Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Ireland’s Data Protection Commission Reports Multiple GDPR Investigations on Tech Giants

Ireland’s Data Protection Commission (DPC), headed by the Commissioner for Data Protection, Helen Dixon, has published its first annual report since the General Data Protection Regulation (GDPR) came into force in May 2018. It shows that Europeans are taking their new privacy rights very seriously. In the five months of 2018 pre-GDPR, the DPC received 1,249 privacy complaints. In the seven months post-GDPR, it received a further 2,864.

Ireland’s Data Protection Commission (DPC), headed by the Commissioner for Data Protection, Helen Dixon, has published its first annual report since the General Data Protection Regulation (GDPR) came into force in May 2018. It shows that Europeans are taking their new privacy rights very seriously. In the five months of 2018 pre-GDPR, the DPC received 1,249 privacy complaints. In the seven months post-GDPR, it received a further 2,864. The total of more than 4,000 complaints in 2018 is up from less than 1000 in 2015.

The section of the report (PDF) most relevant to Americans and American firms operating in Europe, however, is Section 7: Technology Multinationals Supervision. Many of the big American tech companies have their European headquarters in Ireland, primarily attracted by Ireland’s low corporate tax rate of 12.5%. Many of these are centered around the Dublin area that has come to be known a Silicon Docks.

Headquartered in Ireland means that the Irish regulator will have primary role in enforcing GDPR compliance; and the DPC is taking this role seriously. “As of 31 December 2018, the DPC had 15 statutory inquiries (investigations) open in relation to multinational technology companies compliance with the GDPR.” These investigations result from complaints received, from breaches notified, and “at the DPC’s own volition having identified matters that warranted further examination.”

Nine of the investigations are described as ‘complaint-based’; six as an ‘own-volition inquiry’. Seven relate to Facebook Ireland Limited (one of them being more specifically Instagram); one to Facebook Inc; two to WhatsApp Ireland Ltd; two to Twitter International Co; two to Apple Distribution International, and one to LinkedIn Ireland Unlimited Company.

The most common complaint-based cause of investigation is an examination of the lawful basis for processing personal information, sometimes at all, but often in the context of behavioral analysis and targeted advertising. Facebook and Twitter are also being investigated under GDPR’s ‘right of access’ obligations. One of the Apple investigations, complaint-based, is examining whether Apple has discharged its transparency obligations.

It is worth considering that complaint-based investigations still carry the full weight of the law. The 50 million euro fine levied on Google by the French regulator stemmed from complaints by NOYB and La Quadrature du Net; both not-for-profit organizations representing private individuals. (Like the Apple complaint, the Google complaint focused on ‘transparency’ obligations.) GDPR allows individuals to authorize such bodies to lodge complaints on their behalf. This Apple complaint is possibly one of eight further complaints raised by NOYB in January 2019.

Of the six own-volition enquiries, four relate directly to Facebook and one more via WhatsApp. The WhatsApp/Facebook enquiry is examining whether WhatsApp has discharged its transparency obligations to users, including details on the transfer of personal data between the two organizations. Facebook is currently in the process of integrating the underlying structures of its three messaging services: Messenger, Instagram and WhatsApp. Noticeably, the four founders of Instagram and WhatsApp all left Facebook between late 2017 and early 2018, with privacy thought to be the primary motive.

Three of the four directly Facebook-related own-volition enquiries relate to the 2018 token breach. Facebook Ireland Ltd and Facebook Inc are each being investigated over whether they had implemented organizational and technical measures to safeguard the personal data of users, and Facebook Ireland is being investigated over its breach notification compliance for that incident.

Advertisement. Scroll to continue reading.

The fourth own-volition Facebook enquiry “commenced in response to large number of breaches notified to the DPC during the period since 25 May 2018 (separate to the token breach).”

The final own-volition investigation is against Twitter, and like the previous investigation against Facebook, is because of the large number of breaches notified to the DPC.

What this section of the DPC’s annual report tells us is that Helen Dixon is not afraid to investigate even the largest tech company — and the sheer number of investigations against Facebook should be a concern to that company. 

These investigations are proof, says Jean-Michel Franco, senior director of data governance products at Talend, that companies in the digital economy are still getting the management of personal data wrong. “Having already been fined £500,000 by the UK data regulator, the ICO, for the Cambridge Analytica debacle, Facebook has now been called out by Ireland’s data regulator.”

He notes that the same massive user base that makes Facebook so powerful also makes it vulnerable. “With so many users, complaints against the social media behemoth are likely stack up with regulators, who may then feel compelled to act,” he suggests. “The onset of the GDPR and the increasing focus on data breaches and the misuse of data could create a vicious cycle, where every penalty issued leads to more attention and more possible legal and enforcement action.”

The real solution, he says, is not in trying to simply comply with regulations, but to change the nature of the relationship with customers. “Compliance should not be the end goal in and of itself,” he says. “Instead, companies have to nurture relationships with their customers in which data transparency and trust are central pillars. This is crucial from both an economic standpoint and for the customer experience — especially within a digital, data-driven world.”

Related: Facebook Paid Users to Track Smartphone Use: Report 

Related: Facebook Closes Hundreds of ‘Inauthentic’ Russia-Linked Pages 

Related: German Competition Watchdog Demands More Control for Facebook Users 

Related: Report: Facebook’s Privacy Lapses May Result in Record Fine 

Related: Is Facebook Out of Control? Investigations and Complaints Are Rising 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Privacy

Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Application Security

Open banking can be described as a perfect storm for cybersecurity. At one end, small startups with financial acumen but little or no security...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Government

The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...