15 GDPR Probes in Ireland Target Facebook, Twitter, OthersFacebook Alone the Focus of 10 Separate Regulatory Investigations by Privacy Watchdog
Ireland's privacy watchdog has its eye on Facebook. Of 15 major investigations that the Data Protection Commission has underway, 10 focus on the social network.
All of the investigations have been launched since the EU's strong new privacy law, the General Data Protection Regulation, went into full effect on May 25, 2018.
"In 2018, the DPC opened inquiries into data-processing activities of Facebook, Apple, Twitter, LinkedIn, WhatsApp and Instagram, looking at issues ranging from large-scale data breaches to legal bases for processing to transparent presentation to users," the DPC says in its annual report for 2018 released on Thursday. "All these inquiries should reach the decision and adjudication stage later this year, and it's our intention that the analysis and conclusions in the context of those inquiries will provide precedents for better implementation of the principles of the GDPR across key aspects of internet and ad tech services."
The regulator says it's focusing on some of the world's biggest data processors first so that it can extract lessons from which others can learn. "There are undoubtedly areas of risk to be examined in sectors beyond the free internet services, but initial complaints and breaches have focused the DPC in this area and warrant attention in light of the hundreds of millions of users implicated," the DPC's report says.
Facebook didn't immediately respond to a request for comment. But Facebook told NBC that it spent more than 18 months working to comply with GDPR.
"We made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download and delete their information," the company said. "We are in close contact with the Irish Data Protection Office to ensure we are answering any questions they may have."
Twitter says it's also continuing to work with the DPC. "We are fully committed to working with the Data Protection Commissioner's Office to improve the already strong data and privacy protections we offer to the people who use our services," Twitter tells Information Security Media Group in a statement. "As always, our approach is one of transparency and openness."
In Ireland, the DPC is in charge of enforcing GDPR and about 20 other national laws that touch on privacy rights.
Any EU member state can initiate a GDPR investigation into an organization's data security and privacy practices. But Ireland's DPC takes the lead on all European investigations under GDPR that involve Facebook. That's because Facebook has its EU "main establishment" in Dublin, and so it qualifies for a one-stop-shop mechanism under GDPR that ensures that only the privacy watchdog in the country in which it is headquartered conducts any privacy investigations (see: Ireland's Privacy Watchdog Probes Facebook Data Breaches).
Other foreign technology companies that have their EU main establishments in Ireland include Apple, Microsoft, Twitter, Dropbox, Airbnb, LinkedIn, Oath, WhatsApp, Yelp and MTCH Technology, which owns Match, OkCupid, PlentyOfFish and Tinder. Google is also in the process of making Ireland its EU main establishment.
Breach Notifications Increase
Beyond revealing that Ireland's privacy watchdog has more than a dozen major GDPR investigations underway, the DPC's annual report also counts all of the data breach notifications and privacy complaints it has received (see: Data Breach Reports in Europe Under GDPR Exceed 59,000).
Last year, after GDPR went into full effect in May, the DPC received 3,542 valid data security breach reports. It received 4,740 for all of 2018, up 70 percent from 2017. The increase is not surprising because GDPR for the first time required all organizations to disclose any breach involving Europeans' personal data.
Breaches were blamed on a wide range of causes, including the loss in the mail of USB storage devices storing personal data, phishing attacks, the loss of physical files in transit by a courier - for which no backups had been kept - and SIM swap attacks against online bank account holders.
From May 25 to Dec. 31, 2018, the DPC also received 38 data breach notifications involving 11 multinational technology companies. Some of these, such as the Facebook single sign-on breach, resulted in the DPC launching investigations (see: Facebook Submits GDPR Breach Notification to Irish Watchdog).
In December 2018, ISMG reported that the number of data breach reports filed since GDPR went into effect had hit about 3,500 in Ireland, over 4,600 in Germany, 6,000 in France and 8,000 in the U.K. (see: GDPR: EU Sees More Data Breach Reports, Privacy Complaints).
Security experts say the increase in breach reports does not necessarily mean that the frequency of data breaches is rising. Rather, GDPR's mandatory breach reporting requirement is for the first time beginning to provide visibility into the actual prevalence of data breaches in Europe.
Privacy Complaints Spike
Last year after GDPR went into full effect, the DPC received 2,864 privacy complaints. Under GDPR, as with prior European privacy rules, any European can file a complaint with their country's privacy watchdog if they believe that their personal data has been misused.
For all of 2018, the DPC said it received 4,113 privacy complaints, which was a 56 percent increase from 2017 (see: GDPR Effect: Data Protection Complaints Spike).
"The rise in the number of complaints and queries demonstrates a new level of mobilization to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data," says Helen Dixon, Ireland's data protection commissioner.
Irish Regulator is Hiring
Given Ireland's status as the main EU establishment for so many overseas technology firms, the DPC says it's been continuing to expand.
"The Irish DPC has been in expansion mode for the past four years, and we are not stopping now," Dixon says. "Following a major recruitment campaign in 2018, 30 new staff had joined the DPC by the end of December, with a further 20 coming on board in January 2019, so that the DPC has grown to 135 staff. We will recruit an additional 30 staff this year in order to meet the demands of the tasks assigned under the GDPR and to deliver public value in what is an area of critical importance to society."