Data watchdogs received almost 7,000 complaints from Irish last year

DPC’s €225m fine on WhatsApp was second-highest in Europe, according to survey

Irish people lodged almost 7,000 complaints with data protection watchdogs last year, the sixth-highest number in Europe, lawyers say.

A report from global law firm DLA Piper says European states fined businesses and other organisations €1.1 billion for data breaches in 2021, six times the €158.5 million in penalties imposed by authorities the previous year.

DLA's survey shows that Irish people reported 6,802 breaches to the State's Data Protection Commission (DPC), the body charged with ensuring organisations that hold personal information abide by the law.

The commission fined messaging service WhatsApp €225 million last year for four violations of the EU’s general data protection regulation (GDPR).

WhatsApp's European arm is appealing the ruling and has separately asked the High Court to review it, claiming that the decision was unconstitutional and that it denied the business fair procedures.

The penalty broke previous records set for data protection fines in the Republic and ranked as the second-highest sanction imposed in Europe last year.

The highest was Luxembourg's €746 million fine on internet giant Amazon for a series of offences.

Record-breaking penalty

The online store disagreed with the record-breaking penalty, pledging to challenge it.

Both the Republic and Luxembourg moved to the top of the EU league table for total fines imposed between May 2018, when GDPR became law, and the end of last year.

DLA Piper’s figures show that the DPC fined organisations here a total of €226 million last year. Luxembourg imposed penalties totalling €746.3 million in 2021.

The law firm's Data Breach Report 2022 notes that authorities in the EU, Iceland, Liechtenstein, Norway and the UK, where GDPR applies, received 130,000 complaints last year. This was 8 per cent more than in 2020.

John Magee, partner and head of data protection at DLA Piper, notes that four years after GDPR became law, Europe's authorities are imposing "signficant fines" for breaking the law.

"This year, regulators have issued record fines surpassing €1 billion, and Ireland now ranks second overall for total fines to date, demonstrating the significant position and influence of the DPC in the EU," he says.

Limiting

Mr Magee maintains that a court ruling limiting the information that organisations can pass to countries outside the European Economic Area poses the biggest challenge to businesses.

The July 2020 European court decision, Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II), means organisations risk fines, compensation claims and suspension orders for violating data laws.

“The Schrems II judgment has effectively shifted the problem and burden of a fundamental conflict of laws from the politicians and lawmakers to individual data exporters and importers,” Mr Magee said.

“Meeting the requirements of Schrems II is a challenge even for the most sophisticated and well-resourced organisations.”