Twitter deadlock among EU watchdogs bodes ill for other Irish GDPR probes

21 Aug 2020 8:10 am by Vesela Gladicheva

Twitter

The clash over Twitter being fought out by Ireland's privacy watchdog and its EU peers suggests that more-complex upcoming probes of Facebook and WhatsApp may well suffer delays — and that there might be some gaps in the GDPR.

The Twitter probe centered on whether in early 2019, the social-media platform reported a data breach to the Irish authority within a 72-hour deadline — a fairly straightforward case. But it matters, because it's also the first Irish-led EU-wide investigation into a Big Tech company under the bloc's General Data Protection Regulation to make significant progress.

Other enforcers took the opportunity laid down in EU rules to weigh in, and ended up marking their territory. The upshot? Division over how best to wrap up the high-profile investigation, putting the resolution in deadlock. The final outcome of the case may not be decided before November.

Yesterday, the Irish DPC was forced to trigger a dispute-resolution mechanism provided by the GDPR for the first time. The mechanism is called into play when the watchdog leading an EU-wide investigation and regulators in other EU countries can't agree on the outcome of a probe.

That some national privacy regulators rejected the Irish Data Protection Commission's findings bodes ill for far more thorny probes pending at the authority. Agreement on its cases dealing with infringements of transparency and consent obligations, and data subject rights under the GDPR will be even harder to get from its counterparts across the EU.

One-stop concentration

The GDPR's "one-stop shop" mechanism is meant to provide clarity on who is in charge of a case when it involves a company with operations across the EU: the national regulator leads investigations into multinationals headquartered in its territory. But it has always attracted criticism for concentrating probes into Big Tech in Ireland, where the typically US companies involved tend to have their EU base.

Given that, the GDPR's dispute-mechanism provision, laid down in Article 65 of the rulebook, empowers other national watchdogs to have a say in the final outcome of cases.

Some of the more-active enforcers — such as those in Germany, Italy, Spain and Sweden, which prior to the GDPR would routinely conduct their own probes into tech giants — see this mechanism as their only opportunity to influence new attempts by data-heavy companies to circumvent the law.

It could be seen as a success that the first case to involve the GDPR mediation process has come after more than two years of applying the law. After all, regulators have collaborated to resolve successfully in 130 cross-border cases in the meantime.

What's different here, though, is that Ireland's draft Twitter decision in May was the first Big Tech decision since the GDPR took effect, and it was open for comment by any data protection authority in the EU.

Pending cases

Other Big Tech cases in Ireland may be in line, then, to meet the same fate as Twitter. Currently, the Irish DPC has 23 live investigations into multinational tech companies.

The second most-advanced case after Twitter is a probe into WhatsApp, a messaging app owned by Facebook since 2014. It looks at whether WhatsApp meets its transparency obligations under the GDPR to provide information to both users and non-users of the service.

The Irish DPC opened the case in 2018 as an own-initiative probe. That followed multiple complaints by users across Europe about transparency around WhatsApp's sharing of data with the Facebook family of companies and its handling of non-user data.

The DPC has also completed the investigation phase of one of eight probes into Facebook itself, this one prompted by a complaint from Austrian privacy advocacy group Noyb. The case focuses on Facebook Ireland’s obligations to establish a lawful basis for personal data processing in relation to Facebook’s terms of service and data policy for its users.

Another investigation into social-media platform Instagram, which also is a Facebook subsidiary, and a separate probe into WhatsApp are also making progress in Ireland.

The DPC had come under significant criticism from privacy advocates, including other EU privacy watchdogs, for taking too long to resolve its investigations into tech companies. Now those critics are likely turn their focus to national regulators beyond Ireland.

The next few months will shed crucial light for other companies in a similar situation to Twitter on how EU regulators will deal with privacy violations.

Related Articles