Twitter and WhatsApp could face EU data privacy sanctions

Irish Data Protection Commission prepares cases for review by EU peers

FILE - This April 26, 2017, file photo shows the Twitter app icon on a mobile phone in Philadelphia. Twitter announced Monday, May 11, 2020, it will warn users with a label when a tweet contains disputed or misleading information about the coronavirus. (AP Photo/Matt Rourke, File)
Powered by automated translation

Twitter and Facebook’s WhatsApp are in the firing line as Europe’s leading privacy watchdog for US tech giants edges closer to delivering its first major sanctions under the region’s tough data-protection rules.

The Irish Data Protection Commission said on May 22 that it finalised a draft decision linked to a data breach at Twitter and has asked its peers across the European Union for their sign-off.

The regulator said it has also completed a draft decision in a probe of WhatsApp’s transparency around data sharing. The Facebook service will be asked to give its comments on any proposed sanctions before EU counterparts can weigh in.

The Irish authority’s probes have been piling up since the bloc’s tough General Data Protection Regulation took effect in May 2018 – but with no final decisions to date. The regulator is the lead data protection authority for some of the biggest US tech companies, including Twitter, Facebook, Google and Apple.

GDPR empowered regulators to levy penalties of as much as 4 per cent of a company’s annual revenue for the most serious violations. The biggest fine to date was a €50 million (Dh200m) penalty for Google by France’s watchdog CNIL.

The Irish regulator said it has also made progress in a number of its other pending cases, including an investigation into obligations of Facebook’s local unit “to establish a lawful basis for personal data processing”, adding that this “inquiry is now in the decision-making phase”.

Twitter and WhatsApp representatives declined to comment on the Irish probes.

While sanctions in the two cases wouldn’t be the first under the new GDPR rules, they will be the first to test the cooperation between all 27 EU data authorities. Due to the EU-wide effects of the alleged violations in the two cases, the Irish regulator has to share its draft decisions with other regulators, allowing them to weigh in and either approve or object to its findings.