By Sam Schechner 

DUBLIN -- When chat service WhatsApp last summer did an about-face and started sharing users' personal information with parent company Facebook Inc., Ireland's top privacy cop jumped into action.

Helen Dixon, Ireland's data-protection commissioner, activated a 10-person investigative unit she had created to probe multinational tech firms, and she pushed to coordinate multiple probes across Europe. She has since put both Facebook and WhatsApp through rounds of questioning at her agency's new offices in Dublin.

The case is one of the most high-profile tests since the European Union agreed on a new law for regulating data-protection and privacy matters across the continent, which has long tilted toward stricter rules than in the U.S.

While the law doesn't take effect until 2018, it will eventually give tiny Ireland the authority to hit companies with big fines -- up to 4% of global revenue -- for violations. Other EU countries will share the same power, but Ms. Dixon stands to take an outsize role in the global debate over data-protection and privacy issues given the prominence of the companies that have their European headquarters in Ireland -- including giants like Facebook, Apple Inc., Alphabet Inc.'s Google and Airbnb Inc.

"We are effectively regulating the global rollout of the products these companies propose," Ms. Dixon said in an interview. "The standards that we set in Europe will influence how data privacy is done around the world."

That puts Ireland and its data-protection chief in the global spotlight. Ms. Dixon two years ago took over an agency that faced frequent accusations of industry bias. Ireland, after all, drew the world's tech darlings in part because of its business-friendly tax and governance environment. Its tax treatment of Apple is now the subject of a policy tug of war between Dublin and the EU.

Before Ms. Dixon took over, the privacy commissioner had a single tiny office above a small-town supermarket. She has since doubled staff to 60 with plans to reach nearly 100 next year. Ireland boosted her 2017 budget to EUR7.5 million ($7.8 million), up 58% from this year. In August, she opened a new office in a renovated four-story townhouse in Dublin -- but expects the team to outgrow the space as early as next year.

Meanwhile, Ms. Dixon is in a wrestling match with other national data-protection agencies in the EU, many of which want a say over the multinationals squarely in her sights. Under the new EU privacy law, a lead authority must consult with EU counterparts on major cross-border cases, and the leader can be overruled. But for now, in cases like WhatsApp, there is no formal lead authority, and cross-border collaboration is ad hoc.

"For the moment, Ireland is one among many," said Isabelle Falque-Pierrotin, France's privacy chief and the head of a pan-European advisory group comprising the bloc's 28 data-protection regulators.

The EU recently accused Facebook of making misleading statements in 2014 when seeking approval to buy WhatsApp, which could lead to a fine of up to $179 million. But in the privacy case under Ms. Dixon's purview, any fines would be minimal under current Irish law. She can send cases directly to court with the ceiling on fines set at EUR3,000 -- far less than the 4% of world-wide revenue that will become possible under EU law in 2018.

More immediately, however, Ireland could order Facebook to change its behavior, which, combined with possible action and fines by other EU regulators, would point to tougher enforcement ahead for companies. "We aren't looking to hang a sign around our necks saying 'leader,' but that is what we are doing when it comes to communicating with the other regulators," Ms. Dixon said.

A spokeswoman for Facebook said last summer's changes to WhatsApp's privacy policy "comply with applicable law," but added that the company held off on sharing some WhatsApp data with Facebook in Europe pending the outcome of the investigations opened in several countries.

There are skeptics of Ireland's policing of corporate practices. Irish data-protection officials have long promoted what they call an "engaged approach" to regulation. Through frequent conversations with companies, they say they foster compliance before there is a violation that needs punishing.

While corporate lawyers applaud the approach, some privacy activists have said it is still too cozy. When Facebook launched a new privacy policy in 2015, several data-protection authorities opened parallel investigations into it -- but not Irish regulators. "It is no secret that in the past we have had different views on legal topics concerning Facebook," said Johannes Caspar, privacy commissioner in Hamburg, Germany.

Ms. Dixon, who spent nearly 11 years working for American corporations before moving to the public sector in 2007, rejects the notion that the agency has been a pushover through the years. She said that striking deals with companies to change practices sometimes does more to protect citizens than ending up in years of enforcement litigation.

Dara Murphy, Ireland's data-protection minister, who helps oversee the regulator, says Ireland will prove unflinching in applying the EU's new privacy law: "It will be in the interest of our regulator here that it become clear quite quickly that the Irish interpretation is as robust as anyone else's."

Write to Sam Schechner at sam.schechner@wsj.com

 

(END) Dow Jones Newswires

December 28, 2016 02:47 ET (07:47 GMT)

Copyright (c) 2016 Dow Jones & Company, Inc.