META Meta Platforms Inc

By Catherine Stupp 

BRUSSELS -- A decision in Ireland's privacy investigation into Facebook Inc.'s WhatsApp has been delayed because the company's lawyers raised concerns about how the regulator will share potentially sensitive commercial data with authorities in other European countries.

Ireland's Data Protection Commission will need a few weeks to respond to WhatsApp's questions, the regulator's head, Helen Dixon, told WSJ Pro Cybersecurity on Wednesday on the sidelines of a privacy conference. As a result, Ms. Dixon said a decision would likely come in early 2020 instead of the end of this year, as she had previously flagged.

"We want any issues with the process and the fair procedures aired out now. We do not want to end up in court where it's not the substance of our decision or the merits of our decision that's being appealed or challenged, it's the procedures we followed," said Ms. Dixon, the commissioner for data protection. Fortune reported about the delay Tuesday.

A WhatsApp spokeswoman declined to comment.

Ms. Dixon's office is investigating Facebook, Twitter Inc. and other technology companies for possible violations of the European Union's 18-month-old privacy law, the General Data Protection Regulation. The companies fall under her office's jurisdiction because their European headquarters are in Ireland. Other EU regulators can object to the Irish regulator's decisions.

The WhatsApp probe is considering whether the messaging platform informed its users sufficiently about how it shares their data with other companies. Failure to do so could violate the GDPR. Companies that break the law can face fines of up to 4% of global revenue or EUR20 million (about $22 million), whichever is higher.

The case marks the first time a regulator will require input from counterparts in all other EU countries before finalizing a decision, Ms. Dixon said during a panel discussion at the conference. When a case concerns privacy rights of residents of more than one EU country, one regulator leads the investigation but others can weigh in and object to a final decision.

"Companies are naturally nervous and entitled to information about how that's going to work," she said.

Under the GDPR, regulators must follow a special process for cases affecting people in various European countries. WhatsApp inquired about that process and whether the Irish regulator would share information with other authorities including commercial data. The company also asked for an explanation of the potential infringement and information about any fine.

The Irish regulator instructed WhatsApp to identify information it considers confidential or commercially sensitive, Ms. Dixon told WSJ Pro Cybersecurity, adding she would determine whether the information is too sensitive to share with other authorities.

The WhatsApp case will be a test of whether Ms. Dixon's office makes any changes to how it communicates with companies it investigates, she said. "We're going to learn from the first few cases," she said.

Ms. Dixon has faced criticism for the length of her office's GDPR investigations.

In other European countries, regulators have already issued large penalties related to the data-protection law. This summer, the U.K. privacy authority proposed fines of GBP99 million ($128 million) against Marriott International Inc. and of GBP183 million ($236 million) against British Airways' parent company, International Consolidated Airlines Group SA, over cybersecurity gaps that led to major data breaches.

"Speed is not the only angle when it comes to enforcement," said Marie-Laure Denis, president of the CNIL, France's data-protection regulator, speaking on the same panel as Ms. Dixon. European authorities undertake a huge amount of work that they don't make public, Ms. Denis said, such as requiring companies to change their practices to comply with the GDPR.

CNIL fined Alphabet Inc.'s Google EUR50 million ($55 million) in January, saying the search-engine company didn't go far enough getting valid user consent to gather data for targeted advertising. The French regulator will soon publicize more decisions about corporate probes, Ms. Denis said.

Write to Catherine Stupp at Catherine.Stupp@wsj.com

(END) Dow Jones Newswires

November 20, 2019 14:46 ET (19:46 GMT)

Copyright (c) 2019 Dow Jones & Company, Inc.