Tag: Irish Data Protection Commission

Irish DPC launches investigation into Facebook data leak

26. April 2021

On April 14th, 2021, Ireland’s Data Protection Commission (DPC) announced it launched an investigation into Facebook’s data leak reported earlier this month (please see our blog post here). The inquiry was initiated on the Irish DPC’s own volition according to section 110 of the Irish Data Protection Act. It comes after a dataset of 533 million Facebook users worldwide was made available on the internet.

The Irish DPC indicated in a statement that, “having considered the information provided by Facebook Ireland regarding this matter to date, the DPC is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data”. The Irish DPC further stated that they had engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance, to which Facebook Ireland furnished a number of responses.

The launch of an investigation by the Irish authorities is significant due to the fact that Ireland remains home to Facebook’s European headquarters. This means the Irish DPC would act as the lead regulator within the European Union on all matters related to it. However, Ireland’s data watchdog has faced criticism from privacy advocates for being too slow with its GDPR investigations into large tech companies. In fact, the inquiry comes after the European Commission intervened to apply pressure on Ireland’s data protection commissioner.

Facebook’s statement on the inquiry has been shared through multiple media, and it has announced that Facebook is “cooperating fully with the DPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps and we look forward to explaining them and the protections we have put in place.”

Irish DPC to assess TikTok’s plans for opening Data Centre in Ireland

13. August 2020

The short video app TikTok is planning to establish a data centre in Ireland under the One Stop Shop (OSS) data processing mechanism, the Irish Data Commission has stated.

However, the company needs to first be assessed to determine if they meet the requirements of the OSS.

The OSS rules, introduced under the General Data Protection Regulations (GDPR) rules, mean companies can make the Irish Data Protection Commission the lead supervisory authority, if they meet the criteria, and would not have to deal with regulators in each of the 28 EU member states but could be monitored by a lead regulator in one state. This would benefit the company in the case that if something happens, it would be one investigation, one decision and one appeal, rather than one for each country affected.

These plans come at a time when the popular app is facing some criticism, however. Not only is TikTok on the verge of being banned in the United States, a lot of doubts in regard to their handling of user data have surfaced in the past few months.

Last week in Beijing, the Beijing Internet Court ruled against TikTok’s owner Tencent Holdings in cases alleging the misuse of user data. The data was shared without consent between the WeRead and WeChat apps, violating the users’ privacy.

The move to establish a data centre in Ireland “will create hundreds of new jobs and play a key role in further strengthening the safeguarding and protection of TikTok user data with a state of the art physical and network security defense system planned around this new operation,“ stated Global Chief Information Security Officer of the company, Roland Cloutier.

Following the moves of big tech giants of recent years, TikTok plans to open the data centre by the year 2022. The Irish Data Protection Commissioner stated that the examination for the OSS mechanism is currently underway.

Irish Data Protection Authority investigates Google’s processing of location data

6. February 2020

The irish data protection authorty (namely The Data Protection Commission (DPC)) is, in its role as Lead Supervisory Authority, responsible for Google within the European Union.

The DPC startet a formal investigation into Google’s practices to track its user’s location and the transparency surrounding that processing.

Following a number of complaints by serveral national consumer groups all across the EU, the investigation was initiated by the DPC.  Consumer organisations argue that the consent to “share” users’ location data was not freely given and consumers were tricked into accepting privacy-intrusive settings. Such practices are not compliant with the EU’s data protection law GDPR.

The irish data protection authority will now have to establish, whether Google has a valid legal basis for processing the location data of its users and whether it meets its obligations as a data controller with regard to transparency.

The investigation will add further pressure to Google. Google is facing a handful of investigations in Europe. The DPC has already opened an investigation into how Google handles data for advertising. That investigation is still ongoing. If Google is found not complying with the GDPR, the company could be forced to change its business model.

However, there are still a number of steps before the Irish DPC makes a decision including the opportunity for Google to reply.

Advocate General’s opinion on “Schrems II” is delayed

11. December 2019

The Court of Justice of the European Union (CJEU) Advocate General’s opinion in the case C-311/18 (‘Facebook Ireland and Schrems’) will be released on December 19, 2019. Originally, the CJEU announced that the opinion of the Advocate General in this case, Henrik Saugmandsgaard Øe, would be released on December 12, 2019. The CJEU did not provide a reason for this delay.

The prominent case deals with the complaint to the Irish Data Protection Commission (DPC) by privacy activist and lawyer Maximilian Schrems and the transfer of his personal data from Facebook Ireland Ltd. to Facebook Inc. in the U.S. under the European Commission’s controller-to-processor Standard Contractual Clauses (SCCs).

Perhaps, the most consequential question that the High Court of Ireland set before the CJEU is whether the transfers of personal data from the EU to the U.S. under the SCCs violate the rights of the individuals under Articles 7 and/or 8 of the Charter of Fundamental Rights of the European Union (Question No. 4). The decision of the CJEU in “Schrems II” will also have ramifications on the parallel case T-738/16 (‘La Quadrature du net and others’). The latter case poses the question whether the EU-U.S. Privacy Shield for data transfers from the EU to the U.S. protects the rights of EU individuals sufficiently. If it does not, the European Commission would face a “Safe Harbor”-déjà vu after approving of the new Privacy Shield in its adequacy decision from 2016.

The CJEU is not bound to the opinion of the Advocate General (AG), but in some cases, the AG’s opinion may be a weighty indicator of the CJEU’s final ruling. The final decision by the Court is expected in early 2020.

Data Protection Commission announces statutory inquiry into Facebook

17. December 2018

The Irish Data Protection Commission announced in a press release on  December 14, 2018 that it had initiated a statutory inquiry into Facebook.

Due to the frequent, especially in the recent past, data breaches of the American company and the total number of reported data breaches since the GDPR came into force on May 25, 2018, the Irish Data Protection Commission has initiated an investigation into compliance with the relevant provisions of the GDPR against Facebook.

In recent weeks, reports of renewed breaches of data protection by Facebook have continued.

Most recently, it became known that the Italian competition authority AGCM had imposed a fine of 10 million euros on Facebook because the company had passed on data to other platforms without the express consent of the users and that a bug in the programming interface for picture processing led to third-party apps having access to pictures of 6.8 million Facebook users, some of which had not even been published by the users.