Irish data protection commissioner opens investigation into Verizon Media

The Irish data protection commissioner has opened an investigation into Verizon Media, formerly called Oath, which owns online properties such as Yahoo and the Huffington Post.

The investigation comes on foot of complaints across the EU related to the company’s use of online cookies.

Helen Dixon’s office is overseeing the investigation as the company’s EU headquarters is based in Dublin.

“It’s specifically into transparency issues in relation to publications operated by the company,” Ms Dixon told Independent.ie. “There were more 38 complaints redirected to us by other EU data protection authorities. Those authorities were in receipt of a significant volume of complaints from individuals specifically relating to services by media sites.”

Other online properties owned by Verizon Media include Techcrunch, Engadget and AOL. It is currently in the process of selling the social media platform Tumblr to Automattic, which owns Wordpress.

She said that some of the complaints related to when “effectively there’s no choice when cookie banners are offered. The only option seems to be to click okay”.

Ms Dixon also said that her office’s first major GDPR decision relating to a multinational tech firm looks set to be about Whatsapp.

“I expect that file to land on my desk in the next fortnight,” she said.

However, it is then likely to take “months” to arrive at a formal decision due to a statutory process of “examination and analysis”.

“I'd like to say that we could do it on 48 hours, but it has to be in the order of months to be done in the way that it has to be done. I will have to allow them a period of time to respond. I would have to consider their responses.”

The WhatsApp investigation is examining whether WhatsApp has “discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s services, including information provided to data subjects about the processing of information between WhatsApp and other Facebook companies”, according to the DPC’s office.

Ms Dixon’s office currently has 61 statutory enquiries under way under GDPR law, 21 of which are focused on tech multinational firms. These include Facebook (8), Twitter (3), Apple (3), Whatsapp (2), Instagram (1), Google (1), Linkedin (1), Quantcast (1) and Verizon Media (1).

Under GDPR law, the Irish DPC can fine a company up to 4pc of its annual turnover.

Earlier this month, US authorities fined Facebook $5bn for data privacy failings in the largest settlement of its kind to date.

However, Ms Dixon said that while the Irish office was prepared to use the “scope” of the GDPR’s maximum 4pc fine structure, the EU process is different to the American one.

“We're not really looking at $5bn or what the FTC has done,” she said.

“We've got to look at this fairly under the legal framework that we have. One criticism of the FTC’s decision is that it has done nothing to change Facebook’s business model or the way that Facebook will handle personal data.

"The decisions that we make here have to have an impact in terms of punishing any contraventions and providing a precedent for others in terms of how we say the GDPR must be applied.”

Ms Dixon said that another decision - into Garda surveillance techniques using CCTV cameras and identification of car licence plates - is nearing a final result, having been passed from the DPC’s investigation team to Ms Dixon last month.