The office of the Irish Data Protection Commissioner has opened investigations into 17 multinational technology companies headquartered in Ireland, eight of which involve Facebook, commissioner Helen Dixon has said.
Speaking to The Irish Times after her appearance at a hearing of the Senate committee on commerce, science and transportation in the US Congress on Wednesday, Ms Dixon said the other investigations concern WhatsApp, Google, LinkedIn, Instagram and Twitter.
In total the office has opened more than 50 investigations spanning domestic companies, public sector bodies and the US tech giants, she said. Some of these investigations are expected to conclude by the end of the summer, though the final decision on the multinational tech companies must be approved by all 28 EU data protection commissioners. Ireland has become the regulator for a host of US multinational companies because it is the European base for many tech giants.
Ms Dixon was part of a four-member panel invited by the Senate committee to testify as part of the committee's inquiry into data privacy as the United States considers introducing a federal law on internet privacy. Much of the questioning focused on Ireland's implementation of GDPR, the EU's data privacy law which came into effect last year.
Speaking after the hearing Ms Dixon said that her office’s investigations into US tech giants included an investigation into last September’s “token” breach by Facebook which may have exposed millions of accounts, a Twitter breach which saw posts marked as private publicly disclosed, and the recent disclosure that Facebook stored hundreds of millions of users’ passwords in plain text format.
As well as focusing on security issues, the office is also investigating whether companies complied with the requirement to notify her office within 72 hours of becoming aware of the breach, she said.
Ms Dixon also said that some of the investigations concerned the notion of “layers of privacy” which was introduced under the GDPR regulation as a way of avoiding companies providing privacy notices running to hundreds of pages.
“Some of the investigations that we have open relate to complaints that the user is still finding that some key information that they need from the outset is hidden behind the layers, and that there isn’t always a consistency between the layers,” she said.
“One of the key principles of the GDPR is the principle of transparency, and providing users with intelligible and concise information about the personal data that is being collected and processed.”
Under GDPR rules, regulators can fine companies up to 4 per cent of the company’s global turnover for the previous year if they are found to be in breach of the regulation.
Outlining Ireland’s role in regulating US tech giants, Ms Dixon told the committee that her office now had 135 employees.
Ms Dixon’s appearance took place against an intense debate in the United States about data privacy laws amid moves to introduce a new federal regulation on data privacy.
The move towards a federal regulatory model was triggered by California's introduction of a new law last year to regulate data privacy. Modelled in part in the EU's landmark GDPR law, the California Consumer Privacy Act is due to come into effect early next year.
While the US was traditionally perceived to be behind the European Union when it comes to regulating data privacy, the introduction of the Californian law has prompted a scramble in Congress to come up with a federal privacy law.
US tech companies have enthusiastically backed the move for a federal regulatory system, prompting suspicions that they are pushing for a national law that would be less stringent than the Californian law.
Speaking at the hearing, Connecticut senator Richard Blumenthal, a Democrat, warned Congress not to water down the Californian law.
“Nobody believes that the people of the United States deserve less privacy protection than the people of California,” he said. “ I would oppose any effort that would preempt state laws so as to weaken protection for consumers.”