Decoding the Data Protection Commission’s 2023 Annual Report – Part 1: Data Breaches

The Irish Data Protection Commission (DPC) released its 148-page annual report on 29 May 2024 (the Annual Report), highlighting the scope of work and enforcement activities undertaken by the DPC throughout 2023. A full copy of the report is available here.

In this series of articles we decode the report – providing an insight into the key points of focus, emerging themes and potential areas of future regulatory developments. 

This article provides an overview of what this year's Annual Report tells us about data breach notifications, and what future trends it may indicate.

2023 saw quite a significant increase in the number of breach notifications made to the DPC, under the GDPR and ePrivacy Directive (ePD) regulatory regimes. However, the underlying cause and nature of the reported breaches remained consistent with previous years. 

Types of Breach Notifications

GDPR Breach Notifications 

Under Article 4(12) of the GDPR, a ‘personal data breach’ means a ‘breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. 

In the event that an organisation suffers a security incident which results in a personal data breach, and it is likely that the breach poses a risk to the rights and freedoms of a data subject, Article 33 of the GDPR requires the organisation to notify the relevant supervisory authority (which in Ireland is the DPC) without undue delay, and at the latest within 72 hours of the entity becoming aware of the breach. Under Article 34 of the GDPR, where a data breach poses a high risk to the individuals affected, those individuals must also be informed.

The DPC received 6,991 valid GDPR data breach notifications in 2023. This represented a 20% increase on the GDPR data breach numbers reported in 2022. There is no clear, single reason for this sudden change. It could be that there is increasing organisational awareness of the obligation to report breaches to the DPC, as GDPR compliance functions within businesses become more mature. Equally, it could simply be a “bad” year, where a large number of entities experienced some organisational issues. 

ePD Breach Notifications 

Under the ePD, a personal data breach is afforded the same definition as in the GDPR. In the event of a personal data breach, providers of “publicly available electronic communication services” (which includes services like internet access services and mobile phone services) are obliged to notify the relevant supervisory authority (which in Ireland is the DPC). Providers are obliged to make an initial notification no later than 24 hours after the first detection of the breach. 

The DPC received a total of 146 valid data-breach notifications under the e-Privacy Regulations (a 42% increase on the 2022 figure). 

This significant increase in ePD breach notifications is not hugely surprising, taking into consideration the implementation of the European Union (Electronic Communications Code) Regulations in Ireland (SI 444/2022) in September 2022. Following the amendment of the definition of "electronic communications service" within the ePrivacy framework, a broader range of services (such as "over-the-top" messaging services) now fall within the data breach notification obligation.

Law Enforcement Directive Breaches

The Law Enforcement Directive (Directive (EU) 2016/680) was transposed into Irish law by the Data Protection Act 2018 (the Act). The Law Enforcement Directive deals with the processing of personal data by law enforcement authorities for "law enforcement purposes", which is beyond the scope of the GDPR.

Similar to data breach obligations under the GDPR, under Section 86 of the Act, where a personal data breach occurs in respect of data used for law enforcement purposes, the relevant law enforcement authority must also notify the DPC within 72 hours. ‘Personal data’ is given the same definition as under the GDPR.

The DPC received 59 valid breach notifications in relation to the Law Enforcement Directive in 2023. This is an increase in the number of valid breach notifications received by the DPC in comparison to 2022.

Nature of Breach Notifications 

In line with previous years, the highest category of data breaches notified to the DPC in 2023 related to unauthorised disclosures, accounting for 52% of the total notifications. 

Unauthorised disclosures are typically organisational failures arising from human error where personal data is communicated to the wrong recipients – e.g. due to an incorrect postal or email address or even simple failures to appropriately amend “cc” and “bcc” email fields. Such breaches often only affect small numbers of individuals but depending on the circumstances, can have significant impacts for data subjects.

The DPC has categorised data breach notifications by nature under the following headings:

Sectors

In keeping with the trends of previous years, of the total 6,991 breach notifications that the DPC received in 2023, 3,766 related to the private sector, 2,968 to the public sector and the remaining 257 came from the voluntary and charity sector. Of those breach notifications received in 2023, 92% were concluded by year-end.

Public sector bodies and banks were again among the ‘top ten’ organisations with the highest number of breach notifications recorded against them, with a number of insurance and telecom companies also featuring in the top twenty. 

For more information on this or any other cybersecurity or data protection matters in Ireland, please reach out to the Technology team at A&L Goodbody. 

With thanks to Ellie Graham for her contribution to this article. 
