Facebook faces seven separate data-protection investigations in the Republic as the data protection commissioner looks to take advantage of new rules that allow her office to impose hefty fines.
The investigations are among 16 cases targeting big technology companies including Twitter, Apple, LinkedIn, and also Facebook's WhatsApp and Instagram, commissioner Helen Dixon said.
Many of the investigations opened by the Irish and other EU regulators “are centred on the activities of very big internet companies with tens and hundreds of millions of users,” she said following a conference in Brussels this week. That could ultimately be “a very large factor when looking at the scale of a fine”.
She said: “Companies are lawyering up and we’re typically dealing with more litigators and lawyers on the side of any inquiry that we conduct.”
Regulators throughout Europe are looking to increase the level of fines they issue under the EU's new General Data Protection Regulation, which allows penalties as large as 4 per cent of a company's annual revenue. A record €50 million French fine against Google last month showed that watchdogs took the new guidelines seriously.
“Undoubtedly, the Google fine is not the last of them,” said Ms Dixon, who has been in the post since 2014.
Ms Dixon may be the EU’s key regulator because so many American tech companies have their European headquarters in the Republic, including Facebook, Twitter, Google and Apple. Google has appealed its French fine. Facebook didn’t immediately respond to a request for comment and Twitter declined to comment.
Facebook in October became the first big test case under the EU’s new rules when the Irish authority opened an investigation into a security breach that affected as many as 50 million accounts. In December, the DPC announced a second probe into several other breach notifications by Facebook. That investigation also looks at a breach caused by a software bug that gave outside developers broader access to the photos of millions of users. Ms Dixon says she’s aware that many of the decisions her office will make will act as a precedent for the rest of the sector.
“They’re not trivial, the cases we’re deciding,” she said, indicating that first decisions in open cases may come as soon as this summer. “We’re at various concrete stages in all of them, but they’re all substantially advanced,” she said.
“The soonest I am going to see an investigation report on my desk, which is when my role kicks in” to make a final decision on sanctions in case of an infringement “is likely to be June or July in the bigger cases.”
Scrutiny of Facebook has intensified with the revelations last year that the data of millions of users, mostly in the US and UK, could have ended up in the hands of Cambridge Analytica, a consulting firm that was linked to Donald Trump's US presidential campaign.
Competition regulators in Germany have also been looking closely at the company and could call on Facebook to change privacy terms in its contracts within weeks.
Many of the breach notifications the DPC has received since May 25th are related to coding errors, Ms Dixon said. This results in issues such as posts being made public that should have been private, or in a major breach. “No company seems to be immune from this,” she said.
Companies do alert regulators quickly. Apple has already been in touch about the FaceTime video chat service bug which allowed hackers to eavesdrop on conversations. Ms Dixon said the glitch “sounds frightening.”
Her office will have to look at the circumstances in which the bug manifested itself and whether any users were actually affected. She said that the issues with Apple “are very different with the broader internet companies” because of the vertical integration between their devices and services.
“Apple has been in touch with us” this week “but the information we have at this point is preliminary,” she said. “We need a lot more facts, we need to hear a lot more from Apple.” The company didn’t immediately respond to a request for comment.
GDPR rules require regulators to consider a sanction and a possible administrative fine whenever a probe finds there has been a violation of the rules. “If there are infringements that will have affected hundreds of millions of users potentially, then that is the certainty rather than the likelihood,” said Ms Dixon.
Going down a purely punitive route, however, won’t change behaviour, she said. This requires using the new powers regulators now have, plus engaging more and educating oneself about these companies, their industry and technology “while making sure you’re not subject to regulatory capture.”
Still, having the ability to threaten with a “very big punitive fine is a very useful tool,” Dixon said. And GDPR has brought other changes, too.
“It does show the power that they have in terms of the size. But we have all the cards in terms of the powers to investigate, to compel and ultimately to conclude and make findings.” – Bloomberg