Data Protection Commission publishes 2023 Annual Report

29th May 2024

The Data Protection Commission has today launched its Annual Report for 2023.

Highlights of the 2023 Annual Report include:

  • The DPC issued 19 finalised decisions resulting in administrative fines totalling €1.55 billion, along with multiple reprimands and compliance orders being imposed, including:
    • In May 2023, the DPC announced the conclusion to a GDPR inquiry into Meta Platforms Ireland Limited concerning Data Transfers from the EU to the USA. The decision imposed a fine of €1.2 billion on Meta Ireland, in addition to an order to bring its processing operations into compliance.
    • In September 2023, the DPC issued its final decision in its inquiry into TikTok Technology Limited. The inquiry examined the processing of personal data relating to children by TikTok. The Decision ordered TikTok to bring its processing into compliance and imposed fines totalling €345 million.
  • In 2023 the DPC had its decisions to impose administrative fines on five different organisations, ranging between €15,000 and €750,000, confirmed in the Dublin Circuit Court. All of these fines have been collected and transferred to the central exchequer in Ireland.
    • In February 2023, the DPC issued its final decision in its inquiry into Bank of Ireland. This inquiry was in relation to a series of data breaches on the Bank of Ireland 365 app. The corrective powers exercised in this decision included a reprimand, a fine of €750,000 and an order to bring processing into compliance.
    • In January 2023, the DPC issued its final decision in its inquiry into Centric Health. The Inquiry was commenced following a ransomware attack affecting patient data held on Centric’s patient administration system where over 70,000 patients were affected. Some 2,500 patients were permanently affected as their data was deleted with no backup available. The Decision reprimanded Centric and imposed fines totalling €460,000.
  • The DPC received 11,200 new cases from individuals in 2023, representing a 20% increase on 2022. The DPC concluded 11,147 cases in 2023.
    • Of all cases received in 2023, 2,600 progressed to the complaint handling process, with 8,600 being dealt with relatively expeditiously.
    • The DPC resolved 3,218 complaints through the formal complaint-handling process (this figure includes complaints received prior to 2023).
  • The DPC received 156 valid cross-border complaints (as EU/EEA Lead Supervisory Authority). 82.5% of cross-border complaints received since 2018, where DPC is Lead Supervisory Authority, have been concluded.
  • The total number of valid breach notifications received in 2023 was 6,991, representing a 20% increase on 2022, while 92% of notifications received in 2023 were concluded by year end.
  • The DPC provided input and observations on over 37 pieces of proposed legislation, including statutory consultation on the Codes of Practice introduced under the Circular Economy and Miscellaneous Provisions Act 2022, which will provide a clear legal basis for Local Authorities to use recording devices such as CCTV and Body-worn Cameras for the prevention, investigation, detection, and prosecution of litter and waste management offences.
  • The DPC brought about the postponement or revision of four scheduled internet platform projects with implications for the rights and freedoms of individuals.
  • A total of 237 electronic direct marketing investigations were concluded in 2023 and the DPC prosecuted four companies for the sending of unsolicited marketing communications without consent. The Court returned convictions on all charges and it imposed fines totalling €2,000.
  • The DPC continued to be an active member of Ireland’s Digital Regulator’s Group, along with ComReg, the Competition and Consumer Protection Commission and Coimisiún na Meán (formerly the Broadcasting Authority of Ireland) as part of Ireland’s implementation of recent EU digital legislative developments.

Dr Des Hogan, Chairperson, Commissioner for Data Protection commented:

“My fellow Commissioner, Dale Sunderland, and I would like to take this opportunity to acknowledge with deep gratitude Commissioner Helen Dixon’s stewardship of the Commission over the past ten years. Commissioner Dixon was the sole Commissioner for Data Protection during her tenure which concluded in early 2024. Thanks to her leadership, and the commitment and tireless work of the DPC’s staff, we find ourselves taking over a respected and outward looking regulator; one with the values of vindicating the rights of the individual through fair and proportionate regulation.”

Commissioner Dale Sunderland reflected on what was a landmark year:

“2023 was a busy year in personal data rights protection. The year saw a significant increase in complaints dealt with by the Data Protection Commission with record fines issued and corrective orders imposed following cross-border and national inquiries. Throughout 2023, the DPC sought to uphold the individual’s right to the protection of their personal data. This critical work was greatly supported by Data Protection Officers and data protection staff and teams in organisations across the public, private and voluntary sectors who play a critical role in championing data protection rights, acting as a critical friend to those organisations by keeping the compliance conversation front and centre.”

Notes to editors

For cross-border inquiries, the DPC acts as the Lead Supervisory Authority (“LSA”) under the GDPR and works with its peer EU/EEA Supervisory Authorities to conclude inquiry decisions in accordance with the cooperation mechanism set out in Articles 60 to 65 of the GDPR. Article 60 of the GDPR outlines a procedure designed to facilitate the conclusion of decisions on the basis of consensus between the LSA and the Concerned Supervisory Authorities (“CSAs”). Through this mechanism, CSAs are enabled to share their views on the matter with the LSA. Where those views take the form of a relevant and reasoned objection, exchanged in response to the LSA’s draft decision, the LSA must take account of those objections by amending its draft decision, failing which it must refer the objections to the European Data Protection Board for determination pursuant to the Dispute Resolution process set out in Article 65 of the GDPR.

The Data Protection Commission is the national independent authority in Ireland responsible for upholding the fundamental right of EU persons to have their personal data protected. Accordingly, the DPC is the Irish supervisory authority tasked with monitoring the application of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

The Data Protection Commission Annual Report 2023 is now available.