Irish data regulator racks up GDPR cases against Big Tech

Complaints soared by 75% in 2019 and multinational tech probes climbed to 21, although no fines were collected

The Irish Data Protection Commission (DPC) extended the number of investigations against Silicon Valleys biggest companies to 21 last year, although there’s no indication as to when any of these cases will be closed.

Six inquiries were opened into multinational tech companies throughout 2019, the first full year that’s passed since the General Data Protection Regulation (GDPR) was introduced, according to its annual review. 

Advertisement - Article continues below

This is in addition to 15 inquiries into the likes of Facebook and Google the watchdog had opened previously, with ten opened into companies owned by the former entity alone. 

The new inquiries include an examination of whether Facebook breached rules by allegedly storing hundreds of millions of passwords without encryption. Since the end of last year, the DPC has also opened a probe into Google and Match Group, which runs Tinder, for violations concerning the data procession of users’ location data.

“We have been busy during 2019 issuing guidance to organisations, resolving individuals’ complaints, progressing larger-scale investigations, reviewing data breaches, exercising our corrective powers, cooperating with our EU and global counterparts and engaging in litigation to ensure a definitive approach to the application of the law in certain areas,” said the commissioner for data protection, Helen Dixon.

Advertisement - Article continues below

“Much more remains to be done in terms of both guiding on proportionate and correct application of this principles-based law and enforcing the law as appropriate. 

“But a good start is half the battle and the DPC is pleased at the foundations that have been laid in 2019. We are already expanding our team of 140 to meet the demands of 2020 and beyond.”   

Advertisement - Article continues below

The watchdog received 7,215 complaints throughout 2019, which represents a sharp 75% rise against the total number of complaints received the previous year, during which GDPR was first introduced. 

Of the complaints received in 2019, a total of 5,496 concluded, leaving 1,719 unresolved - including all those against multinational tech giants. 

Valid data security breaches, meanwhile, hit 6,069 during 2019, representing a 71% increase on the total for 2018, 3,542. The largest category in this segment was “unauthorised disclosers”.

Moreover, due to a litany of organisations, including tech firms, basing their headquarters in Ireland to minimise tax liability, the DPC has found itself serving as the lead investigator for cross-border GDPR probes. Under this one-stop-shop mechanism, 457 complaints were received during 2019

Despite opening and concluded a wealth of investigations, however, the DPC has also collected nothing in fines since May 2018, according to a study released in January.

Advertisement - Article continues below

The slow progress on administering fines, and in investigating the larger tech companies, can be explained by the fact that a new legal framework with significant penalties “is always going to take time to implement correctly”.  

The DPC currently has 30 live litigation cases as of the end of 2019, and passages from the report suggest the organisation wants to take its time in order to get its rulings right and ensure they cannot be legally challenged.

“There is certainly no shortage of commitment and capability at the Irish DPC,” the report said. “But equally there is a keen awareness of the legal requirement to apply fair procedures and what it takes to bring cases over the line and the DPC remains focussed on this job. 

“As we have consistently said, there would be little benefit in mass producing decisions only to have them overturned by the courts.”

Looking forward, Dixon added that the business culture can move into the realm of “data protection by design” to ensure next-gen technologies don’t suffer from the problems “we sleep-walked into” over the last 20 years.

Advertisement - Article continues below

The DPC is hoping to have encouraged big tech firms to adopt a code of conduct to protect children online by the end of 2020. 

These aims are similar to that of the UK government, which has recently nominated Ofcom as the statutory regulator charged with overseeing content hosted on social media platforms like Facebook and Instagram.

The move formed part of the government’s response to the ‘Online Harms’ white paper, which was published last year. These proposals, however, were significantly stronger than those released in 2019, including the establishment of an entirely new regulatory organisation, with powers to fine tech giants heavily.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now


General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular


Ransomware collective claims to have hacked NASA IT contractor

3 Jun 2020

The UK looks to Japan and South Korea for 5G equipment

4 Jun 2020

How data science is transforming business

29 May 2020