Irish data watchdog reveals 20% increase in data cases handled in 2023

The DPC reports a busy year with increasing cases and GDPR breaches, and a record fine on Meta.

The Data Protection Commission (DPC) in Ireland had a busy year in 2023, processing a total of 11,200 new cases – a 20% increase on the 9,370 cases in 2022.

The Commission also announced in its Annual Report 2023 that valid GDPR breach notifications increased from 5,828 in 2022 to 6,991 in 2023 – also a 20% increase. The top five subject to feature in queries and complaints for GDPR breaches were:

  • access requests;
  • fair-processing;
  • disclosure;
  • direct marketing; and
  • right to erasure.

The Commission had also 89 statutory inquiries, including 51 cross-border inquiries, and called 2023 a “landmark year”. Commissioner Dale Sunderland said: “2023 was a busy year in personal data rights protection. The year saw a significant increase in complaints dealt with by the Data Protection Commission with record fines issued and corrective orders imposed following cross-border and national inquiries.”

Unlawful CCTV

Another big topic in 2023 was CCTV, with a significant increase in the number of queries regarding surveillance of individuals in public and private spheres. The Commission also took enforcement action against local authorities and companies that had processed individuals’ data via CCTV without a lawful basis.

“Organizations who collect CCTV footage must have a clear justification and lawful basis to do so. Subsequent sharing of that information/imagery similarly requires a clear, lawful basis,” Des Hogan, Chairperson, Commissioner for Data Protection, said.

One action was taken against Kildare County Council, which was fined €50,000 ($54,160) and handed a temporary ban on CCTV cameras. Galway County Council was also handed a temporary ban on CCTV cameras, plus temporary bans on ANPR (Automatic Number Plate Recognition), and on use of body worn cameras.

Record Meta fine

During the year, the DPC issued seven administrative fines against five different organizations – totalling more than €1.5 billion ($1.6 billion). That is a slight decrease on 2022 when nine fines totalling over €1.6 billion ($1.7 billion) were imposed. The most notable fine was the record €1.2 billion ($1.3 billion) penalty served on Meta in May 2023 for breaching Article 46(1) GDPR when transferring personal data from the EU to the USA.

Second biggest fine of €345m ($374m) was made against TikTok in September 2023 because of multiple GDPR failures in how children’s personal data was processed by the social media giant.

The DPC also concluded a total of 237 electronic direct marketing investigations, and four companies were prosecuted for the sending of unsolicited marketing communications without consent. 

In 2023 the DPC concluded the following inquiries under the GDPR and the Data Protection Act (DPA) 2018:

OrganizationsDecision IssuedFine ImposedCorrective Measure Imposed
WhatsApp Ireland LtdJanuary€5.5m ($6m)Order re: Articles 5(1)(a) and 6(1) GDPR.
Kildare County CouncilJanuary€50,000
Temporary ban on CCTV cameras at a number of locations.
Order re: Articles 5(1)(a), 6(1), 13, and 32(1) GDPR.
Sections 71, 72, 76, 78, and 82 DPA 2018.
Airbnb Ireland UCJanuary N/ANo infringement found.
Centric Health FebruaryFebruary€460,000
Reprimand re: Articles 5(1)(f), 5(2) and 32(1) GDPR.
Bank of IrelandFebruary€750,000
Reprimand re: Articles 5(1)(f) and 32(1) GDPR.
Order re: Articles 5(1)(f) and 32(1) GDPR.
Archbishop of DublinFebruaryN/AOrder re: Article 5(1)(a) GDPR.
Meta (Facebook)May€1.2 billion
($1.3 billion)
Suspension of data flows re: Article 46 GPDR.
Order re: Article 46 GDPR.
Department of HealthJune 16€22,500Ban re Articles 5(1)(c), 6(1), 6(4), and 9(1) GDPR.
Reprimand re Articles 5(1)(c), 5(1)(f), 6(1), 6(4), and 32(1) GDPR.
Airbnb Ireland UCJuneN/ANo infringement found.
Airbnb Ireland UC JuneN/AReprimand re Articles 5(1)(c) and 5(1)(e).
Order re Articles 5(1)(c) and 5(1)(e).
Airbnb Ireland UCJulyN/AReprimand re: Articles 5(1)(c), 6(1)(f), 15(1), 12(1) and 12(3).
Order re: Article 12(1).
Galway County CouncilAugustN/ATemporary ban on CCTV cameras and ANPR at a number of locations.
Temporary ban on use of body worn cameras.
Order re: Article 35 GDPR and Sections 71, 72, 76, 78, 82, 90(1) DPA 2018.
Reprimand re: Article 24 GDPR.
TikTokSeptember €345m
Reprimand re: Articles 5(1)(a), 5(1)(c), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) GDPR.
Order re: Articles 5(1)(a), 5(1)(c), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) GDPR .
Airbnb Ireland UCSeptember N/AReprimand re: Article 12(4).
Airbnb Ireland UCSeptemberN/AReprimand re: Articles 6(1)(f), 5(1)(c) and 5(1)(e).
Orders re: Articles 5(1)(c) and 5(1)(e).
Airbnb Ireland UCSeptemberN/AReprimand re: Articles 6(1)(f) and 5(1)(c).
Order re: Article 6(1)(f) and 5(1)(c).
Apple Distribution International LimitedNovemberN/ANovember 2023 N/A No infringement found.
Microsoft Operations Ireland LimitedNovemberN/AReprimand re: Articles 12(4) and 17.
Order re: Article 12(4) and Article 17.
Meta (Facebook and Instagram)NovemberN/ABan on processing personal data for behavioral advertising purposes on the basis of Article 6(1)(b) or (f) GDPR.
Source: Data Protection Commission’s 2023 Annual Report