Ireland’s data privacy regulator is close to concluding its first probe into a multinational company under the EU’s new privacy laws, likely to involve Facebook’s WhatsApp subsidiary, although a formal decision could take months.
Ireland hosts the European headquarters of a number of U.S. technology firms. That makes Ireland’s Data Protection Commission (DPC), headed by Helen Dixon, the lead regulator in the bloc under the EU’s General Data Protection Regulation’s (GDPR) “One Stop Shop” regime introduced last year.
The Irish Independent newspaper quoted Dixon as saying on Friday that her office’s first major GDPR decision relating to a multinational firm looked set to be one of two probes it opened into WhatsApp.
More than half of the DPC’s multinational investigations relate to Facebook, eight directly focusing on the U.S. social media giant, plus the two into WhatsApp and one into Facebook-owned Instagram.
“I expect that file to land on my desk in the next fortnight,” Dixon told the newspaper in an interview.
“I’d like to say that we could do it in 48 hours, but it has to be in the order of months, to be done in the way that it has to be done. I will have to allow them a period of time to respond. I would have to consider their responses.”
The new rules give regulators the power to impose fines for violations of up to 4% of a company’s global revenue or 20 million euros ($22 million), whichever is higher.
Dixon said her office was “not really looking at” the record-breaking $5 billion fine Facebook agreed to pay last month to resolve a U.S. government probe into its privacy practices.
“One criticism of the FTC’s (U.S. Federal Trade Commission) decision is that it has done nothing to change Facebook’s business model, or the way that Facebook will handle personal data. The decisions that we make here have to have an impact, in terms of how the GDPR must be applied,” she said.
Dixon said that the DPC had also opened its 21st investigations into a multinational technology company, relating to Verizon Communications Inc’s media division, previously named Oath.
In a separate, embarrassing ruling for the Irish government on Friday, the DPC told the state it must delete data held on 3.2 million of the country’s 4.7 million citizens, gathered as part of the roll-out of a identity card for public services.
It said there was no legal basis for the wide application of the card, which was introduced for claiming welfare benefits but was criticized by data-privacy campaigners when it was required to access other state services such as renewing driving licences.