Facebook and Twitter Among the Technology Giants Being Probed
A newly released report offers a glimpse into how European Union authorities are applying the General Data Protection Regulation to some of the biggest U.S. technology firms, including social media giants Facebook and Twitter.
Ireland’s Data Protection Commission recently released its annual report, which shows that the country’s privacy watchdog had 21 open inquiries into several of the world’s largest technology firms.
Of these, the report showed that two probes – a 2019 investigation into a flaw in Twitter’s Android app that exposed protected tweets and a 2018 investigation of how WhatsApp shares user data with Facebook – had shifted from an investigative stage to the decision-making phase, which could include recommendations of fines against the companies (see: 15 GDPR Probes in Ireland Target Facebook, Twitter, Others).
Under GDPR, companies can face fines of 4 percent of their global revenue, or €22 million ($20 million), whichever is greater, if regulators find that organizations violated Europeans’ privacy rights.
Even if Ireland’s Data Protection Commission concludes that privacy laws were violated, under GDPR, the investigating supervisory authority must first share any draft decision with all other concerned EU supervisory authorities and consider their views before reaching its final verdict.
Ireland’s GDPR Role
What makes Ireland a bellwether for GDPR is that many U.S. technology firms, including Apple, Facebook and Google, have designated Ireland as their “main establishment” in the EU. Under GDPR, that enables them to qualify for a one-stop-shop mechanism, which ensures that the data protection authority in that country takes the lead on any EU privacy investigations (see: 15 GDPR Probes in Ireland Target Facebook, Twitter, Others).
Ireland’s DPC says in its report that it’s currently conducting investigations of Verizon, Quantcast, LinkedIn, Apple and Twitter. In addition, the commission is examining Facebook and its subsidiaries Instagram and WhatsApp.
Earlier this month, the Data Protection Commission launched an investigation into how Google uses customer data for its location services after the privacy watchdog received numerous complaints from consumer rights organizations across the European Union (see: Ireland’s Privacy Watchdog Probing Google’s Data Use).
In its annual report, Ireland’s Data Protection Commission reported that it had received 7,215 data privacy complaints in 2019, a 75 percent increase over the 4,113 received in 2018.
The commission enforces GDPR as well as about 20 other laws pertaining to privacy rights.
Since GDPR went into full effect in May 2018, EU data protection authorities have received more than 160,900 data breach reports, according to the law firm DLA Piper, which published new statistics in January. During that time, Ireland’s Data Protection Commission received more than 10,500 breach and privacy complaints.
Unlike many other EU countries, however, Ireland has yet to issue a GDPR fine (see: GDPR: $126 Million in Fines and Counting).
But Helen Dixon, Ireland’s commissioner for data protection, says in the DPC report that the country has been taking a slower approach to imposing fines and penalties against some of these bigger technology firms because GDPR is a fairly new law and investigations take time and manpower.
“At the Data Protection Commission, we have been busy during 2019 issuing guidance to organizations, resolving individuals’ complaints, progressing larger-scale investigations, reviewing data breaches, exercising our corrective powers, cooperating with our EU and global counterparts and engaging in litigation to ensure a definitive approach to the application of the law in certain areas,” Dixon says. “Much more remains to be done in terms of both guiding on proportionate and correct application of this principles-based law and enforcing the law as appropriate. But a good start is half the battle, and the DPC is pleased at the foundations that have been laid in 2019.”