Yesterday Ireland’s Data Protection Commission (DPC) confirmed that it had visited Facebook’s premises in Ireland over concerns about the data protection aspects of Facebook’s planned new dating service. This is the most high profile ‘dawn raid’ under GDPR to date and has led to the postponement of Facebook’s planned launch tomorrow.
What is this about?
According to the DPC, Facebook told it on 3 February 2020 that it planned to launch a dating service on 14 February 2020. Under GDPR, in some circumstances, data protection authorities (DPAs) have the right to be consulted before processing takes place. They can ask to see a Data Protection Impact Assessment (DPIA). The DPC said that their initial concerns were “further compounded by the fact that no information/documentation was provided to us on 3 February in relation to the Data Protection Impact Assessment or the decision-making processes that were undertaken by Facebook”. As a result the DPC went to Facebook’s offices on 10 February 2020 and gathered documentation for their investigation.
Do DPAs have dawn raid powers?
Essentially yes.
They’re not called dawn raids under GDPR but GDPR doesn’t just give DPAs the power to fine. GDPR Article 58 gives DPAs a host of other powers including:
- to order the controller, processor or Data Protection Representative to provide any information it requires for the performance of its tasks;
- to carry out data protection audits;
- to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
- to obtain access to any premises of the controller and the processor, including to any data processing equipment and means (this can include equipment like servers);
- to order the controller or processor to bring processing operations into compliance with the provisions of GDPR;
- to impose a temporary or permanent ban on processing.
What is a DPIA?
DPIAs are one of the key elements of GDPR. They help organisations assess risk and deal with it in a proportionate way. The DPIA process is not new – the UK DPA issued their first guidance on Privacy Impact Assessments in 2007, but DPIAs received statutory footing under GDPR and are mandatory in some cases.
In this short film Cordery’s Jonathan Armstrong looks at the investigation by the data protection authorities in Ireland into Facebook and the Data Protection Impact Assessment (DPIA) for their dating service. Jonathan then shares some tips on the DPIA process – why is it worth doing and how do you do it?