A year after GDPR, how is Ireland tackling the data giants?

28 May 2019

Helen Dixon, Irish Data Protection Commissioner, speaking at the Data Summit at the Convention Centre in Dublin. Image: Robbie Reynolds

Facebook facing the most probes by Ireland’s Data Protection Commission.

Just a year after the EU’s General Data Protection Regulation (GDPR) came into force, it has been confirmed that 19 tech multinationals are being investigated by Ireland’s Data Protection Commission (DPC) for compliance.

It has emerged that Facebook and its Instagram and WhatsApp subsidiaries are the subject of most of the investigations, with 11 underway.

‘Looking ahead to the next 12 months, the DPC will conclude investigations it has opened into a variety of organisations, including inquiries into certain internet platforms’

Twitter and LinkedIn are also being probed.

Last week, the DPC revealed it has opened an investigation into Google, mounting a statutory inquiry into the processing of personal data by Google Ireland’s Ad Exchange business.

GDPR: A numbers game

Since GDPR came into effect, the DPC revealed that 6,624 complaints were received and that 5,818 valid data security breaches were notified.

The DPC said that more than 48,000 contracts were received through its Information and Assessments Unit.

As a result, 54 investigations were opened. The DPC said that 35 of these are non cross-border investigations and that 19 are cross-border investigations into multinational IT giants and their compliance with the GDPR.

Interestingly, the DPC received 1,206 data protection officer notifications, indicating the number of roles assigned by organisations in Ireland.

In terms of its own staffing, the DPC said that the number of workers rose from 85 at the end of 2017 to 137 in May 2019.

Funding for the DPC increased in recent years from €1.7m in 2013 to €15.2m in 2019.

The DPC said that the next year will test its fining powers against errant data operators.

“Looking ahead to the next 12 months, the DPC will conclude investigations it has opened into a variety of organisations, including inquiries into certain internet platforms,” the DPC stated.

“This will provide welcome clarity on interpretation of key principles of the new law, and showcase how the corrective and fining powers afforded to data protection authorities can be utilised.”

A new epoch in data protection?

GDPR came into force on 25 May 2018, marking the start of a new era in data protection standards in Europe.

Under GDPR rules, EU regulators can fine companies as much as €20m or 4pc of their turnover, whichever is highest.

In January Google became the first major case of a fine being issued to a US tech giant under the GDPR rules when France’s data protection authority, CNIL (Commission Nationale de l’Informatique et des Libertés), hit the search giant with a €50m fine for allegedly breaking EU privacy laws. The heart of that particular case was allegations that Google failed to comply with GDPR in instances where Android users set up a new phone and followed the Android onboarding process.

Facebook, despite a litany of scandals and breaches in the past year, has so far managed to avoid being hit with a major fine (as if that would in any way put a dent in its vast coffers).

Data Protection Commissioner Helen Dixon said that GDPR strengthens the rights of individuals, and increases the obligations on organisations in terms of how they use personal data.

“The GDPR is a strong new platform from which we can all demand and drive higher standards of protection of our personal information. As the national supervisory authority, the Data Protection Commission (DPC) is firmly committed to its role in public enforcement of the new law, while also working hard to provide guidance to sectors as they seek to comply with the new requirements.

“The DPC is grateful for the positive and energetic engagement with the GDPR that we have seen from all quarters, particularly from consumers and concerned persons who have raised queries about the processing of their personal data with the office,” Dixon said.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years