The Irish Data Protection Commissioner (the “DPC”) has stated his intention to carry out scheduled audits of major social media companies that have operations in Ireland. Commissioner Billy Hawkes said that many such companies had their European headquarters in Ireland and therefore they fell under his jurisdiction as Irish Data Protection Commissioner. He added that Ireland had a significant responsibility to the rest of Europe in this regard.
Under the Data Protection Acts 1998 and 2003, the DPC has powers to carry out data protection audits and inspections to ensure compliance with the law and to identify possible breaches. Each year the Commissioner decides the office’s target sectors for audit for that year. Scheduled audits are intended to provide some forewarning to the operators in the sector and to give them an opportunity to address any perceived issues and perhaps to commence engagement with the DPC’s office.
The DPC plans to conduct a scheduled audit of a leading international social media company this year and we understand the DPC is in discussions with the company in relation to when that will commence and the scope of that audit. Whilst the DPC’s staff numbers and budget have increased in anticipation of more audits, we would nonetheless anticipate that the audits will be undertaken one at a time rather than in parallel with each other.
The DPC’s comments come in the wake of the widely-publicised Facebook audit undertaken by his office. Facebook has clearly benefited from the DPC audit because it has given it a “clean bill of health” from a data protection perspective. The DPC’s audit of Facebook also demonstrated that their business model is sustainable from a data protection perspective, thus underlining the importance of data protection compliance as a driver of shareholder value.