Ireland's Big Tech GDPR probes likely to get flak from other EU regulators, Dixon predicts

Forthcoming Irish decisions over Facebook, Twitter and other Big Tech companies for violations of EU privacy rules may well spark disagreement and "reasoned" demands for reappraisal from other regulators in the bloc, Ireland's top privacy watchdog expects.

In each case, that could cause an "intense period" of work, Irish Data Protection Commissioner Helen Dixon told MLex in a wide-ranging interview coinciding with the release of the regulator's annual report.

Dixon also told MLex that dozens of Irish companies in the finance, retail, media and other industries that were subject to a "cookies" sweep last year could face enforcement action if they fail to bring their websites into compliance as requested.

Unknown outcomes

Other national privacy watchdogs in the EU will be entering uncharted territory, Dixon said, once the Irish Data Protection Commission, or DPC, starts sharing the draft decisions on its probes with them, as prescribed by the General Data Protection Regulation for cross-border cases that affect citizens in more than one member state.

That process may need to involve a lot of back and forth among regulators, protracting the probes and meaning that in many of the Irish DPC's cases the final outcome may not be known until well into next year. "As we are experiencing with everything to do with the process of decision-making over cross-border cases, it's going to be very difficult to know how the process will pan out," Dixon said.

The process will put to the test enforcers' willingness to work together to reach consensus on appropriate sanctions. Since the GDPR took effect in May 2018, only three cases — in Lithuania and Malta, where the highest fine imposed was 62,000 euros — have partially trialed the "one-stop shop" mechanism specified under Article 60 of the GDPR. That's the system of cooperation between the authority leading the investigation and other "concerned" regulators — those that have a stake in the probe due to violations in their jurisdiction.

In contrast to these examples involving limited jurisdictions, Dixon said, "when we put through our first Article 60 decisions, every authority will be a concerned data-protection authority [DPA]. So we can anticipate that that could give rise to more relevant and reasoned objections, simply on a volume basis, due to the fact there are more DPAs involved."

Big Tech probes

Under the GDPR, which allows enforcers to levy fines of up to 4 percent of a company's annual global turnover, investigations involving more than one EU country are led by the regulator in the country where the business involved has its main establishment.

For the Irish DPC, this means a potentially giant caseload. It is responsible, among others, for the EU operations of large tech companies including Airbnb, Apple, Google, Microsoft, Facebook and its subsidiary WhatsApp. It currently has 23 live probes into Apple, Facebook, Google, Instagram, LinkedIn, Quantcast, Tinder, Twitter, Verizon Media and WhatsApp.

Two cases have reached the decision-making stage: that into Twitter, over a data breach arising from a bug in its Android app, and another one into WhatsApp, over transparency around sharing of data with the Facebook family of companies and its handling of non-user data.

Objections

Once Dixon finalizes her draft decisions and fines, she will forward them to her counterparts through their umbrella group of privacy watchdogs, the European Data Protection Board. The regulators will have four weeks to voice their views, including any "relevant and reasoned objections" to Dixon's decisions.

If she disagrees with the objections, the board is summoned as a mediator to adopt a binding decision on the Irish DPC, within two and a half months at most, via a voting system. The lead regulator will then have a month to adopt its final decision on the basis of the board's decision.

"It's possible there will be quite a volume of work for me in that four weeks that DPAs have to raise relevant and reasoned objections," Dixon said. "I and my support team here in Dublin will have to consider all of those very carefully and adopt them as we deem appropriate. That will be an intense period, where I will have to set aside time to deal with what I can anticipate will be at least some volume of commentary, and potentially relevant and reasoned objections coming through."

Dixon said it was impossible to predict at this stage whether she would need to trigger the GDPR's dispute-resolution mechanism, available if disagreements among national regulators surface and can't be resolved. "We will have to take it step by step," she said.

Cookie sweep

Irish companies operating in a string of industries have also been subject to scrutiny by Dixon's office, with a notable "cookie" sweep last year examining the websites of around 40 businesses in insurance, retail, sports, restaurants, food delivery, media and publishing.

The audit analysed the companies' compliance with the GDPR and another EU law on keeping communications confidential in how their websites collect data from visitors through online cookies and other tracking technologies, and how they obtain the consent of users for the use of cookies.

On the outcome of the sweep, Dixon told MLex that the exercise won't result in direct enforcement, despite only two of the examined businesses getting a "green" traffic-signal rating from the DPC. The rest received a "red" or "amber" label, she said. "What that shows is that there is a need for more consistent and clear guidance in this area. And we want to issue that first." The Irish DPC has previously said it would present such guidance by the end of March.

But companies may still face enforcement action, Dixon warned.

"We are also discussing internally, off the back of the [sweep] report, a further strategy of going back individually to the websites that we did examine, and making directed suggestions as to the deficits that we have found, and requiring them to bring their websites into compliance. We may then enforce if that isn't forthcoming," Dixon said.

"The follow-up actions we take in relation to those websites may give rise to enforcement action if there is no voluntary compliance. We will be giving them very targeted guidance."

The Irish DPC's work on cookies is its starting point for looking at the deeply ingrained issues surrounding practices of advertising technology and online behavioral advertising today, which many see as fraught with potential GDPR violations.

With its formal investigations into Apple, Facebook, Google, LinkedIn and Quantcast zooming in on real-time bidding and behavioral advertising, Dixon's office is targeting adtech "from a variety of different perspectives," she said. That's "painstaking work," given that "the GDPR did not create any explicit prohibition on online behavioral advertising … We're going to have to wait for the results of these inquiries and see what it adds up to."

The Irish DPC's investigations into adtech are some of its most complex cases, meaning the numerous companies involved in adtech and behavioral advertising will continue operating with legal uncertainty for some time to come.