DUBLIN (Reuters) - The first draft decisions by Ireland’s data privacy regulator on probes into some of the world’s biggest technology firms will go for consultation with other EU regulators this year, the lead watchdog for the bloc said on Thursday.
Ireland hosts the European headquarters of a number of U.S. technology firms, making Ireland’s Data Protection Commission (DPC) the EU’s lead regulator under the General Data Protection Regulation’s (GDPR) “One Stop Shop” regime introduced in 2018.
The new rules give regulators the power to impose fines for violations of up to 4% of a company’s global revenue or 20 million euros (17 million pounds), whichever is higher.
In its annual report, the DPC said two of the 21 inquiries it had open into big tech firms by the end of 2019 had moved from the investigative stage to the decision-making phase.
They related to a 2019 investigation into a bug in Twitter’s (TWTR.N) Android app, where some users’ protected tweets were made public and a 2018 probe into the transparency of WhatsApp’s data sharing with Facebook (FB.O) and its fellow subsidiaries.
Facebook has come under most scrutiny since the new rules came into force in mid-2018 with eight individual probes, plus two into WhatsApp and one into Facebook-owned Instagram.
Twitter and Apple (AAPL.O) are subject to three inquiries each. Google (GOOGL.O), Verizon Media, Microsoft (MSFT.O) owned LinkedIn and U.S. digital advertiser Quantcast made up the rest of the cross-border investigations at the end of last year.
The DPC has since launched a second inquiry into Google, relating to its processing of location data, and a first probe into the Match Group Inc’s (MTCH.O) Tinder dating app.
Under GDPR, the DPC must share its draft decision with all concerned EU supervisory authorities and consider their views in its final verdict. Each of the bloc’s regulators may be called on for a majority decision if agreement cannot be reached among the relevant member states.
A report last month showed European regulators had imposed just 114 million euros in fines for data breaches since GDPR came into force.
The DPC defended the process, saying there would be little benefit in mass producing decisions only to have them overturned by the courts.
“A new legal framework and one that contemplates very significant penalties is always going to take time to implement correctly,” Helen Dixon, the head of the DPC, said in the annual report.
“But have no doubt that intensive work is underway.”
Reporting by Padraic Halpin; Editing by Lincoln Feast.