Helen Dixon from the DPC (Ireland) spoke to the Irish Independent in an interview that was released today about GDPR enforcement and she dropped names and numbers.
Key bits annotated:
The Irish DPC office is now probing Verizon Media, formerly known as Oath, around complaints that its online media properties do not give users choice around online ‘cookies’ that track user activity online.
“It’s specifically into transparency issues,” Ms Dixon tells Adrian. “There were more 38 complaints redirected to us by other EU data protection authorities. Those authorities were in receipt of a significant volume of complaints from individuals specifically relating to services by media sites.”
She said that some of the complaints related to when “effectively there’s no choice when cookie banners are offered. The only option seems to be to click okay”.
So Oath is specifically under investigation here, and the issue is transparency and the sufficiency of consent mechanisms. She’s also raising a tactical point: when collecting consent, the ability to decline has to be clear and prominent. This is consistent with ICO guidance, which also emphasizes equality of prominence with accept, which goes beyond simple prominence.
Also note that she cites a high volume of complaints forwarded from other regulators regarding ’services by media sites.’ These could trigger DPC investigations to a wide range of media sites beyond Oath, and the 3rd parties that might be embedded on these sites.
One note of encouragement: it looks like DPAs are off to a good start with information sharing under GDPR and they are at least attempting to consolidate investigations to lead authorities with principle jurisdiction over a company.
Meanwhile, Dixon tells Adrian that her office’s first major GDPR decision relating to a multinational tech firm looks set to be about Whatsapp.
The WhatsApp investigation is examining whether WhatsApp has “discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s services, including information provided to data subjects about the processing of information between WhatsApp and other Facebook companies”, according to the DPC’s office.
WhatsApp will be first up for the DPC. The core issue is data sharing across FB properties. We assume that transparency about these sharing practices and the achievement of sufficient legal basis are at the core.
Dixon’s office currently has 61 statutory enquiries underway under GDPR law, 21 of which are focused on tech multinational firms. These include Facebook (8), Twitter (3), Apple (3), Whatsapp (2), Instagram (1), Google (1), Linkedin (1), Quantcast (1) and Verizon Media (1).
Not all of these will resolve in enforcement activity, but this is a long list. And note that there are 40 additional companies that are not named.
If you found this piece valuable, please give us a few hearty claps and follow us for ongoing updates. We also welcome discussion — please leave your comments and feedback in a response below!
The Lucid Privacy Group actively manages privacy strategy and operations and serves as DPO for startups and rapidly scaling technology companies. We come at the issues with a pro-privacy, product and technology orientation, and can translate arcane legalese into real world, pragmatic terms. Drop us a line at firstname.lastname@example.org or visit us on the web or Twitter.