Inquiry into Airbnb Ireland UC - 28 September 2023
On 28 September 2023, following an inquiry concerning a complaint received against Airbnb Ireland UC (“Airbnb”), the Data Protection Commission (“the DPC”) adopted a decision.
The DPC had commenced this inquiry on 7 September 2022, on foot of a complaint that Airbnb had unlawfully requested a copy of the Complainant’s ID (“ID”) to verify their identity in order to complete a booking on the platform. The Complainant stated that he had concerns in relation to identity theft given the volume of personal data that he was required to submit in order to complete his accommodation booking. In this particular instance, the Complainant stated that Airbnb would not accept his booking until he verified his identity by providing a copy of his ID in addition to a newly taken photograph to ensure that the ID related only to the person making the booking. ID submitted by the Complainant was rejected as he had redacted certain information. Ultimately, however, the Complainant was able to verify his identity successfully by submitting a copy of his ID with only the online access code redacted.
In a further submission the Complainant stated that Airbnb initially misunderstood what he wanted to do and thought he wanted to erase his Airbnb account. He stated that Airbnb requested another copy of ID. In addition to the complaint regarding ID verification the Complainant also wanted Airbnb to delete his ID card, both redacted and unredacted versions.
The scope of the inquiry concerned an examination and assessment of the following:
- Whether Airbnb had a lawful basis for requesting a copy/copies of the Complainant’s ID and/or photograph/s in order to verify his identity, so that he could complete his booking on the platform.
- Whether Airbnb complied with the principle of data minimisation when requesting an unredacted copy of the Complainant’s ID and/or photograph/s in order to verify his identity and when processing personal data relating to same processing.
- Whether Airbnb had a lawful basis for retaining a copy of the Complainant’s ID after it had verified his identity.
- Whether Airbnb complied with the principles of transparency and provision of information where the Complainant’s personal data was collected.
- Whether Airbnb received an Article 17 erasure request from the data subject and if so, whether Airbnb’s handling of the Complainant’s erasure request complied with the GDPR and the Act.
As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion. As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR. The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR.
The decision, which was adopted on Thursday 28 September 2023, records findings of infringement as follows:
- Article 5(1)(c), Article 5(1)(e) and Article 6(1)(f) of the GDPR
The DPC found that Airbnb did not validly rely on Article 6(1)(f) of the GDPR as the legal basis for processing the Complainant’s photographic ID and supplemental photographs; that Airbnb’s requirement that the Complainant verify his identity by submitting a complete and unredacted copy of his photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c); that by retaining, after the identity verification process was successfully completed and until 2 February 2021 a copy of the Complainant’s un-redacted ID documents, Airbnb infringed the principle of data minimisation in Article 5(1)(c) and the principle of storage limitation in Article 5(1)(e); by retaining, after the identity verification process was successfully completed and for the duration of the user’s account, a copy of the Complainant’s supplemental images, Airbnb infringed the principle of data minimisation and the principle of storage limitation; and that Airbnb’s processing and retention until 2 February, 2021 of identity documents that it deemed inadequate or insufficient to verify the identity of the Complainant infringed the principle of data minimisation and the principle of storage limitation.
In light of the infringements of Article 5(1)(c), Article 5(1)(e) and Article 6(1)(f) the DPC issued a reprimand to Airbnb pursuant to Article 58(2)(b) of the GDPR. In addition, the DPC made the following orders against Airbnb pursuant to Article 58(2)(d) to remedy the infringements identified in this case and to prevent similar infringements occurring with regard to data subjects in the future in similar circumstances.
- delete from all of its systems and records the supplemental photographs that the Complainant uploaded (keeping only a record that such documentation was submitted and the date of submission). Details of compliance with this order should be provided to the DPC by Airbnb by Thursday, 21 December 2023.
- revise its internal policies and procedures to ensure that the seeking of photographic ID and supplemental photographs in the verification process for users is used only where necessary, proportionate and in accordance with the GDPR for the purpose for which the personal data is collected and processed, having regard, in particular, to Airbnb’s legal obligations and the issue of whether less privacy intrusive verification methods are available and effective. Details of compliance with this order should be provided to the DPC by Airbnb by Thursday, 21 December 2023.
For more information, you can download the full decision at this link: Inquiry into Airbnb Ireland UC - 28 September 2023 (PDF, 3mb)
Inquiry into Airbnb Ireland UC
On 14 September 2023, the Data Protection Commission (DPC) adopted a decision in relation to a complaint against Airbnb Ireland UC (Airbnb), which was submitted to the Cypriot DPA, in its capacity as the concerned supervisory authority and thereafter referred to the DPC in its capacity as lead supervisory authority.
The DPC commenced this inquiry on 7 October 2022, on foot of a complaint that Airbnb did not properly comply with its obligations and the complainant’s rights under the GDPR. In particular:
- That Airbnb did not properly comply with his erasure request,
- That Airbnb unlawfully retained his personal data,
- That it did not comply with the data minimisation principle, and
- That Airbnb failed to comply with the principles of transparency and provision of information.
In this case, the data subject had submitted an erasure request to Airbnb. Airbnb responded to the data subject requesting that he verify his identity for the purpose of authenticating his erasure request, and once authenticated it informed the data subject that his personal data would be deleted unless it was permitted or required to retain data.
Airbnb did not further update the data subject in respect of his erasure request and as far as he was concerned his accounts and personal data had been deleted on foot of his erasure request. Airbnb ultimately retained the complainant’s accounts and did not delete any personal data in relation to the accounts on the advice of legal counsel following an alleged serious incident at an Airbnb listing that was the subject of a police investigation and legal proceedings.
The DPC first attempted through complaint handling to facilitate the amicable resolution of the complaint between the parties. However, ultimately an inquiry and an Article 60 decision were required to bring the case to a conclusion.
Airbnb stated that it retained the complainant’s data on the basis of the legitimate interests of those involved in or otherwise connected with the underlying police investigation and legal proceedings, including the wider public interest in preserving the integrity of police investigations and judicial processes, and the legitimate interests of Airbnb, its users, partners and those otherwise associated with the platform in keeping the Airbnb platform safe.
In its decision, the DPC:
- Was satisfied that Airbnb validly relied on Article 6(1)(f) as the lawful basis for the retention of the complainant’s personal data;
- Found that Airbnb validly relied on Article 17()(e) and that it did not infringe Article 17(1) when it restricted the complainant’s right of erasure of his personal data;
- Found that Airbnb’s retention of the complainant’s personal data in its entirety across a number of his accounts did not infringe the principle of data minimisation in Article 5(1)(c).
Following the investigation of the complaint against Airbnb Ireland UC, the DPC was of the opinion that, in the circumstances of the complainant’s case, Airbnb Ireland UC:
- Infringed Article 12(4) of the GDPR with respect to its handling of the complainant’s erasure request by failing to inform him without delay and at the latest within one month of receipt of the request of the reasons for not taking action on it and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Following consultation and agreement from the supervisory authorities concerned, the DPC has now adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. The decision of the DPC also applied the following corrective power:
- The DPC issued a reprimand to Airbnb Ireland UC, pursuant to Article 58(2)(b) of the GDPR.
For more information, you can download the full decision at this link: Inquiry into Airbnb Ireland UC - September 2023 (PDF, 8mb)
Inquiry into TikTok Technology Limited
The Data Protection Commission (DPC) adopted its final decision regarding its inquiry into TikTok Technology Limited (TTL) on 1 September 2023.
This own-volition inquiry sought to examine the extent to which, during the period between 31 July 2020 and 31 December 2020 (the Relevant Period), TTL complied with its obligations under the GDPR in relation to its processing of personal data relating to child users of the TikTok platform in the context of:
- Certain TikTok platform settings, including public-by-default settings as well as the settings associated with the ‘Family Pairing’ feature; and
- Age verification as part of the registration process.
As part of the inquiry, the DPC also examined certain of TTL’s transparency obligations, including the extent of information provided to child users in relation to default settings.
At the conclusion of its investigation, the DPC submitted a draft decision to all Supervisory Authorities Concerned (CSAs), for the purpose of Article 60(3) GDPR, on 13 September 2022. The DPC’s draft decision proposed findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1) and 13(1)(e) GDPR, in relation to the above processing. While there was broad consensus on the DPC’s proposed findings, objections to the draft decision were raised by the Supervisory Authorities (each an SA, collectively SAs) of Italy and Berlin (acting on behalf of itself and the Baden-Württemberg SA).
The objection raised by the Berlin SA sought the inclusion of an additional finding of infringement of the Article 5(1)(a) GDPR principle of fairness as regards ‘dark patterns’ while the objection raised by the Italian SA sought to reverse the DPC’s proposed finding of compliance with Article 25 GDPR, as regards TTL’s approach to age verification during the Relevant Period. The DPC was unable to reach consensus with the CSAs on the subject-matter of the objections and, in the circumstances, decided to refer the objections to the EDPB for determination pursuant to the Article 65 GDPR dispute resolution mechanism.
The European Data Protection Board adopted its binding decision on the subject matter of the objections on 2 August 2023 with a direction that the DPC must amend its draft decision to include a new finding of infringement of the Article 5(1)(a) GDPR principle of fairness, further to the objection raised by the Berlin SA, and to extend the scope of the existing order to bring processing into compliance, to include reference to the remedial work required to address this new finding of infringement.
The DPC’s decision, which was adopted on 1 September 2023, records findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), 13(1)(e) and 5(1)(a) GDPR.
The decision further exercises the following corrective powers:
- A reprimand;
- An order requiring TTL to bring its processing into compliance by taking the action specified within a period of three months from the date on which the DPC’s decision is notified to TTL; and
- Administrative fines totalling €345 million.
For more information, you can download the full decision at this link: Inquiry into TikTok Technology Limited - September 2023 (PDF, 5.9mb).

Inquiry into Galway County Council
This inquiry sought to assess whether Galway County Council was processing personal data in compliance with the GDPR and the Data Protection Act 2018. The inquiry examined a number of the Council’s processing operations including its use of CCTV cameras in public places used for the purposes of prosecuting crime or other purposes.
The findings made in the decision include:
- Findings that Galway County Council lacked a valid legal basis for processing of personal data from CCTV, ANPR and body-worn cameras.
- Findings that Galway County Council failed to erect appropriately worded and located signage in respect of the processing of personal data collected via these CCTV cameras for purposes related to law enforcement.
The other findings in the decision include infringements relating to Galway County Council’s obligations to carry out data protection impact assessments, to maintain data logs for specific accesses to CCTV recordings, and to implement appropriate technical and organisational measures.
Corrective Powers Exercised:
- A temporary ban on the processing of personal data through CCTV cameras and ANPR cameras at a number of locations until a valid legal basis can be identified.
- A temporary ban on the processing of personal data through body-worn cameras until a valid legal basis can be identified.
- An order to Galway County Council to bring its processing of personal data into compliance taking certain actions specified in the decision.
- A reprimand in respect of Galway County Council’s infringement of Article 24 GDPR.
For more information, you can download the full decision at this link: Inquiry into Galway County Council - August 2023 (PDF, 2.6mb).
Inquiry into Airbnb Ireland UC
On 20 July 2023, following an inquiry the Data Protection Commission (DPC) adopted a decision to exercise corrective powers on Airbnb Ireland UC (Airbnb).
The DPC commenced this inquiry on 22 December 2022, on foot of a complaint that Airbnb failed to comply with an access request and subsequent erasure request within the statutory timeframe and, further, that when the Complainant submitted their access and erasure requests, Airbnb requested that they verify their identity by providing a photocopy of their identity document (ID), which they had not previously provided to Airbnb.
The scope of the inquiry concerned an examination and assessment of the following:
1) Whether Airbnb’s provision of the personal data and information concerning the processing of that personal data in response to the Complainant’s access request was compliant with the GDPR and the Data Protection Act 2018.
2) Whether Airbnb’s handling of the Complainant’s access request was compliant with the GDPR and the Act insofar as the information provided to the Complainant was in a concise, transparent, intelligible and easily accessible form using clear and plain language as specified by Article 12(1) of the GDPR.
3) Whether Airbnb’s handling of the Complainant’s erasure request was compliant with the GDPR and the Act.
4(a) Whether Airbnb had a lawful basis for requesting a copy of the Complainant’s ID, and upon their refusal to provide same, whether Airbnb had a lawful basis to thereafter request a telephone call in order to verify the Complainant’s identity in circumstances where he had submitted a request for access and erasure pursuant to Articles 15 and 17 GDPR; and
4(b) Whether Airbnb’s obligation to provide information on action taken in response to the access and erasure requests without undue delay pursuant to Article 12(3) GDPR was suspended until after the verification of the Complainant’s identity by phone call.
As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion.
As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR.
The DPC adopted its decision in respect of this Complaint in accordance with Article 60(7) of the GDPR.
The decision, which was adopted on 20 July 2023, records findings of infringement as follows:
- Article 5(1)(c) of the GDPR
The DPC finds that Airbnb’s request that the Complainant verify their identity by way of submission of a copy of their ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c) of the GDPR. This infringement occurred in circumstances where less data-driven solutions to the question of identity verification were available to Airbnb.
- Article 6(1)(f) of the GDPR
The DPC finds that, in the specific circumstances of this Complaint, the legitimate interest pursued by Airbnb did not constitute a valid lawful basis under Article 6(1)(f) of the GDPR for seeking a copy of the Complainant’s ID in order to process the Complainant’s access and erasure requests.
- Article 15(1) of the GDPR
The DPC finds that Airbnb infringed Article 15(1) of the GDPR at the time of first processing the Complainant’s access request by not providing the Complainant with access to all of their personal data that was being processed by Airbnb on the date of receipt of their access request.
- Article 12(1) of the GDPR
The DPC finds that Airbnb infringed Article 12(1) of the GDPR at the time of first processing the Complainant’s access request by failing to provide the Complainant with an access file that was of a concise, transparent, intelligible and easily accessible form.
- Article 12(3) of the GDPR
The DPC finds that Airbnb failed to provide information to the Complainant on the actions taken on their access and erasure requests within one month of receipt of the requests and therefore failed in its obligations under Article 12(3) of the GDPR.
Corrective Powers Exercised:
- An order for Airbnb to revise its internal policies and procedures as regards the default position to provide a cover email in English when a data protection rights request is received outside the privacy portal.
- A reprimand to Airbnb Ireland UC pursuant to Article 58(2)(b) of the GDPR.
For more information, you can download the full decision at this link: Inquiry into Airbnb Ireland UC - July 2023 (PDF, 4.5mb).
Inquiry concerning Airbnb Ireland UC
On 21 June 2023, following an inquiry concerning a complaint received against Airbnb Ireland UC (Airbnb), the Data Protection Commission (the DPC) adopted a decision.
The DPC commenced this inquiry on 4 March 2022, on foot of a complaint that Airbnb had unlawfully requested a copy of the Complainant’s ID (ID) in order to verify their identity which had not been previously requested by Airbnb. The Complainant further contended that this went against the principles of data minimisation and that Airbnb had also failed to comply with the principles of transparency and provision of information. Initial attempts by the Complainant to verify their identity had been rejected by Airbnb as the ID provided did not meet their criteria. Ultimately the Complainant verified their identity.
The scope of the inquiry concerned an examination and assessment of the following:
- Whether Airbnb had a lawful basis for processing a copy/copies of the Complainant’s ID and/or photograph/s in order to verify their identity, in particular in circumstances where they, as a registered member/host with Airbnb, had not previously provided their ID to Airbnb.
- Whether Airbnb complied with the principle of data minimisation when requesting a copy of the Complainant’s ID and/or photograph/s in order to verify their account and when processing data relating to same.
- Whether Airbnb complied with the Conditions for Consent by making the Complainant’s continued use of/access to their account and the service conditional on the Complainant submitting their ID and/or photograph/s in order to verify their identity and the processing of this personal data.
- Whether Airbnb complied with principles of transparency and provision of information where the Complainant’s personal data was collected.
As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion. As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR. The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR.
The decision, which was adopted on Wednesday, 21 June 2023, records findings of infringement as follows:
- Article 5(1)(c) and Article 5(1)(e) of the GDPR
The DPC found that Airbnb’s retention of a copy of the Complainant’s identity documentation following the successful completion of the identity verification process infringed the principles of data minimisation in Article 5(1)(c) and the principle of storage limitation in Article 5(1)(e). Furthermore, the DPC found that the continued processing and retention of partially redacted and out-of-date identity documents that had been deemed inadequate or insufficient to verify the identity of the Complainant infringed the principle of data minimisation that is set out in Article 5(1)(c) and the principle of storage limitation that is set out in Article 5(1)(e).
Following consultation with the supervisory authorities concerned, the DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. In light of the infringements of Article 5(1)(c) and Article 5(1)(e) the DPC issued a reprimand to Airbnb pursuant to Article 58(2)(b) of the GDPR. In addition, the DPC made the following orders against Airbnb pursuant to Article 58(2)(d) to remedy the infringements identified in this case and to prevent similar infringements occurring with regard to data subjects in the future in similar circumstances:
- Delete from all of its systems and records the redacted and out-of-date copies of the Complainant’s identity documents that the Complainant attempted to upload.
- Delete from all of its systems and records the identity documents that the Complainant uploaded (keeping only a record that such documentation was submitted as well as the date of submission).
- Subject to compliance with EU and Member State law, revise its internal policies and procedures concerning user identity verification to ensure that (i) once the identity of data subjects has been verified to Airbnb’s satisfaction, Airbnb discontinues the practice of retaining improperly redacted and/or out-of-date identity documents that may be submitted by data subjects as part of the identity verification process, and (ii) the period for which valid or fraudulent/illegitimate identification documents (which includes identification documents validly redacted in accordance with laws which require certain redactions) submitted by data subjects as part of the identity verification process are stored is limited to a strict minimum (in accordance with Recital 39 of the GDPR).
For more information, you can download the full decision at this link: Inquiry concerning Airbnb Ireland UC - June 2023 (PDF, 6.24mb).
Inquiry concerning the Department of Health
The Data Protection Commission (DPC) has completed an inquiry into certain aspects of the Department of Health’s processing of personal data in 29 litigation files. The inquiry was commenced following public allegations in 2021 that the Department had unlawfully collected and processed personal data about plaintiffs and their families in special educational needs litigation.
On the files examined, the DPC found evidence that the Department sought information from the HSE about services that were provided to plaintiffs and their families. The Department also included broadly worded questions asking the HSE to share “any other issues HSE feels worth mentioning.” This broad question resulted in the provision of private information about the lives of plaintiffs and their families.
The Department told the DPC that they processed this personal data for the purposes of determining whether an approach should be made to the plaintiff to seek to settle the case. The DPC considered whether it complied with data protection law for the Department to process the personal data for this reason. Under sections 41 and 47 of the Data Protection Act 2018, controllers can process personal data where it is necessary to provide or obtain legal advice or in the context of legal proceedings. In order to determine whether personal data had been lawfully processed by the Department under this provision, the DPC applied the EU law principles of necessity and proportionality.
The DPC found that the Department did not infringe data protection law by seeking information about the services that were being provided to plaintiffs in relation to cases where there was open litigation. However, the DPC found that the Department did infringe data protection law by asking broad questions that resulted in the provision of sensitive information about the private lives of plaintiffs and their families. This information included details about plaintiffs’ jobs and living circumstances, information about their parents’ marital difficulties and, in one case, information received directly from a doctor about the services that were being provided to the plaintiff.
The DPC found that the processing of information obtained in response to broad scoping questions sent to the HSE for the purposes of seeking to settle a case was excessive and disproportionate to the aims pursued by the Department and that the processing for this reason was not necessary for the purposes of litigation. Therefore the DPC found that there was no lawful basis for this processing in the files examined, and that the Department had infringed the principle of data minimisation by processing this personal data.
Having regard to the relevant factors under the GDPR and the fining cap for public authorities under the Data Protection Act 2018, the DPC decided to impose a fine of €22,500 for these infringements. The DPC also imposed a ban on further processing the sensitive data in the files examined for the purposes of determining an appropriate time to settle a case.
During the inquiry, the DPC found that the Department retained other information that it had collected from the HSE and that it had received from other government departments on its files. The DPC did not find evidence on the 29 litigation files examined that the Department had proactively sought information from other government departments. The DPC also did not find an infringement of data protection law arising from the fact that the Department stored this information for the purposes of defending litigation. The files relate to active litigation and the DPC recognised that there are a number of obligations that require defendants to retain documents that relate to open litigation.
Additionally, the DPC found infringements of the transparency obligations under the GDPR. The inquiry found that the Department did not include details of its practices in its privacy notice. In particular, the privacy notice did not convey the extent of information sharing that took place between the Department and the HSE. The DPC found that the Department could not rely on any exemptions under the Data Protection Act 2018 to avoid providing summary information about those practices in its privacy policy.
The DPC also found that the Department had infringed the requirements to process personal data securely. The inquiry found that the Department ought to have ensured that better internal access restrictions were in place in relation to the files.
In addition to the fine and ban on processing outlined above, a reprimand was imposed for all of the infringements.
For more information, you can download the full decision at this link: Inquiry concerning the Department of Health - June 2023 (PDF, 1.35mb).
Inquiry concerning data transfers from the EU/EEA to the US by Meta Platforms Ireland Limited for its Facebook service
This inquiry examined the basis upon which Meta Platforms Ireland Limited (“Meta Ireland”) transfers personal data from the EU/EEA to the US in connection with the delivery of its Facebook service.
The decision records that Meta Ireland infringed Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the Court of Justice of the European Union’s (CJEU’s) judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. While Meta Ireland effected those transfers on the basis of the updated Standard Contractual Clauses (“SCCs”) that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.
The inquiry was initially commenced in August 2020, and was subsequently stayed by Order of the High Court of Ireland, pending the resolution of a series of legal proceedings, until 20 May 2021. Following a comprehensive investigation, the DPC prepared a draft decision dated 6 July 2022. Notably, it found that:
- The data transfers in question were being carried out in breach of Article 46(1) GDPR; and
- In these circumstances, the data transfers should be suspended.
Under a cooperation procedure mandated by the GDPR (Article 60), the draft decision prepared by the DPC was submitted to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (“CSAs”). The nature of the processing under examination by the inquiry was such that all other EU/EEA Supervisory Authorities were engaged as CSAs for the purpose of the cooperation procedure.
On the question of Meta Ireland’s non-compliance with the GDPR, and the DPC’s proposal to make an order to suspend the data transfers, the CSAs agreed with the DPC’s decision.
A small number (four) of the 47 CSAs raised objections in relation to the corrective power that the DPC proposed to exercise by way of the draft decision. Within this subset of CSAs, all four CSAs took the view that Meta Ireland should be subject to an administrative fine for the infringement that was found to have occurred. Two of those CSAs also took the view that Meta Ireland should be ordered to take action to address the personal data that had already been unlawfully transferred to the US, i.e. the data transferred from July 2020 to the present.
The DPC disagreed, reflecting its view that the exercise of additional corrective powers, beyond the proposed suspension order, would exceed the extent of powers that could be described as being “appropriate, proportionate and necessary” to address the infringement of Article 46(1) GDPR.
Following an informal consultation process, it became clear that consensus could not be reached. Consistent with its obligations under the GDPR, the DPC referred the objections to the European Data Protection Board (“the EDPB”) for determination pursuant to the Article 65 dispute resolution mechanism.
The EDPB adopted its decision on 13 April 2023.
Corrective Powers Exercised:
Consistent with its obligations to adopt its final decision “on the basis of” the EDPB’s decision, the DPC’s decision of 12 May 2023 records the exercise of the following corrective powers by the DPC:
- An order, made pursuant to Article 58(2)(j) GDPR, requiring Meta Ireland to suspend any future transfer of personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta Ireland;
- An administrative fine in the amount of €1.2 billion (reflecting the EDPB’s determination that an administrative fine ought to be imposed, to sanction the infringement that was found to have occurred. The DPC determined the amount of the fine to be imposed by reference to the assessments and determinations that were included in the EDPB’s decision); and
- An order, made pursuant to Article 58(2)(d) GDPR, requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months following the date of notification of the DPC’s decision to Meta Ireland.
For more information, you can download the full decision at this link: Inquiry into Meta Platforms Ireland Limited (previously known as Facebook Ireland Limited) - May 2023 (PDF, 1.48mb).
Inquiry into processing of Church Records by the Archbishop of Dublin
The DPC commenced the Inquiry following receipt of a number of complaints from data subjects who wished to obtain erasure in relation to their personal data processed in church registers. All of the data subjects had written to either their parish or to the Archdiocese asking for the erasure of their data pursuant to Article 17 GDPR.
Key findings within the Decision include that:
- The Archbishop may lawfully rely on legitimate interests under Article 6(1)(f) GDPR as a legal basis for the processing of personal data of data subjects which are recorded in the Baptism Register, even in such instances where a data subject no longer wishes to be associated with the Catholic Church;
- Subject to safeguards, the Archbishop’s interests in retaining the personal data contained in the Baptism Registers are not overridden by the interests or fundamental rights and freedoms of the data subjects;
- The Archbishop may rely on the legal basis under Article 9(2)(d) of the GDPR for the processing of data subjects’ special category data during the course of their lifetime;
- The Archbishop, in processing the special category personal data in the Baptism Registers, has in place appropriate safeguards for such processing as required under Article 9(2)(d) GDPR;
- Data subjects may exercise the right to request rectification of the personal data contained in the Baptism Registers, in accordance with Article 16 GDPR;
- The Archbishop must comply with his obligations under Article 12(3) and Article 12(4) of the GDPR in order to facilitate requests in relation to data subjects’ rights under Articles 15 to 22 of the GDPR;
- Data subjects who no longer consider themselves to be members of the Catholic Church do not have the right to obtain erasure of their personal data in the Baptism Registers under the grounds set out at Article 17(1)(a)-(f) of the GDPR;
- In circumstances where a data subject no longer wishes to be a member of the Catholic Church, a supplementary statement could be added by the Archbishop to the Baptism Register entry stating “No longer wishes to be identified as a Roman Catholic”.
Corrective powers exercised
The Archbishop should now make clear that all personal data collected and recorded and otherwise processed for the purposes of the administration of sacraments is permanently retained. The Archbishop is to:
i. update the Privacy Policy of the Archdiocese to identify that the Archbishop is the data controller for the processing of personal data and special category data held in all Baptism Registers within his Archdiocese;
ii. set out in the Privacy Policy the lawful basis of such processing together with the retention periods for such personal data;
iii. set out in the Privacy Policy that the subsequent administration of certain sacraments to an individual such as confirmation, marriage/annulment and ordination/laicisation (or adoption) are marked on the record in the Baptism Register, explaining why this is so;
iv. ensure that the parishes within the Archdiocese make the relevant Privacy Policy accessible and available to those undertaking sacraments.
For more information, you can download the full decision at this link: Inquiry into processing of Church Records by the Archbishop of Dublin ('the Archbishop') - February 2023
Inquiry into Bank of Ireland 365
The inquiry was commenced after BOI notified the DPC of a series of 10 data breaches relating to the BOI365 banking app. The data breach notifications concerned individuals gaining unauthorised access to other people’s accounts via the BOI365 app.
The decision considered whether BOI had complied with Articles 5(1)(f) and 32(1) GDPR and, in particular, whether BOI had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing of data via the BOI365 app. After investigation, the decision found that BOI had infringed its obligations under Articles 5(1) and 32(1) GDPR as the technical and organisational measures in place at the time were not sufficient to ensure the security of the personal data processed on the BOI365 app.
Corrective Powers Exercised:
- The decision issued BOI with a reprimand in respect of the infringements of Articles 5(1)(f) and 32(1) GDPR.
- The decision ordered BOI to bring its processing into compliance with Articles 5(1)(f) and 32(1) GDPR.
- The decision imposed an administrative fine on BOI in the amount of €750,000 in respect of the infringement of Article 5(1)(f) GDPR.
For more information, you can download the full decision at this link: Inquiry into Bank of Ireland 365 - February 2023 (PDF, 1.8mb).