February 5, 2019
Ireland, where many U.S. tech firms have European headquarters, is investigating Facebook in seven separate cases. Ireland’s data protection commissioner Helen Dixon reported that these probes are among 16 cases looking into Apple, LinkedIn, Twitter, as well as Facebook’s WhatsApp and Instagram. She added that the Irish and EU investigations are “centered on the activities of very big Internet companies with tens and hundreds of millions of users,” which would be “a very large factor when looking at the scale of a fine.”
Bloomberg reports that, “regulators throughout Europe are looking to increase the level of fines they issue under the EU’s new General Data Protection Regulation, which allow penalties as large as 4 percent of a company’s annual revenue.” Dixon said that the 50 million Euro ($57 million) fine against Google levied by the French was “not the last of them.” (Google has appealed the fine.)
In October last year, Facebook “became the first big test case under the EU new rules when the Irish authority opened a probe into a security breach that affected as many as 50 million accounts,” and a second probe was launched in December related to “other breach notifications.” Dixon said that the result of the Irish probes “are not trivial” and “will act as a precedent for the rest of the sector.” A final decision “is likely to be June or July in the bigger cases.”
Dixon revealed that, “many of the breach notifications [her] office has received since May 25 are related to coding errors,” which have resulted “in issues such as posts being made public that should have been private, or in a major breach.” She is also looking into Apple’s FaceTime glitch, which permitted eavesdropping, “to look at the circumstances in which the bug manifested itself and whether any users actually got affected.” Apple has been in touch, she said, but “we need a lot more facts.”
With GDPR regulations, a sanction and fine is required if a probe finds a rules violation, and Dixon said that, “if there are infringements that will have affected hundreds of millions of users potentially, then that is the certainty rather than the likelihood.”
A “very big punitive fine is a very useful tool,” she noted, but it won’t change behavior, which will require “using the new powers regulators now have, plus engaging more and educating oneself about these companies, their industry and technology.” The fact that the big tech companies are able to hire big lawyers only goes so far, she added.
“It does show the power that they have in terms of the size,” she said. “But we have all the cards in terms of the powers to investigate, to compel and ultimately to conclude and make findings.”