Ireland—home EU regulator to Big Tech firms including Google, Twitter, and Facebook—is the key country not to have issued a GDPR-related fine yet, though the regulator has said it has started at least 19 inquiries into the sector.

That includes one into Facebook over its password security measures and another into Google over concerns that its online Ad Exchange violated the GDPR by illegally tapping into sensitive personal information about internet users, such as their race, health, and political leanings, and sharing it with advertisers.

The Google investigation will look at how personal data is being processed, the level of transparency involved in transactions, how data is retained, and whether the company is doing enough to minimize the amount of information it uses.

“The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation,” said the regulator.

This is the Irish Data Protection Commission’s first statutory inquiry into Google since it became the company’s lead European regulator in January. The investigation, which comes almost exactly one year after the GDPR came into effect, follows a formal complaint by Johnny Ryan, chief policy officer at Brave, a private Web browser that blocks ads and trackers. He has accused Google’s internet ad services business, DoubleClick/Authorized Buyers, of leaking users’ personal data to thousands of companies.

DoubleClick uses Web cookies to track online browsing behavior by IP address in order to deliver targeted ads. Every time users visit a Website that uses the DoubleClick/Authorized Buyers system, personal data—including what users view—is passed on to companies to solicit bids from potential advertisers seeking targeted audiences, according to Ryan.

Similar complaints have been lodged with data protection regulators in the United Kingdom, Poland, the Netherlands, Belgium, Spain, and Luxembourg. Enforcement action is rumored to be announced in the coming weeks, with the first draft decision to go to the European Data Protection Board (EDPB), the EU’s umbrella body for national data protection authorities, this month. If Google is found to be in breach of the GDPR, the maximum fine of 4 percent of global annual revenue would total $5.4 billion.

More generally, Data Protection Commissioner Helen Dixon has said leading technology firms based in Ireland are “lawyering up” and behaving in a “more combative” manner ahead of expected multimillion-euro fines for data breaches.

Paul Breitbarth, director of strategic research and regulator outreach at compliance software provider Nymity, says the focus on Ireland as a key regulator of Big Tech is “entirely justified.”

“It stands to reason that companies that deal with personal data as a core service offering are more liable to fall foul of GDPR, either through the way they pass on that data to third parties or by the robustness of the measures they use to store it,” says Breitbarth.

“As Big Tech firms have chosen Ireland as their EU jurisdiction, it falls to the Irish Data Protection Commission to follow up complaints lodged against the likes of Facebook, Twitter, and Google, and these investigations will be very time-consuming and take up a lot of resources,” he adds.
