From the Data Protection Commission:
The Data Protection Commission has today launched its Annual Report for 2023.
Highlights of the 2023 Annual Report include:
- The DPC issued 19 finalised decisions resulting in administrative fines totalling €1.55 billion, along with multiple reprimands and compliance orders being imposed, including:
  - In May 2023, the DPC announced the conclusion to a GDPR inquiry into Meta Platforms Ireland Limited concerning Data Transfers from the EU to the USA. The decision imposed a fine of €1.2 billion on Meta Ireland, in addition to an order to bring its processing operations into compliance.
  - In September 2023, the DPC issued its final decision in its inquiry into TikTok Technology Limited. The inquiry examined the processing of personal data relating to children by TikTok. The Decision ordered TikTok to bring its processing into compliance and imposed fines totalling €345 million.
  - In 2023 the DPC had its decisions to impose administrative fines on five different organisations, ranging between €15,000 and €750,000, confirmed in the Dublin Circuit Court. All of these fines have been collected and transferred to the central exchequer in Ireland.
  - In February 2023, the DPC issued its final decision in its inquiry into Bank of Ireland. This inquiry was in relation to a series of data breaches on the Bank of Ireland 365 app. The corrective powers exercised in this decision included a reprimand, a fine of €750,000 and an order to bring processing into compliance.
  - In January 2023, the DPC issued its final decision in its inquiry into Centric Health. The Inquiry was commenced following a ransomware attack affecting patient data held on Centric’s patient administration system where over 70,000 patients were affected. Some 2,500 patients were permanently affected as their data was deleted with no backup available. The Decision reprimanded Centric and imposed fines totalling €460,000.
- The DPC received 11,200 new cases from individuals in 2023, representing a 20% increase on 2022. The DPC concluded 11,147 cases in 2023.
- Of all cases received in 2023, 2,600 progressed to the complaint handling process, with 8,600 being dealt with relatively expeditiously.
- The DPC resolved 3,218 complaints through the formal complaint-handling process (This figure includes complaints received prior to 2023).
- The DPC received 156 valid cross-border complaints (as EU/EEA Lead Supervisory Authority). 82.5% of cross-border complaints received since 2018, where DPC is Lead Supervisory Authority, have been concluded.
- Total valid breach notifications received in 2023 was 6,991, representing a 20% increase on 2022, while 92% of notifications received in 2023 were concluded by year end.
- The DPC provided input and observations on over 37 pieces of proposed legislation, including statutory consultation on the Codes of Practice introduced under the Circular Economy and Miscellaneous Provisions Act 2022, which will provide a clear legal basis for Local Authorities to use recording devices such as CCTV and Body-worn Cameras for the prevention, investigation, detection, and prosecution of litter and waste management offences.
- The DPC brought about the postponement or revision of four scheduled internet platform projects with implications for the rights and freedoms of individuals.
- A total of 237 electronic direct marketing investigations were concluded in 2023 and the DPC prosecuted four companies for the sending of unsolicited marketing communications without consent. The Court returned convictions on all charges and it imposed fines totalling €2,000.
- The DPC continued to be an active member of Ireland’s Digital Regulator’s Group, along with ComReg, the Competition and Consumer Protection Commission and Coimisiún na Meán (formerly the Broadcasting Authority of Ireland) as part of Ireland’s implementation of recent EU digital legislative developments.
For comments by the commissioners, read more at dataprotection.ie.