Longtime holdout Ireland issues first GDPR fine

The €75,000 (U.S. $82,000) fine relates to an October 2019 investigation surrounding three cases where information about children was wrongly disclosed, potentially putting them at risk.

In one breach, Tusla accidentally disclosed the contact and location data of a mother and child victim to an alleged abuser. In the next breach, Tusla accidentally disclosed contact, location, and school details of foster parents and children to a grandparent, who then made contact.

In the third breach, Tusla accidentally disclosed the address of children in foster care to their imprisoned father, who used it to correspond with his children.

The Irish Data Protection Commission has another two “advanced stage” ongoing investigations into Tusla—one regarding 71 breaches of personal data and another for a single breach.

In a statement, Tusla said it has “fully engaged” with the data regulator in its three investigations, which the agency says it reported “in a timely fashion.”

The Irish Data Protection Commission lodged papers with the Irish Circuit Court on May 15. The penalty is likely to be confirmed this autumn.

Tusla does not intend to contest the fine and says it will accept and respect the final order of the court.

In Ireland, state bodies can be fined up to €1 million (U.S. $1.09 million) for GDPR-related violations. Companies, on the other hand, can be fined up to €20 million (U.S. $21.9 million) or 4 percent of global turnover (whichever is larger).

Ireland’s data regulator has been the subject of repeated criticism for its lengthy investigations into Big Tech firms including Facebook, Google, Apple, Twitter, and Microsoft.

The Commissioner, Helen Dixon, however, has said that her office is doing the best it can with the resources it has to hand (an annual budget of €16.9 million [U.S. $18.5 million]).

According to a recent report, Ireland is responsible for leading 127 GDPR-related investigations—more than any other country in Europe.