In the past two months, Ireland’s Data Protection Commission has threatened Facebook with two important investigations. First, in April, the regulator launched an investigation into a potential data breach by the tech giant, which resulted in information from 533 million users worldwide being exposed in an online forum.
Then in May, the commission announced that it was resuming a probe into Facebook data transfers. This could potentially result in a ban on Facebook transferring users’ personal data from the European Union to the United States.
The cases arise under the EU’s “gold-standard” data privacy law, the General Data Protection Regulation, or GDPR. If you live in Europe, you’re most likely to recognise GDPR from the cookie banners and privacy policies that pop up when you visit websites.
What is GDPR?
GDPR is meant to protect data rights. In the EU these include the fundamental rights to privacy and data protection. It also ensures the free flow of information within the EU. Before the adoption of GDPR’s predecessor, the 1995 Directive, member states tried to block data transfers within the EU. GDPR prevents this.
The legislation applies to businesses large or small and even to certain public institutions. However, regulators have indicated that compliance by very large firms, like Facebook, will be monitored as a priority.
GDPR requires firms to have a legal basis for processing personal data. Companies must ensure the security of personal data that they process, and they are also required to provide users with the right to access their own information.
GDPR limits data exports to countries that provide an adequate level of legal protection. Otherwise, another safeguard must be provided, such as the adoption of contractual clauses approved by the EU. Companies are held accountable for compliance and must be able to demonstrate this to regulators at any time.
These contractual clauses give EU data subjects rights similar to those they have under EU legislation. However, an important European Court of Justice decision called Schrems II, handed down in July 2020, means that companies required to cooperate in US mass surveillance programs may not use such clauses. This includes Facebook.
Ireland under fire
These developments have occurred in an environment where the Irish data regulator is coming under fire.
Greater pressure is being put on the country to act against the tech giants. Under GDPR, the Irish Data Protection Commission is the lead regulator for many of these companies, because they have their main EU establishment in Ireland. Google, Microsoft and Twitter are all based there, along with Facebook.
As of today, Ireland has only fined one big tech company, Twitter, for the relatively low sum of €450,000, for failing to reveal a data breach to affected users within 72 hours of discovering it. GDPR allows for maximum fines of either €20 million or 4% of turnover, whichever is higher.
The Irish failure to enforce GDPR in the past has done more than raise eyebrows in Brussels and Strasbourg. The EU parliament has started to apply political pressure as well.
In March, the parliament adopted a resolution expressing concern about the Irish regulator’s sluggish approach, also complaining that most cases are closed with a settlement instead of a sanction. On May 20, the parliament voted in favour of a new resolution, demanding that the European Commission begin infringement procedures against Ireland for failure to enforce GDPR. While those resolutions were not binding, they signal political pressure being applied on the commission and Ireland.
The Facebook cases serve to test the Irish regulator’s seriousness, and that of GDPR. According to our research, the failure to take effective action when warranted harms the deterrent effect of GDPR. To encourage companies to comply, regulators must provide effective enforcement. This may be through imposing a sufficiently severe fine to deter others.
Insignificant fines send a signal that violations are not taken seriously. If Facebook has violated GDPR, the Irish regulator should throw the book at it. As fines for Facebook could run into billions of euros based on the 4% rule, there is room for significant action here, if it’s warranted.
A serious penalty would give Facebook and other big tech companies reason to take the necessary measures to comply with GDPR. This includes ensuring adequate data security, respecting data transfer restrictions and avoiding future data breaches. And if regulators don’t act on such breaches, the European Commission will need to.