GDPR one year on: No fines but considerable amounts of dread
Big tech braces for first penalties from Irish regulator under sweeping EU privacy rules
Data Protection Commissioner Helen Dixon in her Fitzwilliam Square offices. Dixon wants to extend her role into a second five-year term when her current one ends in September “to continue out the work that we have started”. Photograph: Dave Meehan
Rarely have four letters caused such dread. GDPR – the EU law designed to give people more control over their personal data in the internet age – celebrates its first birthday today.
The arrival of the General Data Protection Regulation was heralded with a high-profile public awareness campaign that informed people of their new rights around their personal information and warned businesses of their responsibility about how they used this information.
A Dublin-based address brought them an Irish regulator.
If the fines under the law initially made Silicon Valley executives sweat – and so they should given the commission’s ability to impose penalties of up to 4 per cent of turnover – they may have breathed a little easier in the past year as the Irish regulator has not yet imposed a fine under GDPR.
However, that might be about to change. Helen Dixon, the head of the DPC, expects the first draft decision on enforcement action to go to the European Data Protection Board, the independent umbrella body for national data protection authorities, in July on whether a big tech company should be fined under GDPR.
Big tech companies have become “combative” in correspondence with the commission with “constant querying” and “lots of flags being raised at every turn in terms of how we are proceeding”, she says.
The size of the multinationals’ teams they meet has increased with new personnel being introduced pointing to irrefutable evidence that the multinationals are “lawyering up” in anticipation of fines, said Dixon.
She is focused on reaching a first set of draft decisions over the coming months on some of the 19 statutory inquiries into big tech companies out of 54 investigations that her office is conducting. For her, the process has to be methodical and must take time given the precedent-setting value of enforcement and the potential for litigation challenging her decisions.
“Ultimately, what I can tell you I am about and what this office is about is not meeting artificial deadlines of anniversaries. It is not about getting out there to get a headline that I issued the first fine and then to have it appealed the next day and my decision not to stand up,” she says.
Other European regulators have imposed fines. According to the Brussels-based board, there were 11 imposed under GDPR as of the end of March totalling €55 million in penalties.
The biggest was against Google which was slapped with a €50 million fine by the French regulator CNIL, a day before supervision of the Californian company moved to the Irish regulator.
This week, the DPC opened an investigation into Google Ireland, its first against the internet behemoth, in relation to the same area that caused the French regulator concerns – the sharing of personal data through internet advertising.
Google makes billions of euro year each year from real-time ad auctions where companies bid to place ads in front of users based on their web browsing. What is at issue is how Google processes and retains personal information on the internet histories and habits of users, what it tells users about that process, and how it keeps information about their activities to a minimum as it sells ads targeting them.
Dixon sees the investigative intent of the commission’s office in opening 19 inquiries into suspected data infringements by big tech firms such as Facebook, Apple and Twitter as a better gauge of how seriously the commission is taking its responsibilities under GDPR rather than the absence of fines.
“In opening and deploying what are finite resources to any of these investigations we have opened, we have to be operating on the suspicion or preliminary evidence that there may be infringements of the GDPR at play,” Dixon says, sitting in a boardroom of her Georgian offices on Fitzwilliam Square in Dublin.
“On the basis of statistics of previous investigations we have opened, it would be very unusual if none of them ultimately yielded evidence of wrongdoing under GDPR.”
To stress the importance of policing alleged wrongdoing, Dixon says that more than 80 of the commission’s 137 staff are “on the front line of enforcing GDPR”, handling complaints and investigations.
Unlike other State regulators with a specific focus on a sector or profession, the commission has one of the widest ranges of supervision for an Irish watchdog. Where the Central Bank monitors banks and financial institutions, the commission regulates the handling of personal information across a broad remit, from Facebook to the Catholic Church to your local corner shop to households with expansive CCTV systems.
Dixon says that the “over-zealous” interpretation of GDPR requirements in some instances has shown that, even with the lack of fines, people are paying attention to and taking the new rules seriously.
She cites An Post’s removal of public bins in the GPO in Dublin as an example of a company going too far. An Post thought that rubbish containing personal details in their bins could fall foul of the new law.
“It is very hard to fathom that one but there was an absence of common sense there,” Dixon says.
The number of complaints received is another indication of the public’s awareness of the one-year-old rules. The commission is receiving an average of about 633 complaints a month and has received 6,624 in total. It receives in the region of 20,000 emails and calls a year.
They can range from queries as basic as not being able to contact a data protection officer in a company to complaints about ending an online subscription and the over-reaching demands for verifying ID that might come with that.
Complaints this year have included a gravestone company who wrote to a family suffering a bereavement offering a cheap headstone for the dead relative. Another involved a multinational using a customer’s mobile number taken to verify her account to later ask her out on a date.
There are more egregious examples. A mobile phone user complained that her ex-partner masqueraded as her to gain control of her telephone number, giving him access to future texts and calls – all because the phone company’s customer service agent failed to carry out a verification process properly.
Dixon says the commission’s broad range of responses under the new privacy law would ultimately show “a much richer picture to measure across the board what the effects of GDPR are”.
She took exception to a long, online article published on Politico Europe last month that criticised the commission’s failure to take enforcement action against a big tech firm and questioned the State’s commitment to regulate GDPR when it had “wooed top Silicon Valley firms” to create jobs in Ireland.
Asked if there was a connection between the two, Dixon replied: “Absolutely none.”
The independence of data protection authorities from governments is “poorly understood,” she says, noting that the commission’s role in fact includes the regulation of Government departments and State agencies.
One of its investigations was into the Department of Employment Affairs and Social Protection relating to the collection of people’s biometric data for the public services card. Another was into CCTV schemes across the State and the use of video technology by An Garda Síochána and local authorities.
She notes the “ramping up” of the State’s investment in the commission since she was appointed in 2014 was an example of the Government’s commitment to EU-wide regulation out of Dublin.
The regulator’s budget has risen from €1.9 million to €15.2 million within that timeframe. Dixon plans to recruit another 30 staff this year and wants another budget increase from Government for 2020.
“We’re the most rapidly growing data protection authority in the EU,” she said.
In spite of this, some feel that the regulator is not hiring at the right level though. Simon McGarr, director of Data Compliance Europe, said the commission needs to pay higher salaries if it wants to recruit the best staff. Paying a senior lawyer a starting salary of €66,000 to regulate the richest companies in the world is not enough, he argues.
McGarr has suggested that staff at the commission should be paid outside civil service pay rates like at the National Treasury Management Agency. Long-term retention of staff would be critical to its capacity to investigate and enforce data protection laws, he says.
“The DPC should be considered a specialist case with very highly skilled but also highly paid people outside the civil service wage structure. It is such a critical office for the State,” he said.
TJ McIntyre, a law lecturer at UCD and chairman of Digital Rights Ireland, says the commission’s staff levels need to be increased to a minimum of 200 to become an effective regulator.
On the lack of fines under GDPR, he agreed that the Irish legal environment makes regulators “gun shy” when it comes to enforcement, while the “institutional knowledge” built up from aggressive action over time “is not there”. The new law’s fining powers is putting the regulator into new territory.
“They are being understandably cautious about dotting the ‘i’s and crossing the ‘t’s to avoid the possibility of these decisions being successfully appealed or judicially reviewed,” he said.
Dixon sees lots of unfinished business and a commission in transition. She wants to extend her role into a second five-year term when her current one ends in September “to continue out the work that we have started”.
Given the anticipated enforcement actions, year two of GDPR looks set to bring a whole new level of dread to Irish-based big tech firms.
GDPR: ONE YEAR ON
Complaints received: 6,624
Breach notifications received: 5,818
Contacts made to DPC: 48,000
Statutory inquiries into ‘big tech’ multinationals:
WhatsApp (owned by Facebook): 2
Instagram (owned by Facebook): 1
LinkedIn (owned by Microsoft): 1