Move slower and don't break things: Facebook is feeling the Irish DPC heat

In all, the Irish Data Protection Commissioner now has 10 statutory inquiries into Facebook, representing more than a fifth of all such inquiries and two-thirds of its probes into multinational firms. These include probes into WhatsApp and Instagram, subsidiaries of the social media giant.

And they take into account last September's so-called 'token breach', where up to five million Irish and European users were affected with some 30 million accounts worldwide put at risk of being hacked. Under the EU's new GDPR rules, Facebook faces a fine of more than €2bn in a worst-case scenario.

It's not just the social media giant that is under scrutiny - there are over 40 active investigations, including many into local authorities. But Facebook is the gorilla in the room.

Is this a coincidence? Or is Mark Zuckerberg's firm genuinely at the forefront of data privacy problems in our lives? I talked to Dixon about the issue, together with more general challenges faced by the Irish Data Protection Commission.

Adrian Weckler [AW]: Do you think it's significant that 10 out of 15 of your big new inquiries under GDPR relate to one company, Facebook?

Helen Dixon [HD]: We have reacted to the circumstances that have arisen. We couldn't have predicted last September that Facebook was going to notify the massive token breach that they did. So that is entirely circumstantial.

Similarly, on the 25th of May 2018, the day that the GDPR applied, the new NGO, None Of Your Business, headed up by Max Schrems, launched complaints with European regulators on Instagram, Facebook and WhatsApp.

Those complaints were about very fundamental first principles under GDPR which raised issues for every user on the platform. And so in those circumstances, it kicked-off an inquiry on our part.

So, in large part, we've been led in that direction by the circumstances that have arisen. There are undoubtedly areas of high risk we will need to focus on outside of the internet companies. But this is what has shown up in terms of significant breaches complaints about systemic issues in the first seven months.

AW: When you're thinking of initiating an inquiry into a big multinational firm like that, what are the factors you take into account? How do you choose which ones to pursue?

HD: There are lots of inputs that we consider. We're obliged to look at every complaint we receive from individuals. When they look like they relate to something that could be an issue that affects more than the one individual, that may trigger the launching of an inquiry.

The other feed that we have are breaches.

With the mandatory breach notification requirement in the GDPR, we're seeing evidence of large volumes of breaches that are now be notified to us.

In the seven months since GDPR has applied, the big tech companies in particular have notified us of very large-scale breaches that have affected tens of millions of users in some of the cases.

So a very big breach of the nature of some that have been reported may well trigger us to use the limited resources that every Data Protection Authority has and take on a full-scale inquiry.

We get leads by other means as well. Sometimes the European data protection authorities bring issues to our notice. The media, of course, is very important in digging out issues.

AW: Do you feel pressure to launch an inquiry into a company like Facebook? After all, that company has arguably been at the centre of the most criticism, especially by media companies, in the last two years. Has that played any part?

HD: No. It can't influence our decision. If you look objectively at the facts, Facebook is a massive platform. So it's always going to be in scope.

As to whether it was predictable that the NGOs were going to lodge complaints in respect of Facebook companies out of the blocks, that probably was foreseeable.

But again, we have an obligation to handle complaints. And by any objective standard, when we receive a complaint that relates to issues that are going to affect, as I said, many millions of users, then it's appropriate that we apply resources to it.

So, no. I mean, there's a huge amount of Facebook coverage, as you say. If we were to make the inquiries that we open directly proportional to that, probably all of our inquiries [would be about Facebook]. We have 48 inquiries that we opened last year post application of the GDPR. So a proportion of them are Facebook, but it's less than a quarter actually.

AW: Are relationships with Facebook good?

HD: We've always had a position that GDPR will never be successfully implemented unless there is a constant and evolving dialogue between regulators and the regulated entities.

It's a principles-based law that has been designed deliberately so that it can stretch to cover any sector and any scenario.

But that requires that there is dialogue.

Regulators need to understand the real-world scenarios of companies and public sector bodies and voluntary organisations and then come to solutions that are in the best interests of consumers and data subjects. So when you ask about relationships we're very focused on keeping dialogue open.

But of course, our relationship now with some of the bigger entities and the internet companies that we regulate is multifaceted in a way that it wasn't before.

So while we still have meetings around potential future product launches to understand what the issues and risks for data subjects might be, equally we are having more correspondence in the context of statutory inquiries.

But the relationship still has to be there one way or the other.

AW: When big tech firms show you a product before it's launched, is it ever the case that they change or ditch it if your office says it won't fly?

HD: It is. We had a consultation with a company just last week that notified us of a product implementation that they were planning for the EU for next month.

On foot of concerns we expressed about the approach they were taking to rolling it out in the EU, they have decided to delay it pending further engagement so that we can satisfy ourselves that they followed a process that has allowed them to assess the risks to subjects in the EU.

That's not an unusual occurrence. Because often what we're calling out is that they have taken shortcuts themselves.

AW: Has Facebook come back with any update on plans to share data between it and WhatsApp?

HD: WhatsApp's pause on sharing data with Facebook for the purposes of friends, suggestions, and ad serving and product enhancements remains in place.

We actually have a specific statutory inquiry open, looking at the transparency that WhatsApp delivers to users. Part of that investigation is looking at the way that they wrote up the privacy policy in anticipation of the application of the GDPR and how they've expressed the provisions around data-sharing with Facebook.

AW: There has been non-stop speculation that Facebook, or other social media firms, secretly listen to our conversations for the purposes of serving us ads. Has your office ever investigated this?

HD: Nobody's ever contacted us and asked us specifically, but I have asked my technical team to look into the issue because we hear the same commentary.

We established a new technology leadership unit within the DPC. What that unit has said to me is that it would be very difficult to set up lab tests to fully test it.

So while we haven't set up such a lab test ourselves, they have looked at research done by researchers and academics who have looked at this question.

They're satisfied that there doesn't appear to be evidence to support the idea. It's an interesting one, though.

AW: Does this office have enough resources?

HD: Our budget for 2019 is €15.2m. We brought on board 25 staff last year and recruited an additional 25, who started last month. So there's huge expansion in our resources.

That's commensurate with the tasks that we have, under the GDPR. With the extra budget we now have for 2019, we'll recruit a further 30 specialists, more technologists, more trained investigators, more communications and media staff and so on.

So we are now in the top tier of highly resourced data protection authorities in the EU. Of course, the reality is that any Data Protection Authority globally is limited in its resources.

AW: One recurring theme in the DPC's annual reports is privacy versus security. You're looking at CCTV and other surveillance issues in local authorities.

But what about private estates and the growth of smart home products like Nest outdoor cameras or the Ring doorbell, which videos and photographs people who come to the door?

HD: The Court of Justice of the European Union has clearly said that where a homeowner operates a CCTV system they can operate it under the household exemption.

This is the exemption we all have as individuals to administer to our family and friends and private life without becoming subject to obligations under data protection law.

But that's provided the CCTV is trained only within the limits of the perimeter of your own home.

Homeowners in Ireland that are operating schemes that are more expansive and which are scanning public areas outside of their homes either need to tailor where those cameras are trained or assume the obligations of a data controller.

AW: So with a Ring doorbell, if somebody is in your driveway or outside your door, that's okay. But if it activates because somebody across the road is getting into their car, then data protection law kicks in?

HD: That's right. In that case, that householder is assuming the obligations of a data controller. They would have to provide clear notice that they are surveilling the public area.

They would also have to allow the neighbour across the road rights of access to their image into the personal data that they're recording and so on.

We get an awful lot of queries about this into our front-line service. Essentially, cameras should be trained within the perimeter of your own home.

AW: Is it fair to say that GDPR has made browsing websites disruptive, with so many increased pop-ups?

HD: There seems to be quite a bit of melodrama around this issue.

The answer we would give is that we are supervising the most innovative companies in the world, companies that make a lot of money out of user experience on apps and the internet.

They're monetising personal data with the skills they have around innovation. We think there must be a way of integrating what is the fundamental rights of individuals to know what has been done with their personal data.

I don't think it's true that the international experience of users on apps is that they're being ruined or slowed down.

But if there is any assertion of this, we shouldn't look to the GDPR in assigning blame. We should look to innovative companies and say: 'Find us a better way of delivering on our rights and our experience'.

AW: But hasn't it defeated the purpose of trying to inform people about what they're consenting to? Don't people now just tap and click blindly to get past the constant pop-ups?

HD: You bring up a good issue. Notice and consent aren't the only ways of legitimising collection and processing.

Many industry groups argue that there is perhaps an overemphasis on consent being the most superior of the legal bases under GDPR, which it isn't. They're all equal. Of course, consent must be relied on, typically in cases where special categories of personal data are going to be processed, like health data, biometric data or political data.

So one of the questions that we are going to be looking at in some of the big inquiries that we've now opened under the GDPR is around this.

Is it objectively the case that an organisation must ensure that a user has read the notice, or is it sufficient that organisations meet a certain standard that it is readable and usable?

And is it the concern of the organisation whether someone reads it or not, once the organisation has met that standard?

I know that if any one of us was to read the full privacy notices on the average websites and apps we interact with, it would take 76 days a year. And so there are question marks there.

On the other hand, the law does provide for the new legitimisation of processing using transparency and consent.

AW: And what about the complaint that others such as former Yahoo and Facebook executive Alex Stamos makes that GDPR has actually made it smoother for the biggest corporations, with their compliance teams, and harder for small outfits and startups that aren't as well resourced?

HD: I don't think there's any evidence to support that contention. As to whether the bigger internet companies with their privacy teams and all of the resources that they can bring to bear have successfully navigated the obligations of the GDPR, and that it's to their advantage, remains to be seen.

You've seen from the annual report that we launched 15 inquiries related to big tech companies looking at very fundamental principles under the GDPR.

They're into transparency and whether the requirements of the quality of consent is sufficient.

They're also looking at technical and organisational measures around security.

So we're certainly not at a point where we can concur with that statement that they've navigated it successfully.

To hear a podcast interview between Adrian Weckler and Helen Dixon, donwload or stream The Big Tech Show at independent.ie/podcasts or on Soundcloud or on most popular podcasting apps

Dublin DataSec 2019, Ireland’s data protection conference, takes place on April 30. For further information and tickets click here. It is an Independent News & Media event.