Monday, May 25 marked the second anniversary of the General Data Protection Regulation (GDPR) coming into force. While some companies have been issued with large penalty notices (most notably some £280 million of combined fines for hotel chain Marriott and British Airways, although this may be reduced in a final decision), tech giants Facebook and Twitter have so far not been the subject of any major decisions.
Facebook was fined in 2018 by the UK Information Commissioner’s Office (ICO) for failing to protect its users’ data from being harvested by application developers on its platform. As the case predated the introduction of the GDPR, the fine was issued under the Data Protection Act 1998, which limits fines to £500,000, an amount that many argued was a trivial sum for the online giant. Information Commissioner Elizabeth Denham pointed out at the time that the fine would have likely been much larger under the GDPR, which sets a maximum of the higher of two options: €20m (£17.8m) or 4% of yearly global turnover.
With many tech companies choosing to base their European operations in Ireland, the Irish Data Protection Commission (DPC) is the lead body tasked with investigating complaints against many tech companies, but given the Europe-wide presence of technologies like social media, it also needs to coordinate with regulators in other affected countries.
It now looks like the Irish DPC is edging closer to issuing its first major cross-border decision with its announcement that it has circulated a draft decision about Twitter’s operations to other regulatory bodies for review. The decision came just a few days before the GDPR’s second anniversary, which is possibly no coincidence. Other data regulators can now put forward any objections they have about the decision so long as they have a reasonable basis.
The DPC has previously indicated it would make progress in cross-border decisions early this year, but navigating new processes like the one-stop shop for regulation appears to have slowed it down. It also has a huge workload, with over 20 such current investigations. Progress is being made, though, as indicated by Graham Doyle, the deputy commissioner, in a statement from the DPC:
“In addition to submitting this draft decision to other EU supervisory authorities, we have this week sent a preliminary draft decision to WhatsApp Ireland Limited for their final submissions which will be taken into account by the DPC before preparing a draft decision in that matter also for Article 60 purposes. The inquiry into WhatsApp Ireland examines its compliance with Articles 12 to 14 of the GDPR in terms of transparency including in relation to transparency around what information is shared with Facebook.”
Of course, not everyone has the resources of Facebook or Twitter, but at Pro-Networks, we can still help you ensure compliance with the GDPR through our managed IT support services. Not only will you stay on the right side of the ICO, but your organisation will also benefit from a culture of sound practices and enhanced cybersecurity, which in turn earns the trust of customers.