Ireland’s data regulator has 27 ongoing cross-border inquiries into Big Tech firms, with Facebook and its associated companies accounting for 14 of them.
According to the 2020 annual report from the Irish Data Protection Commission (DPC), there are nine investigations into Facebook for potential violations of the General Data Protection Regulation (GDPR), with three more into Instagram and two into WhatsApp.
There are also three live investigations into Apple, three into Twitter, two into Google, and one each for LinkedIn (owned by Microsoft), MTCH, Quantcast, Verizon, and Yelp.
Much has been made of the Irish DPC’s slow progress with its cross-border caseload, but the regulator is realistic about its prospects of concluding all these cases quickly.
Graham Doyle, deputy commissioner, says several Big Tech cases are likely to be resolved in the coming year, with two cases relating to Facebook currently at decision-making process and one investigation each into WhatsApp and Instagram being finalized. An investigation into Google is at an “advanced” stage.
“Fines will happen. But they’re not everything, and they’re not the only punishment and deterrent we have available. Our approach is one of enforcement and engagement. What is important for us is to have the processes behind the sanction stopped so the same complaints and harms do not occur again. Our focus is compliance and changing behaviors.”
Graham Doyle, Deputy Commissioner, Irish Data Protection Commission
Another draft decision regarding WhatsApp and its user transparency obligations was sent out to the EU’s other 26 supervisory authorities in December under the GDPR’s Article 60 process. The Irish DPC is currently trying to resolve concerns some authorities have raised.
Last October, WhatsApp set aside €77.5 million (U.S. $91.8 million) for possible fines arising from the Irish DPC’s investigation into the way the messaging platform shares data with parent company Facebook.
Doyle says the regulator is reticent about saying when the decision will be finalized, given that it took seven months to finalize last December’s Twitter fine following the company’s failure to report a data breach within the required 72 hours and document it properly. The penalty was set at €450,000—a figure considered too low by some data protection authorities (DPAs) and privacy campaigners.
“As we have said before, these cases take time, and the whole way of working with other European data regulators is new and needs time to bed in,” says Doyle. “With the Twitter case, the only objection we were not able to get agreement on was the level of fine—all other concerns were resolved either by ourselves or under the European Data Protection Board’s Article 65 complaint resolution mechanism.”
Part of the reason for the slow progress has been the regulator’s budget: at just €16.9 million (U.S. $20.6 million) for this year—and with a staff of 145—the Irish DPC’s resources pale in comparison to those of the companies it is meant to regulate. A report earlier this month also suggested the agency’s IT systems are outdated.
Doyle is reticent about predicting whether any of the cases will result in the headline-grabbing penalties that are possible under the GDPR.
“Fines will happen,” says Doyle. “But they’re not everything, and they’re not the only punishment and deterrent we have available. Our approach is one of enforcement and engagement. What is important for us is to have the processes behind the sanction stopped so the same complaints and harms do not occur again. Our focus is compliance and changing behaviors.”
Doyle says closer engagement with companies has paid off. He points to Facebook pulling its dating app in the run-up to Valentine’s Day in 2020 over concerns about how personal data was being handled, and the social media firm also pulling its Irish “election day reminder” feature over concerns personal data might be used for targeted advertising. The Irish DPC also helped change the way Google’s voice assistant technology operates so it is GDPR-compliant.
During 2020, the Irish DPC handled a total of 10,151 cases—up 9 percent on 2019 figures (9,337). Of these, the regulator received 4,660 complaints under the GDPR. The total number of valid breach notifications received was 6,628—up 10 percent. The most frequent cause of breaches reported to the DPC was unauthorized disclosure (86 percent).
Some 354 cross-border processing complaints were received by the DPC through the “one stop shop” mechanism from other EU DPAs in which Ireland was identified as the lead supervisory authority. Along with the 27 ongoing cross-border investigations it is carrying out, the Irish DPC is also conducting 56 domestic inquiries.
The report also shows the DPC has reduced the turnaround time on some of its caseload—though Big Tech investigations are unlikely to follow that trend.
In August, social media platform TikTok announced plans to open its first European data center in Ireland. Other EU DPAs that had already started probes into the company have said they will hand them over to the Irish DPC to pursue—though this has not happened yet, says Doyle.