A decision by the State’s data protection watchdog on whether to issue the first fines against big tech companies has been delayed by “procedural queries” raised by the firms. These include issues around company information it will share with other EU regulators.
Data Protection Commissioner Helen Dixon said the regulator's decision-making on whether to fine big tech firms over potential data breaches has been delayed by "a lot of procedural queries" around information sharing with other EU regulators as part of the Irish regulator's EU-wide inquiries.
Investigations
The watchdog has undertaken 23 investigations into big tech companies, including eight into Facebook, three each into Apple and Twitter, and two each into WhatsApp and Google.
The commissioner can fine companies as much as €20 million or 4 per cent of global turnover, whichever is higher, under powerful new EU data privacy laws, but has yet to issue a fine.
Two investigations, into Facebook-owned WhatsApp and Twitter, have been concluded and are at the decision-making process on whether to impose a fine once the commissioner has consulted with other EU data regulators.
Speaking at the launch of the commissioner’s 2019 annual report, Ms Dixon said that the commissioner was looking at situations where companies in general have signalled “commercially sensitive” and “confidential” information during investigations.
She was assessing whether there were issues around the Irish regulator sharing this information with other EU data protection authorities in draft decisions arising from its investigation on whether to fine the companies.
“It is lots of lawyers on both sides,” Ms Dixon told The Irish Times, referring to the nature of the interactions between the data protection regulator and companies it has investigated.
Requirements
The rules on sharing information with other EU watchdogs – a requirement as part of the commissioner’s regulation of multinationals with EU headquarters in Dublin – was “not a particularly detailed process” and “not prescriptive” in order to allow the other regulators to express “a relevant and reasoned objection,” she said.
“We have to carefully make sure we have resolved those so that we are not later subject to a challenge on them or indeed subject to a challenge on them before we even get the draft decision to our EU counterparts,” Ms Dixon said.
WhatsApp had no comment to make. Twitter said that it had “an open relationship” with the commission and continued to work closely with it “to support their investigation as part of our shared commitment to security and privacy”.
Tech firms are said to be keen to clarify questions on any possible fine-imposing processes where precedent is set in the conclusion of an investigation case.
At the end of 2019, the regulator had 21 "cross-border" statutory inquiries ongoing into big tech companies under the General Data Protection Regulation, the new EU law that is designed to give people more control over their personal data in the digital age.
Inquiries
The regulator added two more inquiries, into search company Google and dating app Tinder, earlier this month.
Ms Dixon said that her office was “well advanced” in the decision-making process on whether to impose fines.
She insisted that the delay in issuing a fine was not a question around a shortage of resources but legal complexities around the new regulations.
She pointed out that only three EU cross-borders investigations have led to fines under GDPR: two in Malta and one in Lithuania, and the largest fine was €62,000.
“It has nothing to do with not being faster to the blocks; it is to do with the complex new legal framework that has to be stepped through carefully, particularly the first time we do it,” she said.
The commissioner had 140 staff at the end of 2019 and an annual budget of €15 million. Ms Dixon said the regulator would seek an incremental increase in staff and budget later this year.
The watchdog was receiving about 150 new complaints from the public every week. Ms Dixon said individuals were finding “quite novel ways” to apply the new EU data rules.
She referred to people who have complained about trying to “essentially defect from the Catholic Church” and want to exercise their rights to have the church erase personal records about them.