The child and family agency, Tusla, has become the first organisation in Ireland to be fined by the Data Protection Commission (the “DPC”) for breaches of the EU General Data Protection Regulation (“GDPR”). The breaches related to three separate incidents where information about children was wrongly disclosed by Tusla to unauthorised parties. In one incident, the contact and location information of a mother and a child were disclosed to an alleged offender, and in the two other incidents, information about children in foster care was improperly disclosed to relatives, including to a father in prison. Tusla reported these data breaches to the DPC in 2018 and 2019, and following separate investigations which were conducted by the DPC, Tusla was fined €75,000.
In accordance with section 143 of the Data Protection Act 2018, when the DPC imposes a fine which is not appealed, it must make a summary application to the Circuit Court to have the fine confirmed. Such an application was made by the DPC last week and the fine was confirmed. It has also been confirmed that the DPC is continuing to investigate Tusla in respect of a number of other breaches.
Fines
The statutory powers, duties and functions of the DPC are established under the Data Protection Act and provide the DPC with a wide range of enforcement powers to ensure compliance with the GDPR. In Ireland, public bodies or authorities are liable to pay a maximum fine of €1 million for non-compliance with the GDPR, while companies are liable to pay a maximum fine of €20 million, or 4% of their annual global turnover for the previous year (whichever is higher).
Given that the breaches were serious and related to the unauthorised disclosure of sensitive information about children, the fine handed out to Tusla appears to be relatively small considering that the maximum permitted fine for public authorities is €1 million. This fine is, however, comparable to a recent fine of €73,600 which was imposed by the Norwegian authorities on the Norwegian Supervisory Authority after it improperly made available health information about a number of vulnerable children with physical and mental disabilities on a digital learning platform.
It is also worth remembering that the DPC, like the Information Commissioner’s Office in the UK and other regulators, has indicated that its preference is to engage with and encourage organisations, using ‘the carrot’ rather than ‘the stick’.
Impact
In line with the GDPR, the DPC is due to report on its implementation later this year and will assess the progress made after two years of application.
From an Irish perspective, it would certainly appear that the GDPR’s objective of providing a uniform interpretation and application of data protection standards across the EU is on track. Irish and EU citizens are increasingly aware of data protection rules and their rights. Indeed, in its most recent annual report, the DPC announced that there had been a 75% increase in the total number of complaints received by the office. In addition, the DPC has announced that it is conducting a number of statutory inquiries into companies including Facebook, Twitter and Apple, and as of 31 December 2019, the office had 70 ongoing statutory inquiries, including 49 domestic inquiries. Going forward, we are likely to see an increase in the number of fines imposed and investigations conducted – particularly having regard to the number of large multinational companies that have based their European headquarters in Ireland.
Although this is the first fine handed out in this jurisdiction for breaches of the GDPR, it shows that, in appropriate circumstances, the DPC will exercise its enforcement powers to ensure compliance with data protection laws. It should serve as a welcome reminder to all Irish companies and state bodies of their obligations as data controllers and processors under the GDPR.
DAC Beachcroft Breach Response Planner
The DAC Beachcroft Breach Response Planner provides a step-by-step guide to building a practical plan for managing data breaches and other cyber incidents. The planner includes helpful tips and default content that can be easily customised. Your plan is easily and securely accessible at any time, from anywhere, on any device. It connects all your key stakeholders, keeps them informed and supports best-practice breach response.