No tech firm data breach fines likely this year as DPC tempers expectations
The Irish Data Protection Commissioner expects decisions on investigations into Twitter and WhatsApp by the end of the year, but any resulting sanction or fine would not be levied for "months".
Data Commissioner Helen Dixon's office concluded its Twitter and WhatsApp investigations several weeks ago, and is currently formulating draft decisions, possibly with the inclusion of a sanction, fine or regulatory order for the companies to change their own processes.
The gap between final determination of the cases and any penalties is understood to be a function of the statutory examination processes, a spokeswoman for the DPC said.
The Irish regulator currently has 21 statutory enquiries running into multinational technology firms, the majority of which are into Facebook - or component companies such as WhatsApp or Instagram.
The investigation into WhatsApp concerns whether the division of Facebook has been transparent in how it provides information to both users and non-users of the service, including how WhatsApp passes data between itself and other Facebook companies.
The Twitter probe concerns a data breach notification from January of this year.
The Irish data protection authority is one of the most powerful data regulation bodies in Europe because of the multinational tech companies that choose to base their international headquarters here.
Under GDPR law, the Irish DPC can fine a company up to 4pc of its annual turnover.
Any fines for tech giants are likely to be high-profile.
In total, Ms Dixon's office currently has 61 statutory enquiries under way under Europe's GDPR law, 21 of which are focused on multinational tech firms.
These include Facebook (8), Twitter (3), Apple (3), WhatsApp (2), Instagram (1), Google (1), LinkedIn (1), Quantcast (1) and Verizon Media (1).
Ms Dixon told the American publication 'Fortune' that final results in relation to the WhatsApp and Twitter decisions were unlikely before the end of the year, despite her office's draft decisions being expected within weeks.
Ms Dixon's spokeswoman said that the decisions needed to be circulated among EU peers before the final effect of any sanction or fine could occur.
"We cannot take any shortcuts," Ms Dixon told the publication, adding that the companies affected could choose to legally contest the findings.
Earlier this year, Ms Dixon told the Irish Independent that it would likely take "months" to arrive at a formal decision due to a statutory process of "examination and analysis".
"I'd like to say that we could do it in 48 hours, but it has to be in the order of months to be done in the way that it has to be done," she said.
"I will have to allow them a period of time to respond. I would have to consider their responses."
Earlier this autumn, US authorities fined Facebook $5bn for data privacy failings in the largest settlement of its kind to date.
However, Ms Dixon said that while the Irish office was prepared to use the "scope" of the GDPR's maximum 4pc fine structure, the EU process was different to the American one.
"We're not really looking at $5bn or what the FTC (Federal Trade Commission) has done," she told the Irish Independent's Big Tech Show podcast.
"We've got to look at this fairly under the legal framework that we have."
She added: "One criticism of the FTC's decision is that it has done nothing to change Facebook's business model or the way that Facebook will handle personal data.
"The decisions that we make here have to have an impact in terms of punishing any contraventions and providing a precedent for others in terms of how we say the GDPR must be applied."
Ms Dixon said that another decision, into Garda surveillance techniques using CCTV cameras and identification of car licence plates, is also nearing a final result.