The Irish Data Protection Commission—the European “go to” privacy regulator for the world’s tech giants—has revealed it received 7,215 complaints during the first full year the General Data Protection Regulation (GDPR) was in force, representing a 75 percent increase on 2018’s figures of just over 4,000.
Of that total, 6,904 complaints were dealt with under the GDPR, and 4,554 had been concluded by Dec. 31. Some 5,496 complaints in total were concluded in 2019.
Meanwhile, the Commission received 6,069 valid data security breach notifications, representing a 71 percent increase on the 3,542 recorded in 2018, and 457 cross-border processing complaints.
In its annual report published Thursday, the Irish DPC says as of Dec. 31, 2019, it had opened six statutory inquiries in relation to multinational technology companies’ compliance with the GDPR, bringing the total number of cross-border inquiries to 21 (as compared to 49 that were domestic).
That figure reached 23 earlier this month when the regulator announced two new investigations into Google and MTCH Technology Services—the company behind the dating app Tinder—over complaints that users’ personal data is being misused.
Of the ongoing 23 investigations into tech firms, 11 relate to Facebook (seven to Facebook’s Irish subsidiaries, one to the parent company, two to WhatsApp, and one to Instagram); three each to Apple and Twitter; two to Google; and one each to Verizon, Quantcast, Microsoft (relating to LinkedIn), and MTCH.
Much has been said about the resources and expertise the watchdog has access to. The Commission’s budget is €15.2 million (U.S. $16.4 million), with a headcount of 140. Compare those numbers to the resources Big Tech firms have at their disposal.
Ireland’s DPC has not yet issued a fine under the GDPR, but all eyes are upon it to see when it will do so—as well as whether any subsequent fine will move closer to the maximum 4 percent of the offending company’s turnover. Given the size of the companies being investigated—and the seriousness of the complaints being raised—substantial penalties cannot be ruled out.
Speaking to the Irish Independent, Helen Dixon, the Irish Data Protection Commissioner, has indicated her office has recently hired specialist lawyers to advise on the scale of punitive financial measures to be imposed on technology multinationals.
Dixon told the newspaper that the decision last year by the U.S. Federal Trade Commission to fine Facebook $5 billion will be a “relevant” gauge in Europe’s response, and added that fines are an “inevitability.”
Dixon declined to say when fines would occur or when the first major decisions would be finalized. However, her office has previously said the first decisions would be related to WhatsApp and Twitter.
Some experts support the Irish DPC’s slow and cautious approach.
“Given the fact that any fines are going to be extremely high profile, it is hard to fault the approach of the DPC by not taking any shortcuts and fully following the statutory process in relation to the examination and analysis, even though this has led to delays,” says Reza Nazem, data protection solicitor at Irish law firm Gibson & Associates.