to do with data protection.”

Examples she gave were problems at work, with builders, medical treatment, relationships, neighbours’ parking, and how a child was dealt with at school.

“While the DPC delivers meaningful and effective outcomes in those cases where an identifiable data protection issue is discernible from the complaint received, the DPC is concerned that the overall volume of complaints it receives – a growing number of which disclose no identifiable data protection issue at all – reflects a desire on the part of many individuals to have access to an independent and easily-accessible, no-cost dispute resolution service for general grievances originating in a disparate range of personally challenging events.”

 “The risk that arises if both complainants and the DPC over-reach is that data protection regulation as intended is rendered meaningless because it becomes the law of absolutely everything”

 “The DPC, no matter how empathetic it might be to the issues raised, cannot operate beyond its statutory remit.

“And the risk that arises if both complainants and the DPC over-reach is that data protection regulation as intended is rendered meaningless because it becomes the law of absolutely everything.”

She also drew attention to what she described as an unwelcome trend, namely organisations or individuals attempting to misuse the EU’s General Data Protection Regulation (GDPR) to obfuscate or pursue other agendas.

“That said, there can be genuine confusion on the part of many as to how GDPR does and does not apply, and sometimes issues are just not black and white,” Dixon wrote.

“Where inaccurate assertions circulate – whatever the reason or motivation – these will only be resolved over time as we call them out.

“As an example, an ongoing issue arises with organisations deleting CCTV footage after they are on notice of an access request for that footage claiming the GDPR requires them to delete it every seven days.”

The annual report shows that Ireland’s DPC handled 10,151 cases last year, an increase of 8.7% on the previous 12 months.

In total, 4,476 complaints were concluded last year. Among issues covered were securing access to personal data, excessive personal data collection, and unauthorised and unnecessary disclosure of personal data to third parties.

GRC World Forums has previously reported how the Irish DPC asked for more resources and investment to cope with increased caseloads ahead of the Budget in Ireland last October.

“Cases concerning employment law disputes continue to be heavily represented in the range of complaints we received,” said Dixon.

There were 4,660 complaints received under the GDPR and 6,628 valid data security breaches were notified last year.

“The progress the DPC has made in 2020 provides a solid platform on which to build across our enforcement and complaint-handling functions in particular,” she wrote.

“The GDPR must be understood as a project for the now, but equally for the longer-term. The DPC intends to continue as a leader in its full implementation.”

Register for free to receive the latest privacy, security and data protection news and analysis straight to your inbox