EU Nears Decisions in Facebook Privacy Cases
Ireland's Data Protection Commission has power to levy billions of euros in fines; aims to send proposed decisions to other EU regulators by end of September
By Sam Schechner
Aug. 12, 2019
The European Union could begin to hit Facebook Inc. with decisions under the bloc's new privacy law by the end of the year, raising the specter of billions of euros in fines and orders to change business practices.
Ireland's Data Protection Commission--which leads EU privacy enforcement for Facebook because the firm's regional headquarters are in Dublin--says it is nearing the end of its investigations in some of the 11 cases it has opened into the tech giant under the EU's General Data Protection Regulation, or GDPR.
The Irish regulator has given Facebook copies of its final investigative reports for some cases, and plans to begin drafting decisions in coming weeks, according to Graham Doyle, a spokesman for the regulator. Ireland aims to send at least some draft decisions, along with any proposed fines and sanctions, to the EU's 27 other national privacy regulators by the end of September, Mr. Doyle added.
The sending of those draft decisions will kick off an EU approval process that could stretch to the end of the year or into the beginning of 2020, European privacy officials say.
For Facebook, the Irish cases come as the company agreed in July to a $5 billion settlement [1] of past privacy behavior with the U.S. Federal Trade Commission. Facebook board members were briefed on the Irish cases along with other pending probes as recently as a June meeting, according to a person familiar with the matter.
A Facebook spokeswoman said the company is "in close contact with the Irish Data Protection Commission to ensure we are answering their questions," adding that Facebook "spent over 18 months working to ensure we comply with the GDPR."
Facebook Chief Executive Mark Zuckerberg has pointed to the GDPR [2] as a potential model for regulation. But even if Facebook executives believe regulation is a good thing, the company reserves the right to disagree with regulators on specific cases, a person close to the company said.
The pending Irish decisions are among the first cases involving big U.S. tech companies that will be decided under the GDPR. They will help determine whether the law will dent Silicon Valley and what kind of role the EU will play in regulating the tech sector as the U.S. ramps up its own scrutiny.
Ireland's Data Protection Commission is the focus of intense attention because it is the lead privacy regulator in the EU for some of the world's biggest technology companies, including Alphabet Inc.'s Google, Apple Inc., Twitter Inc. and Microsoft Corp.'s LinkedIn, because they too have a regional headquarters in the country.
How Ireland will decide its cases against big Silicon Valley companies also been a focus of attention in part because some smaller ad-tech firms and advertising buyers say that the GDPR has, at least initially, led marketers to shift [3] digital-ad spending to Google and Facebook.
Unlike the U.S. FTC settlement, the Irish investigations [4] into Facebook don't focus on the company's relationship with the now-defunct political-campaign group Cambridge Analytica. That relationship predates the GDPR, which went into effect in May 2018, and has already led the U.K.'s privacy regulator, the Information Commissioner's Office, to fine Facebook under older EU rules.
Under the new EU rules, privacy regulators have more expansive powers than the FTC to order changes in behavior. But the fines could be less than the FTC's settlement. Under the GDPR, fines can run up to 4% of a company's prior-year world-wide revenue, which for Facebook works out to $2.23 billion.
Theoretically Facebook could be fined in each of the cases involving it, but there is still little precedent on how regulators will assess their fines, or what courts will say on appeal. In January, France's privacy regulator fined Google €50 million ($56 million) [5] for "lack of valid consent regarding ads personalization"--a ruling Google is appealing.
The spokesman for Ireland's regulator didn't say which of the cases involving Facebook are nearing the decision phase, except for one looking at whether Facebook's chat app WhatsApp gives sufficient information to users and nonusers about how it shares data with other Facebook units.
Other cases Ireland has said it is investigating [6] go to the heart of Facebook's business model, though it isn't clear how close those cases are to resolution. Three of the probes concern whether the Irish units of Facebook, Instagram and WhatsApp, which are responsible for EU-based users, have proper legal authorization under EU law to collect and use personal information about EU residents, according to the regulator's annual report. [7] Another specifically looks at whether Facebook is complying with the GDPR when using that data "in the context of behavioral analysis and targeted advertising," the report says.
Facebook has argued that it collects much of its information as part of a contract with users to provide them with a personalized service--making the collection necessary if one wishes to join the social network. [8] But some privacy activists argue that justification is insufficient given how much information Facebook collects about users, in particular from other apps.
Thousands of popular smartphone apps on Apple and Google Android devices include Facebook code that sends the social network sometimes-detailed information about users, including what products they put in their shopping carts and which destinations they are searching for flights. Earlier this year, The Wall Street Journal reported that 11 popular apps with tens of millions of active users were sending Facebook highly personal information, [9] including heart rates and estimates of when a woman is ovulating--something Facebook said violated its policies for app developers.
Other Facebook investigations Ireland has said it is pursuing look into whether the company took sufficient precautions to avert data breaches, such as the so-called token breach it disclosed nearly a year ago. [10]
The European Commission, the EU's main antitrust enforcer, has also set its sight on how Facebook uses data from other apps that operate on its platform. The commission recently sent questionnaires on the topic to Facebook customers and competitors, something that could lead to an antitrust investigation in coming months, according to an EU official.
--Emily Glazer and Valentina Pop contributed to this article.
Write to Sam Schechner at sam.schechner@wsj.com
[1] https://www.wsj.com/articles/ftc-approves-roughly-5-billion-facebook-settlement-11562960538
[3] https://www.wsj.com/articles/gdpr-has-been-a-boon-for-google-and-facebook-11560789219
[5] https://www.wsj.com/articles/google-fined-57-million-by-french-regulator-11548085558
[8] https://www.wsj.com/articles/stage-is-set-for-battle-over-data-privacy-in-europe-1526031104