Irish data regulator racks up GDPR cases against Big Tech
Complaints soared by 75% in 2019 and multinational tech probes climbed to 21, although no fines were collected
The Irish Data Protection Commission (DPC) extended the number of investigations against Silicon Valleys biggest companies to 21 last year, although there’s no indication as to when any of these cases will be closed.
Six inquiries were opened into multinational tech companies throughout 2019, the first full year that’s passed since the General Data Protection Regulation (GDPR) was introduced, according to its annual review.
This is in addition to 15 inquiries into the likes of Facebook and Google the watchdog had opened previously, with ten opened into companies owned by the former entity alone.
The new inquiries include an examination of whether Facebook breached rules by allegedly storing hundreds of millions of passwords without encryption. Since the end of last year, the DPC has also opened a probe into Google and Match Group, which runs Tinder, for violations concerning the data procession of users’ location data.
“We have been busy during 2019 issuing guidance to organisations, resolving individuals’ complaints, progressing larger-scale investigations, reviewing data breaches, exercising our corrective powers, cooperating with our EU and global counterparts and engaging in litigation to ensure a definitive approach to the application of the law in certain areas,” said the commissioner for data protection, Helen Dixon.
“Much more remains to be done in terms of both guiding on proportionate and correct application of this principles-based law and enforcing the law as appropriate.
“But a good start is half the battle and the DPC is pleased at the foundations that have been laid in 2019. We are already expanding our team of 140 to meet the demands of 2020 and beyond.”
The watchdog received 7,215 complaints throughout 2019, which represents a sharp 75% rise against the total number of complaints received the previous year, during which GDPR was first introduced.
Of the complaints received in 2019, a total of 5,496 concluded, leaving 1,719 unresolved - including all those against multinational tech giants.
Valid data security breaches, meanwhile, hit 6,069 during 2019, representing a 71% increase on the total for 2018, 3,542. The largest category in this segment was “unauthorised disclosers”.
Moreover, due to a litany of organisations, including tech firms, basing their headquarters in Ireland to minimise tax liability, the DPC has found itself serving as the lead investigator for cross-border GDPR probes. Under this one-stop-shop mechanism, 457 complaints were received during 2019
Despite opening and concluded a wealth of investigations, however, the DPC has also collected nothing in fines since May 2018, according to a study released in January.
The slow progress on administering fines, and in investigating the larger tech companies, can be explained by the fact that a new legal framework with significant penalties “is always going to take time to implement correctly”.
The DPC currently has 30 live litigation cases as of the end of 2019, and passages from the report suggest the organisation wants to take its time in order to get its rulings right and ensure they cannot be legally challenged.
“There is certainly no shortage of commitment and capability at the Irish DPC,” the report said. “But equally there is a keen awareness of the legal requirement to apply fair procedures and what it takes to bring cases over the line and the DPC remains focussed on this job.
“As we have consistently said, there would be little benefit in mass producing decisions only to have them overturned by the courts.”
Looking forward, Dixon added that the business culture can move into the realm of “data protection by design” to ensure next-gen technologies don’t suffer from the problems “we sleep-walked into” over the last 20 years.
The DPC is hoping to have encouraged big tech firms to adopt a code of conduct to protect children online by the end of 2020.
These aims are similar to that of the UK government, which has recently nominated Ofcom as the statutory regulator charged with overseeing content hosted on social media platforms like Facebook and Instagram.
The move formed part of the government’s response to the ‘Online Harms’ white paper, which was published last year. These proposals, however, were significantly stronger than those released in 2019, including the establishment of an entirely new regulatory organisation, with powers to fine tech giants heavily.