By Sam Schechner
The European Union could begin to hit Facebook Inc. with
decisions under the bloc's new privacy law by the end of the year,
raising the specter of billions of euros in fines and orders to
change business practices.
Ireland's Data Protection Commission -- which leads EU privacy
enforcement for Facebook because the firm's regional headquarters
are in Dublin -- says it is nearing the end of its investigations
in some of the 11 cases it has opened into the tech giant under the
EU's General Data Protection Regulation, or GDPR.
The Irish regulator has given Facebook copies of its final
investigative reports for some cases, and plans to begin drafting
decisions in coming weeks, according to Graham Doyle, a spokesman
for the regulator. Ireland aims to send at least some draft
decisions, along with any proposed fines and sanctions, to the EU's
27 other national privacy regulators by the end of September, Mr.
Doyle added.
The sending of those draft decisions will kick off an EU
approval process that could stretch to the end of the year or into
the beginning of 2020, European privacy officials say.
For Facebook, the Irish cases come as the company agreed in July
to a $5 billion settlement of past privacy behavior with the U.S.
Federal Trade Commission. Facebook board members were briefed on
the Irish cases along with other pending probes as recently as a
June meeting, according to a person familiar with the matter.
A Facebook spokeswoman said the company is "in close contact
with the Irish Data Protection Commission to ensure we are
answering their questions," adding that Facebook "spent over 18
months working to ensure we comply with the GDPR."
Facebook Chief Executive Mark Zuckerberg has pointed to the GDPR
as a potential model for regulation. But even if Facebook
executives believe regulation is a good thing, the company reserves
the right to disagree with regulators on specific cases, a person
close to the company said.
The pending Irish decisions are among the first cases involving
big U.S. tech companies that will be decided under the GDPR. They
will help determine whether the law will dent Silicon Valley and
what kind of role the EU will play in regulating the tech sector as
the U.S. ramps up its own scrutiny.
Ireland's Data Protection Commission is the focus of intense
attention because it is the lead privacy regulator in the EU for
some of the world's biggest technology companies, including
Alphabet Inc.'s Google, Apple Inc., Twitter Inc. and Microsoft
Corp.'s LinkedIn, because they too have a regional headquarters in
the country.
How Ireland will decide its cases against big Silicon Valley
companies also been a focus of attention in part because some
smaller ad-tech firms and advertising buyers say that the GDPR has,
at least initially, led marketers to shift digital-ad spending to
Google and Facebook.
Unlike the U.S. FTC settlement, the Irish investigations into
Facebook don't focus on the company's relationship with the
now-defunct political-campaign group Cambridge Analytica. That
relationship predates the GDPR, which went into effect in May 2018,
and has already led the U.K.'s privacy regulator, the Information
Commissioner's Office, to fine Facebook under older EU rules.
Under the new EU rules, privacy regulators have more expansive
powers than the FTC to order changes in behavior. But the fines
could be less than the FTC's settlement. Under the GDPR, fines can
run up to 4% of a company's prior-year world-wide revenue, which
for Facebook works out to $2.23 billion.
Theoretically Facebook could be fined in each of the cases
involving it, but there is still little precedent on how regulators
will assess their fines, or what courts will say on appeal. In
January, France's privacy regulator fined Google EUR50 million ($56
million) for "lack of valid consent regarding ads personalization"
-- a ruling Google is appealing.
The spokesman for Ireland's regulator didn't say which of the
cases involving Facebook are nearing the decision phase, except for
one looking at whether Facebook's chat app WhatsApp gives
sufficient information to users and nonusers about how it shares
data with other Facebook units.
Other cases Ireland has said it is investigating go to the heart
of Facebook's business model, though it isn't clear how close those
cases are to resolution. Three of the probes concern whether the
Irish units of Facebook, Instagram and WhatsApp, which are
responsible for EU-based users, have proper legal authorization
under EU law to collect and use personal information about EU
residents, according to the regulator's annual report. Another
specifically looks at whether Facebook is complying with the GDPR
when using that data "in the context of behavioral analysis and
targeted advertising," the report says.
Facebook has argued that it collects much of its information as
part of a contract with users to provide them with a personalized
service -- making the collection necessary if one wishes to join
the social network. But some privacy activists argue that
justification is insufficient given how much information Facebook
collects about users, in particular from other apps.
Thousands of popular smartphone apps on Apple and Google Android
devices include Facebook code that sends the social network
sometimes-detailed information about users, including what products
they put in their shopping carts and which destinations they are
searching for flights. Earlier this year, The Wall Street Journal
reported that 11 popular apps with tens of millions of active users
were sending Facebook highly personal information, including heart
rates and estimates of when a woman is ovulating -- something
Facebook said violated its policies for app developers.
Other Facebook investigations Ireland has said it is pursuing
look into whether the company took sufficient precautions to avert
data breaches, such as the so-called token breach it disclosed
nearly a year ago.
The European Commission, the EU's main antitrust enforcer, has
also set its sight on how Facebook uses data from other apps that
operate on its platform. The commission recently sent
questionnaires on the topic to Facebook customers and competitors,
something that could lead to an antitrust investigation in coming
months, according to an EU official.
Emily Glazer and Valentina Pop contributed to this article.
Write to Sam Schechner at sam.schechner@wsj.com
(END) Dow Jones Newswires
August 12, 2019 05:44 ET (09:44 GMT)
Copyright (c) 2019 Dow Jones & Company, Inc.
Meta Platforms (NASDAQ:META)
Historical Stock Chart
From Aug 2024 to Sep 2024
Meta Platforms (NASDAQ:META)
Historical Stock Chart
From Sep 2023 to Sep 2024