General Data Protection Regulation (GDPR) , Governance & Risk Management , Incident & Breach Response

15 GDPR Probes in Ireland Target Facebook, Twitter, Others

Facebook Alone the Focus of 10 Separate Regulatory Investigations by Privacy Watchdog
15 GDPR Probes in Ireland Target Facebook, Twitter, Others
Facebook CEO Mark Zuckerberg meets with European politicians in Brussels in May 2018. (Photo: European Parliament)

Ireland's privacy watchdog has its eye on Facebook. Of 15 major investigations that the Data Protection Commission has underway, 10 focus on the social network.

See Also: OnDemand - XDR: Five Factors to Keep in Mind for Better Implementation

All of the investigations have been launched since the EU's strong new privacy law, the General Data Protection Regulation, went into full effect on May 25, 2018.

"In 2018, the DPC opened inquiries into data-processing activities of Facebook, Apple, Twitter, LinkedIn, WhatsApp and Instagram, looking at issues ranging from large-scale data breaches to legal bases for processing to transparent presentation to users," the DPC says in its annual report for 2018 released on Thursday. "All these inquiries should reach the decision and adjudication stage later this year, and it's our intention that the analysis and conclusions in the context of those inquiries will provide precedents for better implementation of the principles of the GDPR across key aspects of internet and ad tech services."

The regulator says it's focusing on some of the world's biggest data processors first so that it can extract lessons from which others can learn. "There are undoubtedly areas of risk to be examined in sectors beyond the free internet services, but initial complaints and breaches have focused the DPC in this area and warrant attention in light of the hundreds of millions of users implicated," the DPC's report says.

Facebook didn't immediately respond to a request for comment. But Facebook told NBC that it spent more than 18 months working to comply with GDPR.

"We made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download and delete their information," the company said. "We are in close contact with the Irish Data Protection Office to ensure we are answering any questions they may have."

Twitter says it's also continuing to work with the DPC. "We are fully committed to working with the Data Protection Commissioner's Office to improve the already strong data and privacy protections we offer to the people who use our services," Twitter tells Information Security Media Group in a statement. "As always, our approach is one of transparency and openness."

One-Stop Shop

In Ireland, the DPC is in charge of enforcing GDPR and about 20 other national laws that touch on privacy rights.

Any EU member state can initiate a GDPR investigation into an organization's data security and privacy practices. But Ireland's DPC takes the lead on all European investigations under GDPR that involve Facebook. That's because Facebook has its EU "main establishment" in Dublin, and so it qualifies for a one-stop-shop mechanism under GDPR that ensures that only the privacy watchdog in the country in which it is headquartered conducts any privacy investigations (see: Ireland's Privacy Watchdog Probes Facebook Data Breaches).

Other foreign technology companies that have their EU main establishments in Ireland include Apple, Microsoft, Twitter, Dropbox, Airbnb, LinkedIn, Oath, WhatsApp, Yelp and MTCH Technology, which owns Match, OkCupid, PlentyOfFish and Tinder. Google is also in the process of making Ireland its EU main establishment.

Breach Notifications Increase

Source: DPC

Beyond revealing that Ireland's privacy watchdog has more than a dozen major GDPR investigations underway, the DPC's annual report also counts all of the data breach notifications and privacy complaints it has received (see: Data Breach Reports in Europe Under GDPR Exceed 59,000).

Last year, after GDPR went into full effect in May, the DPC received 3,542 valid data security breach reports. It received 4,740 for all of 2018, up 70 percent from 2017. The increase is not surprising because GDPR for the first time required all organizations to disclose any breach involving Europeans' personal data.

Breaches were blamed on a wide range of causes, including the loss in the mail of USB storage devices storing personal data, phishing attacks, the loss of physical files in transit by a courier - for which no backups had been kept - and SIM swap attacks against online bank account holders.

Source: DPC

From May 25 to Dec. 31, 2018, the DPC also received 38 data breach notifications involving 11 multinational technology companies. Some of these, such as the Facebook single sign-on breach, resulted in the DPC launching investigations (see: Facebook Submits GDPR Breach Notification to Irish Watchdog).

In December 2018, ISMG reported that the number of data breach reports filed since GDPR went into effect had hit about 3,500 in Ireland, over 4,600 in Germany, 6,000 in France and 8,000 in the U.K. (see: GDPR: EU Sees More Data Breach Reports, Privacy Complaints).

Security experts say the increase in breach reports does not necessarily mean that the frequency of data breaches is rising. Rather, GDPR's mandatory breach reporting requirement is for the first time beginning to provide visibility into the actual prevalence of data breaches in Europe.

Privacy Complaints Spike

Last year after GDPR went into full effect, the DPC received 2,864 privacy complaints. Under GDPR, as with prior European privacy rules, any European can file a complaint with their country's privacy watchdog if they believe that their personal data has been misused.

Excerpt from the General Data Protection Regulation

For all of 2018, the DPC said it received 4,113 privacy complaints, which was a 56 percent increase from 2017 (see: GDPR Effect: Data Protection Complaints Spike).

"The rise in the number of complaints and queries demonstrates a new level of mobilization to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data," says Helen Dixon, Ireland's data protection commissioner.

Irish Regulator is Hiring

Given Ireland's status as the main EU establishment for so many overseas technology firms, the DPC says it's been continuing to expand.

"The Irish DPC has been in expansion mode for the past four years, and we are not stopping now," Dixon says. "Following a major recruitment campaign in 2018, 30 new staff had joined the DPC by the end of December, with a further 20 coming on board in January 2019, so that the DPC has grown to 135 staff. We will recruit an additional 30 staff this year in order to meet the demands of the tasks assigned under the GDPR and to deliver public value in what is an area of critical importance to society."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.