Helen Dixon, who leads Ireland’s Data Protection Commission, said her office is on track to make draft decisions in roughly half a dozen privacy cases involving big technology companies this year, compared with just two last year.
“The pipeline is very strong. The momentum is building in terms of concluding these inquiries,” Ms. Dixon said in an interview.
Ms. Dixon is one of the world’s most influential privacy regulators because the data commission she leads is in charge enforcing the EU’s General Data Protection Regulation, or GDPR, for companies that have their regional headquarters in Ireland.
Two cases, involving Facebook, are already on Ms. Dixon’s desk for draft decisions, she said. Five others, including one involving Google and others involving Facebook subsidiaries, are nearing the end of their investigations, with final reports either submitted to the companies for a final round of comments or received back, she added.
Ireland in December also submitted a draft decision in a case involving WhatsApp, a Facebook subsidiary, for approval to fellow EU privacy regulators. The Irish data commission is currently considering a number of their objections, Ms. Dixon said. A final decision is possible in the coming months.
A Google spokesman confirmed the company had received Ireland’s investigative report, adding: “We are continuing to cooperate fully with the office of the Data Protection Commission in its inquiry.” Facebook declined to comment.
The plans to ramp up the Irish data commission’s output come as Silicon Valley is coming under unprecedented scrutiny around the globe.
U.S. federal and state officials have filed antitrust lawsuits against Google and Facebook, while competition regulators in the EU are examining other cases involving Amazon and Apple. A showdown between tech companies and Australia over a new law has given added prominence to the question of whether publishers should get paid for news available via tech platforms—and if so, how much.
But Ms. Dixon is facing increasing pressure from some privacy activists to speed up her enforcement of the EU’s flagship privacy law. Nearly three years after the GDPR went into effect, there have been few major decisions or fines against big tech companies. The first cross-border fine against a prominent tech company under the law was Ireland’s 450,000-euro fine, equivalent to about $547,000, in December against Twitter Inc.
Instead, the largest European privacy fines against big tech companies in recent years were issued last fall by France’s privacy regulator, CNIL, which used a separate law, called the ePrivacy directive, to fine Google and Amazon.com Inc. a combined $163 million.
Ms. Dixon says fines are important but only part of the picture. She said Wednesday that Ireland’s cases take a long time because they have so far involved novel, complex law, and companies must be given their due-process rights to respond substantively to all allegations during an investigation.
“There are unrealistic expectations about the nature of these inquiries and how quickly they can conclude,” Ms. Dixon said. “There tends to be a view that just because somebody tweets that something is a breach—I should have written a decision and slapped on a fine the day before—and this is just nonsense.”
In addition, Ireland’s draft decisions in cross-border cases like those involving tech giants must be reviewed and finalized along with the EU’s other privacy regulators as part of the GDPR’s power-sharing rules. In the Twitter case, that process, including squabbling over the amount of the fine, added half a year between the draft decision and the final fine.
Bigger fines may be coming from Ireland’s data commission. WhatsApp’s Irish unit in November reported in corporate filings that it had set aside €77.5 million for potential fines from the commission. Ms. Dixon declined to comment on the amount of any fine she recommended in the draft decision that she shared with her EU counterparts in December.
Some of the cases also drive toward the core of some tech companies’ business model. One set of cases nearing decisions looks at allegations from a privacy-advocacy group that users are forced to consent to Facebook’s terms and conditions, and whether the company actually needs personal data for advertising to provide its service.
Also on Ms. Dixon’s plate: a separate battle with Facebook over whether the social network will have to suspend at least some transfers of data about its EU users to servers in the U.S. The commission told Facebook in August that it believed a ruling from the EU’s top court last summer required Facebook to suspend some such transfers, because of concerns about U.S. surveillance authorities’ access to the data.
Facebook appealed to stop Ireland from issuing an order, which is now paused pending a judicial review in Ireland. Ms. Dixon said the regulator fully defended its position in a December court hearing, and that a decision is expected in coming months.
This story has been published from a wire agency feed without modifications to the text.