Social media giant Facebook and its subsidiaries Instagram and WhatsApp have been the subject of most data investigations in the Republic of Ireland since the European Union’s new data protection regulation came into force a year ago.
Most of the major US tech companies, including Facebook, Google, Microsoft, Twitter, Apple, LinkedIn, Airbnb and Dropbox, are registered for processing personal data in Ireland.
Ireland’s Data Protection Commission says it has launched 19 statutory investigations, 11 of which focus on Facebook, WhatsApp and Instagram.
Twitter and LinkedIn are also under investigation, and last week the commission launched a probe in to Google over the way it uses personal data to provide targeted advertising.
This follows on from Google’s €50m ($56m; £44m) fine imposed by French data regulator CNIL for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
Google is appealing against the decision.
So the responsibility for policing their compliance with the EU’s General Data Protection Regulation (GDPR) – which started in May 2018 – falls on the country’s Data Protection Commission (DPC).
Nine of the DPC’s investigations were launched after complaints from individuals or businesses, while 10 have been instigated by the DPC itself.
The most common concerns are about the legal basis for processing personal data, lack of transparency about how a company collects personal data, and people’s right to access their data.
“There has been a huge increase in awareness among individuals about their data rights since GDPR came in,” says Graham Doyle, the DPC’s head of communications.
This has led to a steep rise in complaints, with the number increasing from 2,500 in 2017 to more than 6,500 now, says Mr Doyle.
An office of 27 staff has had to be beefed up to more than 130. Mr Doyle expects the number to rise eventually to more than 200 over the next year or so.
A Facebook spokesperson said: “We spent more than 18 months working to ensure we comply with the GDPR.
“We made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. We are in close contact with the Irish Data Protection Office to ensure we are answering any questions they may have.”
The General Data Protection Regulation (GDPR) took effect in May 2018 and gives EU citizens more rights over how their personal data is collected, used and stored.
We have the right to demand a copy of our personal data from companies, and they have to comply within a month.
That data must be easy to understand and should also be presented in a machine-readable format, so that a customer could transfer all their data to a competitor.
We can ask for any incorrect data to be corrected or for the whole lot to be deleted if we want.
And companies have a responsibility to keep our data safe. If any is stolen or unwittingly shared with unauthorised organisations, companies have to inform the national data regulator within 72 hours.
“Big tech is well and truly in the spotlight at the moment following the Facebook-Cambridge Analytica scandal and other well-publicised data breaches,” says Anthony Lee, data privacy expert and partner at law firm DMH Stallard.
“A lot of these big tech companies are consumer facing so handle a lot of personal data, but come from the US which doesn’t have as strong privacy laws as Europe,” he adds.
“If they weren’t well attuned to the requirements that GDPR imposes, they certainly are now.”
According to the International Association of Privacy Professionals (IAPP), fines levied for GDPR breaches now top €56m. Fines can be as high as €20m or 4% of annual turnover.
“In the first year, we’ve seen tens of thousands of complaints and data breaches,” says Omer Tene, the IAPP’s vice president and chief knowledge officer.
“But we’ve yet to see much evidence that the GDPR has led to an improvement in organisations’ data practices.”
IAPP estimates that organisations have appointed more than 500,000 data protection officers with specific responsibility for handling GDPR-related issues.
But it thinks many companies still need to do much more to bring themselves fully into compliance.
And Ann Bevitt, partner at law firm Cooley, believes that while some companies have instigated a “wholesale change in their culture around privacy and data protection”, many others have simply engaged in “a box-ticking exercise with little to no embedded change in practice”.
A year after GDPR came in to force, she warns that “to some extent, the impact has yet to be felt, in that we haven’t yet seen significant enforcement activity, both in terms of volume and amount”.
This is likely to change over the next year as the number of completed investigations – and potential fines – rises.
There is a time lag because investigations can take many months. All parties need to be consulted before the data protection authority can reach a conclusion. Then the decision has to be circulated to all the other EU data protection authorities for approval.
And the company under investigation has the right to appeal against the final decision.
Ireland’s Data Protection Commissioner, Helen Dixon, is expected to circulate her decisions on some cases by July or August, with final rulings made by the end of the year, Mr Doyle predicts.
Big tech firms may be feeling the heat for some time to come.