Data watchdog close to decisions on fines in up to seven ‘Big Tech’ investigations

Privacy regulator says data breach notifications rose 10 per cent to 6,628 last year

The State’s data-privacy watchdog expects to share draft decisions on possible fines arising from up to seven investigations into big tech companies with other European regulators this year.

Helen Dixon, the commissioner, said that among 27 investigations into large social media and internet companies, she expects to share "six or seven" decisions with fellow European Union regulators on inquiries into Facebook and its subsidiaries Instagram and WhatsApp, along with Google and Verizon.

Ms Dixon was speaking on the publication of the Data Protection Commission's 2020 annual report which shows the DPC received 354 complaints on cross-border data issues under a one-stop-shop mechanism that makes it the EU regulator for tech multinationals under the General Data Protection Regulation (GDPR), the sweeping privacy law passed in 2018. This was down from 457 complaints in 2019.

The regulator recorded a total of 6,628 valid data-protection breaches last year, an increase of 604, or 10 per cent, on the figure for 2019. Some 5,932 breach cases were concluded.

In addition to the 27 cross-border inquiries, the DPC is carrying out 56 domestic inquiries.

Unauthorised disclosures accounted for 86 per cent of the breach notifications.

The child and family agency Tusla was hit with fines totalling €200,000 last year, including the first fine issued in the State under GDPR: €75,000 in May 2020 for three personal data breaches.

These included the agency unintentionally providing an individual accused of child sex abuse with the address of the child who made the complaint and her mother’s telephone number.

Tusla was fined a further €40,000 fine for a breach where a letter sent to a third party included the identify of individuals who had made allegations of abuse and the details of the allegations.

The agency was fined €85,000 last year over a further 71 personal data breaches.

HSE fined

The Health Service Executive was fined €65,000 last year after personal data from Cork University Maternity Hospital was found by a member of the public in a recycling area and medical records for 15 patients from Our Lady of Lourdes Hospital were discovered in a housing estate in Drogheda.

Ms Dixon said that many unauthorised disclosures arose from human error but advised organisations to identify high-risk processes and design systems to eliminate human errors.

“That maybe where you need two people checking what’s gone into an envelope. It may be as low-tech as that. It’s not acceptable for organisations to say that mistakes happen,” she said.

The DPC imposed its first fine in a “cross-border” case last year – €450,000 against Twitter – under the EU’s 2018 data privacy law.

The regulator circulated its second preliminary decision in a cross-border inquiry, made in 2020 against WhatsApp, Facebook’s messaging app, to other EU regulators last month.

Ms Dixon said that two inquiries into Facebook were already in the decision-making process and two further investigations into WhatsApp and Instagram have completed their inquiry phases.

Progress has made in another three investigations, into Instagram, Google and Verizon.

“It is on that basis that I am estimating that six or seven will go to article 60 [draft decisions circulated to other EU regulators] in this calendar year,” she said.