Facebook faces seven separate data-protection probes in Ireland as the country’s privacy regulator looks to take advantage of new rules that allow it to impose hefty fines.
The investigations are among 16 cases targeting big technology companies including Twitter, Apple, LinkedIn, and also Facebook’s WhatsApp and Instagram, Helen Dixon, Ireland’s data protection commissioner, said in an interview.
Many of the probes opened by the Irish and other EU regulators “are centered on the activities of very big internet companies with tens and hundreds of millions of users,” she said following a conference in Brussels this week. That could ultimately be “a very large factor when looking at the scale of a fine”.
Regulators throughout Europe are looking to increase the level of fines they issue under the EU’s new General Data Protection Regulation, which allows penalties as large as 4% of a company’s annual revenue. A record 50 million-euro ($57 million) French fine against Google last month showed that watchdogs took the new guidelines seriously.
“Undoubtedly, the Google fine is not the last of them,” said Dixon, who has been in the post since 2014.
Dixon may be the region’s key regulator because so many American tech companies have their European headquarters in Ireland, including Facebook, Twitter, Google and Apple.
Google has appealed its French fine. Facebook didn’t immediately respond to a request for comment and Twitter declined to comment.
Facebook in October became the first big test case under the EU’s new rules when the Irish authority opened a probe into a security breach that affected as many as 50 million accounts. In December, Dixon’s office announced a second probe into several other breach notifications by Facebook. That probe also looks at a breach caused by a software bug that gave outside developers broader access to the photos of millions of users.
Dixon says she’s aware that many of the decisions her office will make will act as a precedent for the rest of the sector.
“They’re not trivial, the cases we’re deciding,” she said, indicating that first decisions in open cases may come as soon as this summer.
“We’re at various concrete stages in all of them, but they’re all substantially advanced,” she said. “The soonest I am going to see an investigation report on my desk, which is when my role kicks in” to make a final decision on sanctions in case of an infringement “is likely to be June or July in the bigger cases”.
Scrutiny of Facebook has intensified with the revelations last year that the data of millions of users, mostly in the US and UK, could have ended up in the hands of Cambridge Analytica, a consulting firm that was linked to Donald Trump’s US presidential campaign. Antitrust regulators in Germany have also been looking closely at the company and could call on Facebook to change privacy terms in its contracts within weeks.
Many of the breach notifications Dixon’s office has received since May 25 are related to coding errors, she said. This results in issues such as posts being made public that should have been private, or in a major breach. “No company seems to be immune from this,” she said.
Companies do reach out to regulators quickly. Apple has already been in touch about the FaceTime video chat service bug which allowed hackers to eavesdrop on conversations.
Dixon said the glitch “sounds frightening”.
Her office will have to look at the circumstances in which the bug manifested itself and whether any users were actually affected. She said that the issues with Apple “are very different with the broader internet companies” because of the vertical integration between their devices and services.
“Apple has been in touch with us” this week “but the information we have at this point is preliminary,” she said. “We need a lot more facts, we need to hear a lot more from Apple.”
The company didn’t immediately respond to a request for comment.
GDPR rules require regulators to consider a sanction and a possible administrative fine whenever a probe finds there has been a violation of the rules.
“If there are infringements that will have affected hundreds of millions of users potentially, then that is the certainty rather than the likelihood,” said Dixon, who has postgraduate qualifications in European economic and public affairs, governance, computer science, official statistics for policy evaluation, and judicial skills and decision making.
Going down a purely punitive route, however, won’t change behavior, she said. This requires using the new powers regulators now have, plus engaging more and educating oneself about these companies, their industry and technology “while making sure you’re not subject to regulatory capture”.
Still, having the ability to threaten with a “very big punitive fine is a very useful tool,” Dixon said. And GDPR has brought other changes, too.
“Companies are lawyering up and we’re typically dealing with more litigators and lawyers on the side of any inquiry that we conduct,” she said. “It does show the power that they have in terms of the size. But we have all the cards in terms of the powers to investigate, to compel and ultimately to conclude and make findings.”