Facebook Irish privacy probe outcome possible within months

Data protection commission has been investigating whether GDPR has been violated

Facebook is facing seven EU investigations. The social media giant also has to deal with separate privacy investigations into Instagram and WhatsApp. Photograph: Dado Ruvic/Reuters

Facebook may know by this summer whether it could face billions of euro in fines stemming from potential violations of the European Union's data privacy law.

The Data Protection Commission in Ireland has been investigating whether the social media giant's data practices have violated the General Data Protection Regulation.

"We are well advanced, but not at the final stages," data protection commissioner Helen Dixon told Bloomberg on the sidelines of the International Privacy and Security Forum in Washington, DC. Ms Dixon said Irish investigators will give her a report "certainly in the next two months".

Companies can face fines of up to 4 per cent of annual revenue or €20 million, whichever is greater, for violating the GDPR.


If Ms Dixon’s office finds that Facebook did so, it could result in more than $2 billion (€1.8 billion) in fines for Facebook, based on its fiscal year 2018 revenue of $55.8 billion.

Facebook spokesman Andy Stone declined to comment "on any of the ongoing investigations".

Investigative report

Facebook likely will be given investigative report soon, Ms Dixon said. The office “is literally on the verge of issuing” initial reports to the parties, she said.

Ms Dixon's office is investigating several tech companies, including Apple, Twitter, and LinkedIn for alleged GDPR violations. All of the companies have their European headquarters in Ireland.

The investigative report will kick off a comment period during which Facebook and parties claiming harm from alleged violations are able to weigh in on the findings. Ms Dixon said that process takes about six weeks, after which she will consider the final report.

The European Data Protection Board, a collection of other EU data protection commissioners, are also involved, but Ms Dixon is the lead regulator under the EU’s one-stop-shop enforcement mechanism.

EU privacy regulators take into account any remediation companies take to limit ongoing alleged EU privacy actions. Any such efforts are weighed against the “gravity, nature, and duration” of any alleged infringement of EU privacy law, Ms Dixon said.

Ongoing Efforts

Facebook is currently facing seven EU investigations. The social media giant also has to deal with separate privacy investigations into Instagram and WhatsApp.

Ms Dixon said she’s been working with Facebook on data protection areas such as “looking back at the Facebook app developer program,” which has 1.6 million app developers, and how they are overseeing the program.

Data protection commissioner Helen Dixon

Ms Dixon said those reviews are ongoing and that she wants to make sure Facebook is properly vetting developers when they access user data.

The number of large tech companies subject to Ireland’s privacy oversight may increase depending on the outcome of Brexit, Ms Dixon said. Under a no-deal Brexit, data transfers from the EU to the UK would grind to a halt without some other data transfer mechanism, she said.

Companies based in the UK, Ms Dixon said, would have to designate representatives in the EU to deal with any European enforcement matters. Ms Dixon said some companies, including Accenture, have indicated they will be taking their operations to Ireland. – Bloomberg