Facebook is subject to 10 major GDPR investigations

Two-thirds of the Irish Data Protection Commission's (DPC) ongoing investigations into multinational tech firms concern Facebook, and its subsidiaries WhatsApp and Instagram.

Mark Zuckerberg's social media company is subject to ten of 15 ongoing statutory inquiries the DPC has launched since the EU's General Data Protection Regulation (GDPR) came into force on 25 May, according to its annual report.

Seven of these investigations concern Facebook directly, alongside two separate probes into WhatsApp and one into Instagram. There are also two investigations looking into data practices at Twitter and Apple, and a further one looking at LinkedIn.

The DPC's inquiries into Facebook range in severity, from examining whether it has fulfilled a user's subject access request (SAR) to last September's devastating 'token hack' that affected three million EU users.

The token breach has itself warranted three separate investigations. These include two probes into whether the firm took organisational and technical measures to secure users' personal data and one into whether it notified the DPC within 72 hours as required by law.

"In 2018 the DPC opened inquiries into data-processing activities of Facebook, Apple, Twitter, LinkedIn, WhatsApp and Instagram, looking at issues ranging from large-scale data breaches to legal bases for processing to transparent presentation to users," the report said.

"All these inquiries should reach the decision and adjudication stage later this year, and it's our intention that the analysis and conclusions in the context of those inquiries will provide precedents for better implementation of the principles of the GDPR across key aspects of internet and ad tech services."

This is the DPC's first annual report since the rollout of GDPR, and covers the period between 25 May and 31 December 2018. It's likely that future reports will cover full calendar years.

The regulator says its role in governing large multinational companies since GDPR came into force has "changed immeasurably", mostly due to its status as the lead supervisory authority for cross-border investigations.

This is partially due to GDPR's 'one-stop shop' principle, whereby one authority takes the lead on investigations, and the fact that a plethora of tech companies have based their headquarters in Ireland.

On a wider level, the number of data complaints received in the 12 months of 2018 rose by 56% against 2017, a total of 4,113 versus 2,642. The number of data breaches recorded during 2018 similarly rose 70% against the previous year, 4,740 against 2,795.

The one-stop shop mechanism also saw the DPC receive 136 cross-border data processing complaints since GDPR came into force.

The DPC has also held consultations with a broad range of companies on clarifying aspects of the law with relation to their data processing activities.

This includes Google on processing location data, Facebook on transferring data from third-party apps to itself, and Microsoft on processing telemetry data collected by its Office products. WhatsApp has also requested engagement on sharing personal data of users with Facebook and other companies.

"The rise in the number of complaints and queries demonstrates a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data," data protection commissioner Helen Dixon said.

"Although we are still in the stage of having to bust some myths and misunderstandings that have built up around the GDPR, we feel very optimistic about the improvements we will see in Ireland in personal-data-handling practices over the next few years."

Facebook was only recently given a dressing down by the UK's Information Commissioner's Office (ICO) for its role in sharing data with Cambridge Analytica between 2007 and 2014. Since the violations occurred prior to GDPR's conception, the ICO could only issue the maximum £500,000 fine the Data Protection Act (DPA) 1998 allowed.

Facebook was just one of 30 organisations being investigated as part of the ICO's wider probe into the use of data in political campaigns, although this investigation also largely concerned alleged violations of the DPA 1998.

The ICO has not released an annual report in the same way as the Irish DPC has, covering the period since GDPR came into force. Rather, the UK data regulator released its previous annual report in July 2018, covering the financial year 2017/18, and is expected to do so again in 2019 for the subsequent 12-month period.

IT Pro asked the ICO whether it would be publishing a GDPR 'update' but did not get a response at the time of writing.

Keumars Afifi-Sabet
Features Editor