Last week Ireland’s Data Protection Commission (IDPC) released its review of the work it has carried out investigating potential breaches and privacy complaints under the General Data Protection Regulation (GDPR) since the new rules came into effect in 2018.
Reactions to its publication have been muted, largely because of the conspicuous absence of detail surrounding its investigations into Big Tech. One data expert, who declined to be named, dismissed the 72-page document as a “lengthy press release.”
The IDPC is the lead GDPR regulator in Europe for some of the world’s biggest tech firms—notably Apple, Facebook, Google, Microsoft, LinkedIn, and Twitter—and has 24 open cross-border inquiries into their conduct. The report, however, features just seven pages on its investigations into Big Tech, four of which are simply a list of the cases.
Facebook is the subject of 11 statutory inquiries by the IDPC (eight into Facebook, two into WhatsApp, and one into Instagram). Of the other 13 cases, three each relate to Apple and Twitter; two to Google; and one each to Verizon, Quantcast, Microsoft (relating to LinkedIn), dating app Tinder owner Match Group, and online business review app Yelp.
The investigations into Facebook include breach notifications, how the company uses personal data to drive advertising, how it stores user passwords, and whether the company’s terms of service and data policy are GDPR compatible.
But the report provides little detail on their progress other than that the inquiries are ongoing with draft reports sent to the relevant parties in some cases or the investigations are at a “decision-making” process (whatever that means). No timelines are given or explained. The same is true of the other inquiries into tech firms. The IDPC submitted a draft decision on Twitter to other EU data protection authorities on May 22—the most advanced stage it has reached out of all of its cross-border inquiries—but it is unclear what happens next, or when. It is also unclear if the draft decision will be a final decision.
Instead, the report devotes more space to the “quick wins” the IDPC has achieved against some of these firms in a “case study” section. In particular, the data authority discusses how it forced Facebook to pull its rollout of a dating app ahead of Valentine’s Day this year over privacy concerns (which are unspecified in this report) and a failure by the company to give the regulator a data protection impact assessment, as well as dump its Election Day Reminder feature—not just for the Irish general election in February, but for all future elections in the European Union.
The report also talks about the regulator’s “supervisory interactions” with Google (ongoing since late 2018), which have prompted changes to the search engine’s location history and Web and app activity, but which are still not sufficient to assuage its concerns. Google again comes up (alongside Microsoft and Apple) over concerns about how users’ voice data is processed. The IDPC says that it is developing pan-European guidelines to make the technology GDPR-compliant, despite tweaks by tech companies.
Another victory involved the IDPC persuading LinkedIn to cease displaying the member-to-guest connection invitation screen on its platform, which was generated by syncing the address books of its European members. The IDPC views the move as “a positive step taken by LinkedIn Ireland in meeting its GDPR requirements, particularly for the processing of non-user data.” LinkedIn was more sanguine, saying that it removed the feature because it no longer provided significant value to EU users.
More space in the report is devoted to how the regulator has reprimanded and engaged with public-sector organizations that have breached GDPR compliance (or think they have, as every single inquiry is a result of self-reporting rather than from a complaint). In fact, the IDPC has launched over twice as many inquiries (53) against national entities—including the police service and the Catholic church—as it has against Big Tech. Local authorities alone account for 31 of the investigations.
Of these investigations, two cases have resulted in Ireland’s first GDPR fines—both against the country’s child and family agency, Tusla, and both small (€75,000 [U.S. $84,203] and €40,000 [U.S. $44,908], respectively).
Some of the key takeaways of the report show that organizations have either failed to understand the GDPR or are worried about non-compliance with it (or both). In the two years since the GDPR came into effect, the IDPC received some 12,437 breach notifications—93 percent (11,567 notifications) of which relate to GDPR.
The regulator says that “despite the high volumes, the cases that have been assessed give no indication that organisations are over reporting.”
Rather, it says, “they suggest that many of the breaches that the IDPC examines could have been prevented by more stringent technical and organisational measures at source”—meaning that an organization’s in-house data protection officer should have reviewed and remedied the issues themselves.
By far the most frequent cause of breaches reported to the IDPC—and which accounts for 80 percent of the total—is “unauthorised disclosure.” The report says manual processing—and consequently an inferred lack of robust processing procedures—is at the root of far more reported breaches than phishing, hacking, or lost devices (which amount to just 5.6 percent of breach notifications collectively).
David Kennefick, product architect at cyber-security software vendor Edgescan, says the worryingly high level of human error points to organizations’ “general low level of maturity in how to handle people’s data.” Kennefick adds there is also a danger organizations may be downplaying the significance of breaches caused by human error—writing them off as silly errors rather than properly investigating why such breaches occurred, whether the controls put in place to prevent such breaches are working or are being ignored, and whether steps to remediate previous exposures are sufficient.
Some experts believe the data regulator’s priorities may have been skewed toward dealing with routine queries it could turn around quickly, rather than face the more daunting challenge of bringing Big Tech to account, and that the absence of hard detail is “telling.”
“The regulator has gone for ‘low hanging fruit’ instead of trying to tackle the bigger problem,” says one data privacy expert. “The Commission seems to have spent more resources dealing with self-reported incidents that probably affect a relatively small number of people than address the massive privacy concerns that people have with Big Tech that affect millions across the European Union.”
Ryan Dunleavy, partner and head of the media disputes department at law firm Stewarts, says the report shows the IDPC has been dealing with a high volume of cases that were potentially resolvable at the data protection officer level rather than focusing more on significant data and privacy issues—especially those around Big Tech.
“This report shows how inundated the DPC has been over the two years since the GDPR was introduced across Europe,” says Dunleavy. “The DPC has clearly been working hard, but a large number of these cases look like they could have been resolved by data controllers, data protection officers, and at the corporate level without getting the regulator involved. The DPC has published a significant amount of guidance for data controllers, but perhaps it should have more efficient mechanisms for weeding out these cases before they escalate and take up its time.”
For Dunleavy, “the report skirts around the key questions that everyone wants to know more about: When are we going to see more progress from the regulator on data and privacy issues related to Big Tech?”
“Given its role as lead supervisory authority to the various multinational Big Tech organisations that often have their EU headquarters in Ireland, it is disappointing to see that the DPC’s action against them over the last two years appears to have been limited and that fines against Big Tech by the Irish regulator still seem to be hovering on the horizon,” he adds.
The Irish Data Protection Commission was approached for comment but did not respond.