By Sam Schechner
This article is being republished as part of our daily reproduction of WSJ.com articles that also appeared in the U.S. print edition of The Wall Street Journal (October 8, 2019).
A top European Union privacy regulator is moving closer to making draft decisions involving Facebook Inc.'s WhatsApp and Twitter Inc. under the bloc's new privacy law.
Ireland's Data Protection Commission said on Monday that its investigative unit has, in recent days, completed its investigations in two of the first cases involving big tech companies. The results are now on the desk of Helen Dixon, the body's commissioner, for her draft decisions and possible fine recommendations, which could come by the end of the year.
The WhatsApp case looks at whether the Facebook-owned chat app gives sufficient information to users and nonusers about how it shares data, in particular with other Facebook units. The Twitter case examines whether the company complied with notification obligations for a personal data breach the company disclosed to the regulator in January.
If the companies are found in violation, they could be liable for hefty fines under the EU's new privacy law, known as the GDPR.
Representatives for WhatsApp and Twitter declined to comment. A representative of Facebook also declined to comment.
The Irish regulator said it also hopes to complete the investigations and turn over to Ms. Dixon two or three other cases involving Facebook by the end of the year. That is somewhat later than had been expected, a delay spokesman Graham Doyle explained in part by saying the regulator has been taking time to make sure its decisions can withstand potential legal challenges.
"We have moved the first two inquiries into big tech companies to the decision phase," Mr. Doyle said. "These are the first two of what we hope will be a number of big tech inquiries completed by the end of the year."
The Irish cases have been closely watched. How EU regulators eventually decide the cases under the GDPR, and the size of any fines they might impose, will help determine the role the EU will play in regulating the tech sector world-wide.
Ireland has taken a leading role because its Data Protection Commission is, under EU law, the lead privacy regulator for an array of large U.S. tech firms that have their regional headquarters in the country. But that same law also imposes a power-sharing mechanism the bloc's national privacy regulators -- and that process will increasingly be in the spotlight as large tech cases move through.
Under the GDPR, privacy regulators must consult with other regulators on cross-border decisions, seeking their "relevant and reasoned" objections to any draft decision. Disagreements are settled by votes of a pan-European board of regulators, a process that could add additional months of' delay and lead to significant revisions of Irish decisions.
There is little precedent for what type of fines large tech companies might expect, and even the maximum amounts can differ in part based on the type of violation.
For transparency violations, WhatsApp could be liable for up to 4% of the annual world-wide revenue of its parent company, Facebook, which works out to $2.23 billion for last year. By contrast, for a breach-notification violation, Twitter faces maximum fines of 2% of its annual world-wide revenue, or $61 million, based on 2018 revenue.
Write to Sam Schechner at firstname.lastname@example.org
(END) Dow Jones Newswires
October 08, 2019 02:47 ET (06:47 GMT)Copyright (c) 2019 Dow Jones & Company, Inc.