An office that’s responsible for enforcing European data privacy laws against many of the biggest U.S. tech firms is spending much of its time on one company: Facebook.
The Ireland Data Protection Commission said in a report that as of Dec. 31 it had 15 ongoing investigations of multinational tech companies. Ten of the investigations were about Facebook or its subsidiaries, Instagram and WhatsApp.
One of the investigations into Facebook is especially wide-ranging, examining whether the social network has met its obligations “to secure and safeguard the personal data of its users.” Twitter faces a similar probe, the report says.
The report, released early on Thursday on Dublin time, underscores how much Facebook’s handling of sensitive personal data is dominating legal and policy debates about privacy — and how much potential regulatory danger the social network faces in Europe, where privacy laws are more strict than in the U.S.
Facebook has been battered by a series of privacy scandals over the past year, including a security flaw that affected 50 million accounts, a bug that may have exposed unpublished photos to third-party app developers and the collection of personal data by the political analysis firm Cambridge Analytica.
Like many other U.S. corporations, Facebook has its European headquarters in Dublin, meaning authorities in Ireland often have the first crack at enforcing Europewide laws against them.
The Irish commission has not announced the results of any investigations of Facebook, but potential penalties are high. Under a new privacy law that took effect in Europe in May 2018, companies that mishandle data can be fined up to 4 percent of their annual global revenue.
Facebook is separately looking at a potential multi-billion dollar fine in the United States, where it is negotiating with the Federal Trade Commission to end investigations into its privacy practices, The Washington Post reported this month.
The ten Irish investigations of Facebook cover a wide array of subjects. One is looking at how Facebook processes personal data for “behavioral analysis and targeted advertising.” Another is examining Instagram’s handling of personal information. A third is about the processing of information between WhatsApp and other Facebook subsidiaries.
Some of the investigations are based on complaints by users, while others the commission said it launched of its own volition.
Facebook said in a statement that it spent over 18 months working to ensure compliance with Europe's new privacy law.
“We made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information," the company said. "We are in close contact with the Irish Data Protection Office to ensure we are answering any questions they may have.”
Twitter said in a statement that it was fully committed to working with Irish authorities “to improve the already strong data and privacy protections we offer to the people who use our services. As always, our approach is one of transparency and openness.”
The Ireland Data Protection Commission said that it’s handling a growing number of consumer complaints under the new European privacy law, known as the General Data Protection Regulation (GDPR).
Between when the law took effect on May 25, 2018, and the end of the year, the commission said it received 3,542 valid notifications of data security breaches. For the full year, total consumer complaints were up 56 percent over the prior year, the commission said.
“The rise in the number of complaints and queries demonstrates a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data,” Helen Dixon, Ireland’s data protection commissioner, said in a statement along with the report.
The commission said it was adding staff to handle the increased workload, employing 110 people at the end of 2018 compared to 85 a year earlier.