Irish eyes are sighing: Data protection office notes olagoanin'* up 79%

Annual report reveals boost in complaints, breach notifications

By Rebecca Hill


The Irish Data Protection Commissioner received 79 per cent more complaints last year than in 2016, while data breach notifications rose 26 per cent.

The figures, released in the commissioner's annual report for 2017 (PDF), show that the DPC's office received a record 2,642 complaints in 2017.

That's a 79 per cent increase on the 1,479 received the previous year, and much greater than in 2013, 2014 or 2015, when there were on average 930 complaints each year.

Some 52 per cent (1,372) of the complaints in 2017 were about access rights, while 312 were about unfair processing of data, 77 about the use of CCTV footage, and 21 were related to the right to be forgotten.

The office received 215 complaints about electronic direct marketing, and 146 were investigated – of these 80 were related to email marketing, 58 to SMS and just eight to phone.

Overall, the office concluded some 2,594 complaints, meaning there were 556 outstanding at the end of the year. At the moment, the office has 40 days to resolve a complaint; this drops to one month under the European Union's General Data Protection Regulation, which comes into effect in May.

Meanwhile, some 2,973 data security breaches were reported in 2017, of which 178 were classified as non-breaches. The 2,795 valid breach reports represented a 26 per cent increase on 2016's figure.

Most breaches – about 59 per cent – were related to unauthorised disclosures, and the majority of them were in the financial sector, the commissioner said.

Some 6 per cent of all reported cases were in the telecommunications sector, which was 25 per cent more than in 2016; there was also an increase in the number of network security compromises – these rose from 23 to 49, and usually included ransomware and malware attacks.

The report said that the commissioner's multinationals team had investigated 19 data breaches in 2017, noting that its investigation into the Yahoo! data breach was "largely concluded" in 2017 and would be finalised in the first half of this year.

A central part of that work will assess the extent to which the EMEA controller – Yahoo! EMEA in Dublin – had complied with its obligations to ensure that the processing of EU users' personal data by its processor, Yahoo! Inc., was sufficiently secure in terms of technical and organisational measures to safeguard the data.

Elsewhere, the report set out the main issues it had faced in 2017 and plans for 2018.

Among these, it noted the ongoing litigation between Facebook and Max Schrems, which the Irish High Court agreed to refer up to the Court of Justice of the EU but has yet to finalise the specific questions.

The report also noted the extra cash the government has promised the body, which rose to €7.5m in 2017 and will increase again to €11.7m this year, allowing it to recruit an extra 55 staff on top of the existing 85.

However, it was – rather unsurprisingly – GDPR that topped commissioner Helen Dixon's agenda.

"The phrase 'game-changer' is so frequently used that it has to some extent lost its potency," she wrote in the foreword.

"I truly believe that May 2018 will be a seminal milestone in ensuring that the rapid technological change and importance of data in our daily lives is now backed by a transparent and flexible but robust regime for the protection of individuals." ®

* Grumbling and complaining – from the Gaelic olagón (lament).

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Cambridge Analytica seeks data protection assistant

Jobseeker? You may have heard of it...

Why, hello Rubrik's Trello: Data protection biz leaves productivity tool open to world+dog

Anyone with URL could see lists of case study projects's Brexiteers warned not to push for divergence on data protection laws

As PM lacks specifics on UK’s desired ‘adequacy-plus’ deal

Uber hack: EU data protection bods launch taskforce

Justice commissioner slams biz for 'irresponsible' behaviour

Big tech wants the ICO on EU data protection board in Brexit fallout

Watchdog keeping voting rights 'huge gain' for marketing sector, say Facebook, Google et al

UK regulator moots data protection sandbox for organisations to play in

ICO strategy outlines plans to slurp up academic expertise

Austrian privacy chief handed leash to EU's data protection beast

Group warms up for greater powers once GDPR hits

Facebook smartmobe app's pre-ticked privacy settings violate German data protection law

Court favours consumer group in long-running dispute

Don't sweat Brexit, big biz told: Your shiny data protection sticker will remain intact

Survey reveals GDPR training and investment is on the rise told: Scrap immigration exemption from Data Protection Bill or we'll see you in court

Campaigners say proposed law would create a 'discriminatory' system for data access rights