Irish data protection watchdog defends handling of social media investigations

Data Protection Commissioner Helen Dixon said the long-running criticisms are ‘becoming old news’.
Data Protection Commissioner Helen Dixon said the long-running criticisms are ‘becoming old news’.

Ireland’s data protection watchdog has defended its stance and the pace of its investigations into breaches by social media giants.

Data Protection Commissioner Helen Dixon said the long-running criticisms are “becoming old news”.

Ireland’s regulator of big tech companies has long faced criticism from civil liberties groups in Ireland and across Europe, accusing it of being too soft and too slow.

It comes after the Data Protection Commission (DPC) issued a fine to Instagram of 405 million euro over the way in which it handled teenagers’ personal data, making it the largest fine the authority has ever issued.

Public Services Card
Data Protection Commissioner Helen Dixon said the long-running criticisms are ‘becoming old news’ (Data Protection Commission/PA)

Instagram’s parent company, Meta, said in a statement that it plans to appeal against the decision.

The DPC was criticised for proposing a fine of 50 million euros against WhatsApp for breaches of privacy laws. However, the fine was increased to 225 million euros after it consulted with its European partners.

Ms Dixon told RTE: “To a large extent I think the criticisms are becoming old news, at least for those with regards to the facts, and let me address, for example, the WhatsApp (case).

“If you look at the decision that was made by the European Data Protection Board in relation to WhatsApp, the reason the fine ended up larger is actually because of a technical interpretation of one of the articles of the GDPR (General Data Protection Regulation).

“We had proposed fines in relation to all the infringements we found; however, we read a particular article of the GDPR as saying that only the gravest of the infringements counted for the purposes of the fine if the processing operations were linked.

“The EDPB in the event took a different technical interpretation. They said no, they should effectively all be cumulated together.

“It’s an arithmetic issue as a result of the interpretation that arose in that case. So it’s not an example of any difference in approach in terms of how these types of infringement should be identified and ultimately punished for punitive effect.”

The DPC began an inquiry in September 2020 in relation to how Instagram processed the details of teenage minors.

The inquiry looked at a process by which users aged between 13 and 17 were allowed to operate business accounts on Instagram, which in some cases allowed, or required, children’s phone numbers and/or email addresses to be made public.

Ms Dixon added: “With a case like this, it’s somewhat more tangible what the harms could be because we know that the phenomenon of technology-facilitated grooming is real.

“The contact details posted potentially without users being aware of the risks, the significance of the risks could be considerable.

“So we opened an investigation in 2020. We looked at issues of the design in relation to the automatic posting of content of children publicly in relation to the contact details being made public and in relation then to how Instagram itself had assessed the risks and designed its measures accordingly.

“We made findings of infringement across a number of areas.

“We assess the severity and the nature of those, and we proposed fines, a fining range for each of the infringements that we found, and those finding ranges when totalled added up to 405 million.”

Meta is expected to pay the fine once it is confirmed by the courts in Dublin.

The money then goes to the Exchequer.