Ireland’s Data Protection Commission, the country’s privacy watchdog, announced on Friday that it’s submitted a draft decision on whether Twitter broke European privacy laws to EU supervisory authorities.
It’s one of multiple cases involving Silicon Valley tech giants that the Irish regulator is close to making final decisions on. Each case could result in big fines for the companies, or even an order that would require them to temporarily or permanently stop collecting and processing the data of European citizens.
The Twitter case involves an unspecified data breach, and looks at whether Twitter informed supervisory authorities quickly enough about the breach and whether it effectively documented the details of the breach. Twitter didn’t immediately respond to request for comment.
“In addition to submitting this draft decision to other EU supervisory authorities, we have this week sent a preliminary draft decision to WhatsApp Ireland Limited for their final submissions which will be taken in to account by the DPC before preparing a draft decision in that matter also for Article 60 purposes,” said Deputy Commissioner Graham Doyle in a statement.
The inquiry into WhatsApp Ireland is looking into the company’s compliance with Articles 12 to 14 of the GDPR, including transparency around what information is shared with Facebook, which owns WhatsApp.
The DPC said it has also completed the investigation into an inquiry about how Facebook processes personal data, and has now moved into the decision-making phase. In addition, it has sent draft inquiry reports to the complainants and companies concerned in two further cases, one involving WhatsApp and one involving Instagram, which also is owned by Facebook.
The announcements from the DPC come just three days before GDPR, which stands for the General Data Protection Regulation, is due to celebrate its. The sweeping privacy law is designed to protect and empower European citizens in the digital age, and is being used as blueprint for the development of privacy legislation all over the world. If companies or organizations are found to be in breach of GDPR, they can be issued fines of up to 20 million euros ($22.8 million), or up to 4% of their annual worldwide turnover, or be ordered to significantly alter their behavior.
Ireland is in charge of enforcing GDPR among all Facebook brands, as well as Twitter, Apple and Google, because all the companies have their European headquarters in the country. It has a combined 18 investigations open into the companies. The DPC made its first announcement about taking action on a GDPR inquiry last week, but rather than a multinational tech company, it was in relation to a local public agency.
Since GDPR came into force, only two fines have been issued to big tech companies — one for 51,000 euros to the German subsidiary of Facebook for not appointing a local data protection officer, and one to Google for 50 million euros by French authorities over Android, which doesn’t fall under the jurisdiction of Ireland.
Onlookers have been awaiting the Irish DPC’s decisions, which will be a test of GDPR’s power and which have the potential to challenge the business models of Silicon Valley’s most powerful companies.