Tuesday 19 March 2019

Data protection cases soar: three times as many breaches reported to commissioner as five years ago

In all, there were 4,740 data breach notifications recorded by Commissioner Helen Dixon's office during 2018

Data Protection Commissioner Helen Dixon. Picture: Steve Humphreys
Data Protection Commissioner Helen Dixon. Picture: Steve Humphreys
Adrian Weckler

Adrian Weckler

The number of reported data breach notifications to Ireland's Data Protection Commissioner (DPC) has almost doubled over the last year and is more than three times the number of five years ago.

In all, there were 4,740 data breach notifications recorded by Commissioner Helen Dixon's office during 2018, the bulk of which came after the introduction of the General Data Protection Regulation (GDPR) into Irish law in May of last year.

That figure was up from 2,795 reported data breaches in 2017 and 1,407 in 2013.

Thirty-eight of the breaches related to 11 multinational companies, according to a newly-released report from the DPC's office covering the period from May 25 to the end of 2018.

The report also disclosed that there were five successful prosecutions in the District Court under e-privacy laws, mostly for marketing abuses. Companies prosecuted included Vodafone, Dixons, the Kilkenny Group, Viking Direct and Starrus Holdings (Panda and Greenstar).

In all, the DPC received 31,000 'contacts', including 15,000 emails, 13,000 phone calls and 3,000 letters in the seven months to the end of 2018.

The watchdog also revealed that its staffing has grown from 85 at the start of 2018 to 135 by the beginning of February 2019.

And 1,000 new data protection officers (DPOs) around Ireland have been created since GDPR, the report claims.

"We will recruit an additional 30 staff this year in order to meet the demands of the tasks assigned under the GDPR and to deliver public value in what is an area of critical importance to society," said Ms Dixon.

The DPC opened 15 statutory inquiries into tech multinational companies, 10 of which relate to Facebook or its subsidiaries.

The DPC report says that some of the investigations were "commenced in response to a large number of breaches notified to the DPC during the period since May 25".

These include last September's so-called 'token breach', where up to five million Irish and European users were affected with some 30 million accounts worldwide put at risk to hackers.

Under the EU's new GDPR rules, Facebook faces a fine of over €2bn in a worst-case scenario.

Under European GDPR privacy law, offences come with a potential fine of up to 4pc of annual turnover or €20m. The regulation also facilitates the Irish DPC as Facebook's European regulator.

Other DPC investigations into multinational firms include two inquiries into Twitter, also being probed "in response to a large number of breaches notified to the DPC" and one inquiry into Linkedin.

Ms Dixon's office also has 31 separate statutory inquiries under way into local authorities around CCTV and the surveillance of citizens.

Dublin DataSec 2019, Ireland's data security conference takes place at the RDS on April 30. For more information and tickets click here. It is an Independent News & Media event.

Irish Independent

Also in Business