Facebook is the subject of 10 investigations by Ireland’s privacy regulator into whether the company and its subsidiaries have violated European Union privacy law—part of 15 probes that the regulator has opened up against major tech firms headquartered in the country.
Some of the investigations, disclosed as part of the Irish Data Protection Commission’s annual report released at the end of February, focus on whether Facebook is breaking the law over the way it gathers and processes individuals’ data. Others are looking into whether the company and its subsidiaries—WhatsApp and Instagram—are sufficiently transparent about how they handle data, why they need it, and whether they have done enough to safeguard it.
Of the 10 inquiries into Facebook’s data practices, four relate to data breaches (three are described as “token” breaches, while another concerns a series of large breaches), and another four relate to whether personal data was processed unlawfully when consumers consented to use its services on Facebook, WhatsApp, and Instagram.
Facebook also faces one inquiry into whether the company abused the right of access to personal data under the EU General Data Protection Regulation (GDPR) and another inquiry regarding whether the social media company’s WhatsApp service was fully transparent and told users about how their personal data may be shared (and for what purpose) among Facebook’s other platforms and companies.
In a written statement, Facebook said it is “in close contact” with the Irish Data Protection Office to ensure it is “answering any questions they may have.” It added: “We spent over 18 months working to ensure we comply with the GDPR. We made our policies clearer, our privacy settings easier to find, and introduced better tools for people to access, download, and delete their information.”
Separately, computer giant Apple is being investigated over how personal data is used and whether it too has been transparent about its privacy and data policies, while two investigations into Twitter centre on a spate of data breaches that took place last year, as well as concerns over right of access regarding links accessed on its platform. Meanwhile, Microsoft’s professional networking service LinkedIn is being investigated over the way personal data is tracked, mined, and used to influence targeted advertising on its platform.
The regulator said it has concerns in particular about how companies may profile individuals, particularly those with sensitive data, and whether individuals are aware of which parties hold their data. “The protection of personal data is a prerequisite to the processing of any personal data within this ecosystem and ultimately the sector must comply with the standards set down by the GDPR,” the regulator said.
The report, which details what the authority has been focusing on since the introduction of the GDPR on 25 May 2018 up until 31 December, says the regulator received 2,864 data privacy complaints and 3,542 data security breach notifications (38 of which related to 11 multinational technology companies). While there are no comparative figures for the same period the year before, the data protection authority does say that—in terms of year-on-year analysis—the number of data complaints has risen by 56 percent, while security breach notifications have gone up by 70 percent for the whole of 2018.
Ireland’s Data Protection Commission is the lead privacy regulator in the European Union for Facebook, Apple, Microsoft, and Twitter since all of these companies have their European headquarters located there. The country has proved attractive to large multinational companies because of its low tax environment, its proximity to the United Kingdom and mainland Europe, and its status as the only English-speaking country in the eurozone.
Cynics have also suggested Ireland appeals to major companies as a European base because of its lax approach to compliance and aversion to strictly enforcing rules, as seen in its favourable tax treatment of Apple (since corrected by the European Commission with a €14.3 billion tax charge). Ireland’s data regulator, in particular, has been rebuked by privacy campaigners such as Max Schrems in the past for not having the resources (or appetite) to investigate cases properly.
According to Schrems, when he brought his very first complaints against Facebook to the Irish data regulator in 2011, the office was based in a small town outside of Dublin and was situated above a supermarket. It had a staff of just 20 people—none of whom was a lawyer or a trained technical expert.
The situation today, however, is very different. With the onset of the GDPR, the regulator has bumped its staff numbers up to 135 people and now has in-house legal and technical experts. It is also set to recruit an additional 30 people during the year to cope with the expected volume of GDPR-related work.