Irish Data Protection Authority Questions Impact of New Service
Mockup of Facebook’s dating service (Source: Facebook)
Any lonely hearts in Europe hoping to meet the person of their dreams via Facebook’s dating service this Valentine’s Day will have to wait a little longer.
Facebook has delayed the rollout of its dating service across the EU, following a Monday “dawn raid” by Irish privacy investigators.
“The step up in enforcement activity comes at a time when many are concerned about new technological developments including AI, surveillance and facial recognition”
—Cordery’s Jonathan Armstrong and André Bywater
The Irish Data Protection Commission, which takes the lead on all General Data Protection Regulation probes of Facebook, says it was informed on Feb. 3 by the social network of its plan to introduce its dating service in the EU.
“We were very concerned that this was the first that we’d heard from Facebook Ireland about this new feature, considering that it was their intention to roll it out [on Thursday],” the DPC says in a statement. “Our concerns were further compounded by the fact that no information/documentation was provided to us on Feb. 3 in relation to the data protection impact assessment or the decision-making processes that were undertaken by Facebook Ireland.”
Under the EU’s GDPR, organizations must submit a data protection impact assessment to assess the risk of new services or features.
The DPC says its investigators gathered documentation from Facebook’s offices in Dublin on Monday. Subsequently, Facebook announced that it would delay the rollout of its dating service in the EU.
“It’s really important that we get the launch of Facebook Dating right so we are taking a bit more time to make sure the product is ready for the European market,” a Facebook spokeswoman tells Information Security Media Group. “We worked carefully to create strong privacy safeguards, and complete the data processing impact assessment ahead of the proposed launch in Europe, which we shared with the IDPC when it was requested.”
Facebook’s dating service is now available in 20 countries, including the U.S., Argentina, Singapore and Thailand. “It will be in Europe by early 2020,” according to Facebook’s site.
Data Protection Impact Assessments
Attorneys Jonathan Armstrong and André Bywater, who focus on compliance for the London-based firm Cordery, say one big takeaway here is the importance of preparing a data protection impact assessment – DPIA – in a timely manner. Such assessments are required by GDPR.
“It is usually best to start the DPIA process at the start of a project,” they wrote in a September 2018 research note on DPIAs. “If you do that, you are more likely to be able to put remedial measures in place to deal with risk more easily and more cost-effectively. If you need to consult with a regulator that process can take four to five months; this might be another reason for starting early.”
They also emphasize that DPIAs serve as a discussion point for an organization and a data protection authority, and that organizations that fail to correctly prepare such documentation and share it with regulators in a timely manner may be penalized.
The dawn raid by Ireland’s data protection authority highlights how DPAs have extensive enforcement powers.
“Do DPAs have dawn raid powers? Essentially yes,” Armstrong and Bywater say in a research note issued Thursday. Technically, they’re not called dawn raids under GDPR, but DPAs have the ability to access premises in the course of an investigation whenever they choose. “GDPR doesn’t just give DPAs the power to fine,” they say. “GDPR article 58 gives DPAs a host of other powers.”
Excerpt of GDPR article 58 (Source: EUR-Lex)
Those powers include the ability to order a company’s data controller to provide any information the DPA requires to complete its work, to audit a company’s data protection processes, to access an organization’s premises and equipment – including servers – as well as to temporarily and even permanently ban an organization’s right to process Europeans’ personal data.
This raid could also represent an escalation in the Irish data privacy watchdog’s enforcement efforts.
“The step up in enforcement activity comes at a time when many are concerned about new technological developments, including AI, surveillance and facial recognition,” Armstrong and Bywater say. “New technologies like this almost always need a DPIA. It takes some skill to do a DPIA for something cutting edge, but that isn’t an excuse for not trying.”
Ireland takes the lead on all GDPR investigations into Facebook under a provision of the privacy law that allows an organization to designate having its “main establishment” in a European country – in other words, a European headquarters. Any organization that does so can qualify for a one-stop-shop mechanism under GDPR that ensures that only the privacy watchdog in the country in which it is headquartered conducts any privacy investigations.
Facebook – like Apple, Microsoft, Twitter and many other technology giants – has made Ireland its EU main establishment (see: 15 GDPR Probes in Ireland Target Facebook, Twitter, Others).
Ireland has been criticized by some other EU countries for not being tough enough on technology giants that have their headquarters there. While numerous GDPR investigations remain underway in Ireland, the DPC has yet to fine any organizations for violating the privacy law, unlike numerous other EU member states (see: GDPR: $126 Million in Fines and Counting).
GDPR fines levied across the EU from May 25, 2018, to Jan. 27, 2020 (Source: DLA Piper)
Ireland’s Enforcement May Be Stepping Up
But Ireland’s approach could be changing.
“The raid is significant as it may signal a get-tough era on enforcement in Ireland, which has been criticized as being too slow to investigate,” Armstrong and Bywater write. “This is a special concern given that so many large technology operations have the DPC as their lead regulator under GDPR.”
And while this month the regulator has gotten tough with Facebook’s new dating service, the DPC’s future investigations, as noted, could easily extend to organizations’ attempts to roll out facial recognition or machine learning tools, if they have a potential impact on Europeans’ privacy rights.
If there’s a silver lining in this case, meanwhile, it’s that when it comes to social networks and dating, other options remain available. As Armstrong and Bywater say: “On a lighter note, as a result of the raid, those seeking a date on Valentine’s Day might need to try real-life socializing instead.”