Ireland's Data Protection Commission, the country's privacy watchdog, announced Friday that it's submitted a draft decision to EU supervisory authorities on whether Twitter broke European privacy laws.
It's one of multiple cases involving Silicon Valley tech giants that the Irish regulator is close to making final decisions on. Each case could result in a big fine for a company, or even an order that would require the business to temporarily or permanently stop collecting and processing the data of European citizens.
The Twitter case involves an unspecified data breach and looks at whether the company informed supervisory authorities quickly enough and if it effectively documented the details. Twitter declined to comment on the the DPC's announcement.
"In addition to submitting this draft decision to other EU supervisory authorities, we have this week sent a preliminary draft decision to WhatsApp Ireland Limited for their final submissions which will be taken in to account by the DPC before preparing a draft decision in that matter also," Deputy Commissioner Graham Doyle said in a statement.
The inquiry into WhatsApp Ireland involves questions about the company's compliance with Articles 12 to 14 of Europe's General Data Protection Regulation (GDPR), including transparency around what information is shared with Facebook, which owns WhatsApp.
The DPC said it's also completed an inquiry into how Facebook processes personal data, and has now moved into the decision-making phase. In addition, it's sent draft inquiry reports to the complainants and companies concerned in two further cases, one involving WhatsApp and one involving Instagram, which also is owned by Facebook.
The announcements from the DPC come just three days before the GDPR is due to celebrate its. The sweeping privacy law is designed to protect and empower European citizens in the digital age, and is being used as blueprint for the development of privacy legislation all over the world. If companies or organizations are found to be in breach of the GDPR, they can be issued fines of up to 20 million euros ($22.8 million), or up to 4% of their annual worldwide turnover, or be ordered to significantly alter their behavior.
Ireland is in charge of enforcing the GDPR among all Facebook brands, as well as Twitter, Apple and Google, because all the companies have their European headquarters in that country. It has a combined 18 investigations open into the companies. Last week, the DPC made its first announcement about taking action on a GDPR inquiry, but rather than a multinational tech company, it was in relation to a local public agency.
Since the GDPR came into force, only two fines have been issued to big tech companies -- one for 51,000 euros to the German subsidiary of Facebook for not appointing a local data protection officer, and one to Google for 50 million euros by French authorities over Android, which doesn't fall under the jurisdiction of Ireland.
Onlookers have been awaiting the Irish DPC's decisions, which will be a test of the GDPR's power and which have the potential to challenge the business models of Silicon Valley's most powerful companies.