Google and Tinder are the most recent corporates to come to the attention of the Irish DPA. The Hill reports as follows:
Ireland’s Data Protection Commission, based in Dublin, is investigating Google’s Irish subsidiary to decide whether the company meets transparency obligations under the EU’s General Data Protection Regulation (GDPR) or “has a valid legal basis for processing the location data of its users,” the commission said in a statement.
Google “will cooperate fully with the office of the Data Protection Commission in its inquiry, and continue to work closely with regulators and consumer associations across Europe,” the company said in a statement, according to The Associated Press. “In the last year, we have made a number of product changes to improve the level of user transparency and control over location data.”
The commission has a total of 23 inquiries into U.S.-based tech companies, including Facebook and Twitter.
Tinder is also under investigation by the commission after the EU raised concerns about problem areas surrounding its U.S. parent company, Match Group, and its processing of users’ private data and compliance with GDPR.
(Privacy press clipping sourced via The Hill)
The Irish Data Protection Commission has quite a few corporates presently under investigation, including Twitter, WhatsApp and Facebook. Google and Tinder are just the most recent companies to be added to the list. With regard to Google, the Commission has stated that (February 4, 2020): “the DPC has commenced an own-volition Statutory Inquiry, with respect to Google Ireland Limited, pursuant to Section 110 of the Data Protection 2018 and in accordance with the co-operation mechanism outlined under Article 60 of the GDPR. The Inquiry will set out to establish whether Google has a valid legal basis for processing the location data of its users and whether it meets its obligations as a data controller with regard to transparency.”
What hasn’t happened, to date, is significant GDPR enforcement action in Ireland. The Irish DPA has stopped short of announcing the sort of fines it may wish to impose. Most recently, in the WhatsApp investigation for example, a delay in announcing the results of its investigation was blamed on the protestations of corporate lawyers for the tech company.
Ireland has a lot of tech companies based locally, largely attracted by tax breaks, good governance and a competitive labor market. This means that the Data Protection Commission has an impressive workload to deal with, both in the volume of cases and their complexity. Unfortunately, the Commission also needs to manage criticism from some quarters (particularly commentators in Brussels) that it appears soft on privacy enforcement when it comes to large foreign companies. This additional pressure comes from its ‘lead’ role under the GDPR for companies based in Ireland.