Anyone expecting the first landmark GDPR ruling to emerge soon from the Irish Data Protection Commission could be in for a long wait, after the regulator revealed it is not expecting to make any decisions until this summer at the earliest.
Commissioner Helen Dixon said five or six of the regulator’s investigations into alleged data breaches by big tech companies were “well advanced”, but that she expected to circulate draft decisions on potential sanctionable infringements to her fellow EU data regulators during the summer.
“We are still a number of months away because each phase has a number of steps in it and the right to be heard by the parties is an important part of the fair procedures, but they are progressing,” she said.
Speaking on the publication of the Commission’s 2018 annual report - covering the first months of GDPR enforcement - Dixon said that “taking a scalp” to serve as a deterrent was not an approach she was pursuing, but instead she was ensuring fair procedures were followed.
“There is external pressure to see results. We are not in any way deaf to that but, equally, we are not going to be willing to short-cut what we need to do,” she told The Irish Times.
The Irish DPC has a total of ten inquiries under way into Facebook and its WhatsApp and Instagram subsidiaries, three inquiries into Twitter, two on Apple and one for LinkedIn.
The report states: "In 2018, the DPC opened inquiries into data-processing activities of Facebook, Apple, Twitter, LinkedIn, WhatsApp and Instagram, looking at issues ranging from large-scale data breaches to legal bases for processing to transparent presentation to users.
"All these inquiries should reach the decision and adjudication stage later this year, and it’s our intention that the analysis and conclusions in the context of those inquiries will provide precedents for better implementation of the principles of the GDPR across key aspects of internet and ad tech services."
The only significant fine under GDPR to date has been the €50 million (£44 million) penalty dished out to Google by the French data protection regulator CNIL for failing to provide transparent and easily accessible information on its consent policies. Google has launched an appeal against the fine.