Ireland's Data Protection Commission Reports Multiple GDPR Investigations on Tech Giants
Ireland's Data Protection Commission (DPC), headed by the Commissioner for Data Protection, Helen Dixon, has published its first annual report since the General Data Protection Regulation (GDPR) came into force in May 2018. It shows that Europeans are taking their new privacy rights very seriously. In the five months of 2018 pre-GDPR, the DPC received 1,249 privacy complaints. In the seven months post-GDPR, it received a further 2,864. The total of more than 4,000 complaints in 2018 is up from less than 1000 in 2015.
The section of the report (PDF) most relevant to Americans and American firms operating in Europe, however, is Section 7: Technology Multinationals Supervision. Many of the big American tech companies have their European headquarters in Ireland, primarily attracted by Ireland's low corporate tax rate of 12.5%. Many of these are centered around the Dublin area that has come to be known a Silicon Docks.
Headquartered in Ireland means that the Irish regulator will have primary role in enforcing GDPR compliance; and the DPC is taking this role seriously.
"As of 31 December 2018, the DPC had 15 statutory inquiries (investigations) open in relation to multinational technology companies compliance with the GDPR." These investigations result from complaints received, from breaches notified, and "at the DPC's own volition having identified matters that warranted further examination."
Nine of the investigations are described as 'complaint-based'; six as an 'own-volition inquiry'. Seven relate to Facebook Ireland Limited (one of them being more specifically Instagram); one to Facebook Inc; two to WhatsApp Ireland Ltd; two to Twitter International Co; two to Apple Distribution International, and one to LinkedIn Ireland Unlimited Company.
The most common complaint-based cause of investigation is an examination of the lawful basis for processing personal information, sometimes at all, but often in the context of behavioral analysis and targeted advertising. Facebook and Twitter are also being investigated under GDPR's 'right of access' obligations. One of the Apple investigations, complaint-based, is examining whether Apple has discharged its transparency obligations.