The DPC’s 2020 report reveals that 14 of its 27 cross-border investigations relate to Facebook, WhatsApp or Instagram.
Ireland’s Data Protection Commission (DPC) received more than 6,600 valid breach notifications in 2020, up 10pc on the previous year, according to its latest report. Of the 6,628 breaches, 90pc were concluded in 2020.
The report also detailed a number of ongoing investigations. As of 31 December 2020, the DPC had 83 statutory inquiries on hand, including 27 cross-border inquiries.
More than half of these cross-border inquiries relate to Facebook or Facebook-owned Instagram and WhatsApp.
This includes a draft decision that the DPC sent to European authorities in December in relation to WhatsApp’s compliance with its transparency obligations under GDPR. The outcome of this inquiry could lead to a ‘large’ fine for Facebook.
DPC versus Big Tech
Outside of Facebook’s companies, Google Ireland and Twitter are also the subjects of ongoing DPC inquiries.
According to the report, the DPC is examining Google’s compliance with transparency, data minimisation and retention under GDPR. It is also examining whether there is a valid legal basis for Google processing the location data of its users and whether it meets its obligations as a data controller with regard to transparency.
In an interview with The Irish Times today (25 February), Data Protection Commissioner Helen Dixon said that two inquiries into Facebook are in the decision-making process and two further investigations into WhatsApp and Instagram have completed their inquiry phases.
She also said progress has been made on three other investigations, adding that she estimates “six or seven” will reach draft decisions in 2021.
Twitter became the first company to be fined by the DPC in a cross-border case, receiving a fine totalling €450,000 at the end of last year.
In her introduction to the 2020 DPC report, Dixon said the final decision for Twitter provides “an important analysis of the data breach notification and documentation requirements imposed on organisations by Article 33 GDPR”.
Article 33 requires companies to notify supervisory authorities of a personal data breach without undue delay. In its decision, the DPC said that Twitter failed to notify the commission of a breach on time and didn’t adequately document it.
The challenge of EU-US data transfers
Along with the commission’s annual breach figures, the report also highlights a number of actions it took in 2020 and discusses the challenges for the year ahead.
In July 2020, the Court of Justice of the European Union made a landmark ruling that invalidated the Privacy Shield agreement for EU-US data transfers.
Following that ruling, the DPC informed Facebook that standard contract clauses used by its Dublin HQ for EU-US data transfers did not offer sufficient data protection for EU-based users. This inquiry was the subject of a judicial review from Facebook, which was heard before the High Court in December 2020; a decision is yet to be made.
Speaking to Reuters this week, Dixon said efforts to resolve the issue between EU and US officials remain at a “very early stage”.
“In very general terms, removing from that specific [Facebook] case, there would be massive disruptions for individual companies and organisations.” She added that while there would be solutions to overcome those issues in some cases, “there wouldn’t be easy solutions” in other cases.