Ireland’s Data Protection Commission (DPC), headed by the Commissioner for Data Protection, Helen Dixon, has published its first annual report since the General Data Protection Regulation (GDPR) came into force on 25 May 2018. It shows that Europeans are taking their new privacy rights seriously. In the five months of 2018 before GDPR applied, the DPC received 1,249 privacy complaints; in the seven months after, it received a further 2,864. The total of more than 4,000 complaints in 2018 is up from fewer than 1,000 in 2015.
The section of the report (PDF) most relevant to Americans and to American firms operating in Europe, however, is Section 7: Technology Multinationals Supervision. Many of the big American tech companies have their European headquarters in Ireland, attracted primarily by Ireland’s 12.5% corporate tax rate. Many of them are clustered in the Dublin docklands area that has come to be known as Silicon Docks.
Being headquartered in Ireland means that the Irish regulator acts as lead supervisory authority under GDPR’s one-stop-shop mechanism and so has the primary role in enforcing compliance; the DPC is taking this role seriously. “As of 31 December 2018, the DPC had 15 statutory inquiries (investigations) open in relation to multinational technology companies’ compliance with the GDPR.” These investigations result from complaints received, from breaches notified, and “at the DPC’s own volition having identified matters that warranted further examination.”
Nine of the investigations are described as ‘complaint-based’; six as an ‘own-volition inquiry’. Seven relate to Facebook Ireland Limited (one of them being more specifically Instagram); one to Facebook Inc; two to WhatsApp Ireland Ltd; two to Twitter International Co; two to Apple Distribution International, and one to LinkedIn Ireland Unlimited Company.
The most common cause of a complaint-based investigation is an examination of the lawful basis for processing personal information: sometimes whether any lawful basis exists at all, but more often whether one exists for behavioral analysis and targeted advertising. Facebook and Twitter are also being investigated under GDPR’s ‘right of access’ obligations. One of the Apple investigations, complaint-based, is examining whether Apple has discharged its transparency obligations.
It is worth remembering that complaint-based investigations carry the full weight of the law. The 50 million euro fine levied on Google by the French regulator, CNIL, stemmed from complaints by NOYB and La Quadrature du Net, both not-for-profit organizations representing private individuals. (Like the Apple complaint, the Google complaint focused on ‘transparency’ obligations.) GDPR allows individuals to authorize such bodies to lodge complaints on their behalf. This Apple complaint is possibly one of eight further complaints raised by NOYB in January 2019.
Of the six own-volition inquiries, four relate directly to Facebook and one more to it via WhatsApp. The WhatsApp/Facebook inquiry is examining whether WhatsApp has discharged its transparency obligations to users, including in relation to the transfer of personal data between the two organizations. Facebook is currently in the process of integrating the underlying infrastructure of its three messaging services: Messenger, Instagram and WhatsApp. Notably, the four founders of Instagram and WhatsApp all left Facebook between late 2017 and late 2018, with privacy reportedly the primary motive.
Three of the four directly Facebook-related own-volition inquiries relate to the September 2018 access token breach. Facebook Ireland Ltd and Facebook Inc are each being investigated over whether they had implemented appropriate organizational and technical measures to safeguard the personal data of users, and Facebook Ireland is additionally being investigated over its breach notification compliance for that incident.
The fourth own-volition Facebook inquiry “commenced in response to [a] large number of breaches notified to the DPC during the period since 25 May 2018 (separate to the token breach).”
The final own-volition inquiry is against Twitter and, like the fourth Facebook inquiry, was opened because of the large number of breaches Twitter has notified to the DPC.
What this section of the DPC’s annual report tells us is that Helen Dixon is not afraid to investigate even the largest tech companies. The sheer number of inquiries into Facebook should be a concern to that company.
These investigations are proof, says Jean-Michel Franco, senior director of data governance products at Talend, that companies in the digital economy are still getting the management of personal data wrong. “Having already been fined £500,000 by the UK data regulator, the ICO, for the Cambridge Analytica debacle, Facebook has now been called out by Ireland’s data regulator.”
He notes that the same massive user base that makes Facebook so powerful also makes it vulnerable. “With so many users, complaints against the social media behemoth are likely to stack up with regulators, who may then feel compelled to act,” he suggests. “The onset of the GDPR and the increasing focus on data breaches and the misuse of data could create a vicious cycle, where every penalty issued leads to more attention and more possible legal and enforcement action.”
The real solution, he says, is not in trying to simply comply with regulations, but to change the nature of the relationship with customers. “Compliance should not be the end goal in and of itself,” he says. “Instead, companies have to nurture relationships with their customers in which data transparency and trust are central pillars. This is crucial from both an economic standpoint and for the customer experience — especially within a digital, data-driven world.”