The Irish Data Protection Commissioner has given the clearest signal yet that huge fines may be imposed on technology multinational firms under investigation here.
Speaking to the Irish Independent, Helen Dixon indicated that her office has recently hired specialist lawyers to advise on the scale of punitive financial measures to be imposed on technology multinationals.
A US decision to fine Facebook $5bn (€4.6bn) last year will be a "relevant" gauge in Europe's response and fines are an "inevitability", she said.
"A very relevant factor in terms of what quantum will create deterrence is the level of fines already existing globally in the area," she said of the US fine.
"So if you ask whether the FTC [Federal Trade Commission] fine is relevant, it is. Under the GDPR, deterrence is a particularly important reason why the fines are included. They could have stopped at the corrective measures. But the fines are there to be punitive and give rise to deterrence. And deterrence is based on what's already in the [fine] landscape."
Ms Dixon said the specialist legal expertise on fines was not for any one case.
"We've taken it on not by reference to any particular inquiry," she said. "But a fine is an inevitability at some point."
However, Ms Dixon declined to say when fines would occur or to give the timing of her office's first major decisions.
Her office has previously said the first decisions would be related to WhatsApp (owned by Facebook) and Twitter.
The Irish DPC has faced criticism from German privacy regulators for a "slow" pace of decision-making. Ms Dixon rejected that, saying the Irish office must be scrupulous in ensuring decisions are protected from legal challenges, especially large fines.
She also defended the resourcing of the Irish DPC office, saying that it had scaled up "as fast as we could".
The Irish office has 23 separate statutory inquiries under way into tech multinationals under GDPR law. Facebook represents the majority of the cases, through its subsidiaries Instagram and WhatsApp. Apple has three open inquiries, while Twitter, Google, Verizon and Quantcast are also being investigated.
The Irish data protection agency is one of the most powerful data regulation bodies in Europe because of the tech multinational companies with international headquarters here.
The Irish DPC can fine a company up to 4pc of its annual turnover.
Ms Dixon was speaking as the Irish DPC released its annual report. In 2019, Ms Dixon's office received 6,247 data breach notifications, a 71pc increase on the year before. There were 7,215 complaints logged with the privacy watchdog, up from just over 4,000 in 2018.
Meanwhile, the European Commission has outlined separate plans around a raft of digital market reforms, including steps to rein in the data controlling powers of tech giants like Google, Facebook and Amazon.
In a move to check the power of large online platforms, the commission is considering introducing rules to stop companies imposing conditions for access and use of data, or benefiting from this in a disproportionate manner.
It also wants to create a single European market for data, in a bid to catch up with Silicon Valley and state-backed Chinese heavyweights.