Facebook Inc. may know by this summer whether it could face billions of dollars in fines stemming from potential violations of the European Union’s data privacy law.
Ireland’s Data Protection Commission has been investigating whether the social media giant’s data practices have violated the General Data Protection Regulation.
“We are well advanced, but not at the final stages,” Irish Data Protection Commissioner Helen Dixon told Bloomberg Law April 5 on the sidelines of the International Privacy + Security Forum in Washington. Dixon said Irish investigators will give her a report “certainly in the next two months.”
Companies can face fines of up to 4 percent of annual revenue or 20 million euros ($22.4 million), whichever is greater, for violating the GDPR. If Dixon’s office finds that Facebook did so, it could result in over $2 billion in fines for Facebook, based on its fiscal year 2018 revenue of $55.8 billion.
Facebook spokesman Andy Stone declined to comment “on any of the ongoing investigations.”
Facebook likely will be given investigative report soon, Dixon said. The office “is literally on the verge of issuing” initial reports to the parties, she said.
Dixon’s office is investigating several tech companies, including Apple Inc., Twitter Inc., and LinkedIn Corp. for alleged GDPR violations. All of the companies have their European headquarters in Ireland.
The investigative report will kick off a comment period during which Facebook and parties claiming harm from alleged violations are able to weigh in on the findings. Dixon said that process takes about six weeks, after which she will consider the final report. The European Data Protection Board, a collection of other EU data protection commissioners, are also involved, but Dixon is the lead regulator under the EU’s one-stop-shop enforcement mechanism.
EU privacy regulators take into account any remediation companies take to limit ongoing alleged EU privacy actions. Any such efforts are weighed against the “gravity, nature, and duration” of any alleged infringement of EU privacy law, Dixon said.
Facebook is currently facing seven EU investigations. The social media giant also has to deal with separate privacy investigations into Instagram and WhatsApp.
Dixon said she’s been working with Facebook on data protection areas such as “looking back at the Facebook app developer program,” which has 1.6 million app developers, and how they are overseeing the program.
Dixon said those reviews are ongoing and that she wants to make sure Facebook is properly vetting developers when they access user data.
The number of large tech companies subject to Ireland’s privacy oversight may increase depending on the outcome of Brexit, Dixon said. Under a no-deal Brexit, data transfers from the EU to the U.K. would grind to a halt without some other data transfer mechanism, she said.
Companies based in the U.K., Dixon said, would have to designate representatives in the EU to deal with any European enforcement matters. Dixon said some companies, including Accenture Plc, have indicated they will be taking their operations to Ireland.