Tusla has been issued with a second fine by the Data Protection Commission (DPC) for a breach of data protection rules.

The decision was issued to the Child and Family Agency yesterday, following the completion of an inquiry that began last year.

It relates to a breach notified to the DPC in November 2019 regarding an unauthorised disclosure of sensitive personal data. 

The disclosure was made to an alleged abuser and the data was subsequently posted on social media.

Tusla now has 28 days to appeal the decision and the corrective measures accompanying it. The DPC would not comment on the size of the fine.

"As the decision referred to has only just been received, we are not in a position to comment further until we have reflected on all of the matters," Tusla said in a statement.

Earlier this week the Sunday Times revealed that Tusla had become the first body to be fined in Ireland by the DPC for a data protection breach under the stricter rules contained in the General Data Protection Regulation (GDPR).

That case related to three breaches reported in February and March of last year.

One of those cases involved the accidental disclosure of the contact and location data of a mother and child to an alleged abuser.

The fine for the three breaches totaled €75,000.

"Tusla has and continues to engage constructively with the DPC and the public on these matters," it said.

"In recent days we commented on a decision in respect of a sanction by the DPC and this followed the period in which we considered that decision when it first issued. We will now reflect on this, the second of what is anticipated will be a total of three decisions. We will at that point issue further comment."

Meanwhile, the DPC has sent a draft decision on an investigation it was conducting into Twitter to other supervisory authorities in Europe.

That inquiry was launched by the regulator in January last year and was initiated following a receipt of a data breach notification by the social media platform.

It relates to its compliance with the requirement under Article 33 of the GDPR to notify the DPC of a breach within 72 hours and provide certain information.

Under GDPR, a company that breaks privacy laws can be fined up to 4% of global revenue or €20 million, whichever is higher.

The DPC also said in a statement that there had been a number of other significant developments this week around its investigations of "big tech" firms.

This includes the sending of a preliminary draft decision of an investigation into WhatsApp to the company.

"The inquiry into WhatsApp Ireland examines its compliance with Articles 12 to 14 of the GDPR in terms of transparency including in relation to transparency around what information is shared with Facebook," said Deputy Commissioner Graham Doyle in a statement.

The social messaging firm may now make submissions which will then be taken in to account by the DPC before a draft decision is prepared and sent to other European supervisory authorities.  

The regulator said it had also completed the investigation phase of a complaint-based inquiry which focuses on Facebook's obligations to establish a lawful basis for personal data processing. 

This probe is now in the decision-making phase, the DPC said.
Draft inquiry reports have also been sent to complainants and companies in relation to two other inquiries involving Instagram and WhatsApp.

The DPC also revealed that the Court of Justice of the European Union will deliver its decision in the case being taken by it against Facebook and Austrian privacy campaigner, Max Schrems on 16 July.

The case centres on whether Facebook's use of so-called standard contractual clauses to move data from Europe to the US complies with EU privacy standards, and whether the DPC can make a decision on the matter.