DUBLIN – Facebook faces 10 investigations by Ireland’s privacy regulator into whether the company or its subsidiaries have violated European Union privacy law, making the social network the biggest target for one of the bloc’s most important data watchdogs, amid growing scrutiny around the world of its privacy practices.
Some of the investigations, disclosed as part of the Irish regulator’s annual report on Thursday, focus on whether the company is legally gathering and processing individuals’ data. Others are looking into whether the company’s units are sufficiently transparent about how they handle data, and whether they have done enough to safeguard it.
The regulator said the probes were among the 15 investigations into major tech firms that it has opened since the EU’s new privacy law called GDPR went into effect last May, adding that some could be resolved in 2019.
A Facebook spokesman said the company had “spent over 18 months working to ensure we comply with the GDPR,” adding that it was working with the Irish regulator to address its questions.
While Ireland’s privacy watchdog has previously discussed its Facebook investigations – which include complaints that users don’t have the ability to opt out of some forms of data collection – Thursday’s report highlights the breadth of the probes the company is facing in the EU, amid growing scrutiny of its privacy practices.
The Wall Street Journal reported last week that popular apps were using software provided by Facebook to send the social network personal information about their users, such as their body weight or whether they were ovulating. After the report, New York Gov. Andrew Cuomo ordered state agencies to investigate Facebook and app makers for what he described as “an outrageous abuse of privacy.”
In 2018, the UK’s privacy regulator fined Facebook 500,000 pounds ($665,000) for doing too little to stop political data firm Cambridge Analytica from accessing information about tens of millions of Facebook users. The US Federal Trade Commission is currently also investigating the company.
Ireland’s Data Protection Commission is the lead privacy regulator in the EU for Facebook and other companies, including Apple, Microsoft, Twitter, that have regional headquarters there, making it one of the globe’s most influential privacy regulators. It also has some of the biggest bite: Under the GDPR, the office can fine companies up to 4 percent of their world-wide annual revenue, or 20 million euros ($22.7 million), whichever is greater.
In Thursday’s report, the Irish regulator disclosed five other privacy investigations into major tech companies, including two probes each into Apple and Twitter and one into Microsoft’s professional-networking service, LinkedIn. Those probes examine issues including data collection for targeted advertising, protections against data breaches and transparency requirements.
A Twitter spokesman said the company would work with the Irish regulator to “improve the already strong data and privacy protections we offer.”
Denis Kelleher, LinkedIn’s head of privacy in Europe, the Middle East and Africa, said it was working with the Irish regulator and that the complaint on which the investigation was based didn’t “take account of the changes we made to our platform to comply with GDPR.”
Spokesmen for Apple didn’t immediately respond to a request for comment.
Several of the probes into multinationals, including Apple, Facebook and LinkedIn, focus on behavioral advertising businesses, in which companies track individuals’ behavior on websites and within apps to target them with tailored ads. Many companies in the ad-tech business play roles in behavioral advertising, collecting and processing this data behind the scenes, including through third-party software embedded in nearly all apps, known as software-development kits, which were a focus of last week’s Journal report.
The Irish privacy regulator said Thursday it had concerns in particular about how companies may profile individuals, particularly those with sensitive data, and whether individuals are aware of which parties hold their data.
“The protection of personal data is a prerequisite to the processing of any personal data within this ecosystem and ultimately the sector must comply with the standards set down by the GDPR,” the regulator said.