Ireland’s DPC (Data Protection Commission) has said it will release the findings of its investigation into Facebook and several other high-profile tech companies in June or July.
Commissioner Helen Dixon told Bloomberg: “We’re at various concrete stages in all of them, but they’re all substantially advanced.”
The DPC began its investigation in October 2018, following consumer complaints about the way Facebook processes personal data. A separate investigation was launched after the social media giant announced that it had uncovered a bug that gave third-party apps access to more of users’ photos than were disclosed in its policy.
The DPC is also investigating complaints about WhatsApp and Instagram, which are both owned by Facebook, as well as Twitter, Apple and LinkedIn.
As with Google, the investigated organisations are based in the US, but are required to comply with the GDPR because they offer their services to EU-based data subjects.
If any of the organisations being investigated are found liable, Dixon said that a substantial fine “is the certainty rather than the likelihood”.
However, she added that financial penalties alone won’t prevent organisations from violating the GDPR’s requirements in the future. Organisations like Google are more likely to spend money fighting the ruling and trying to protect their reputation than to invest in security practices.
“Companies are lawyering up and we’re typically dealing with more litigators and lawyers on the side of any inquiry that we conduct,” Dixon said.
“It does show the power that they have in terms of the size. But we have all the cards in terms of the powers to investigate, to compel and ultimately to conclude and make findings.”
Worried about your organisation’s GDPR compliance status?
Most organisations don’t have the same luxuries as the tech giants when it comes to GDPR violations. You always have the option to appeal, but even if the punishment is reduced, you may still suffer crippling financial and reputational consequences.
You can prevent that from happening by teaching employees involved in data processing the fundamentals of the Regulation.
IT Governance’s Certified GDPR Foundation and Practitioner training courses are the perfect platform to do that. Our structured learning path is delivered by an experienced GDPR consultant, and our training sessions are built on the foundations of our extensive practical experience gained advising on the GDPR and the international standard for information security management, ISO 27001.