Data Protection Commission Raids Facebook Ahead of Valentine's Day
February 2020
Article 35 of the General Data Protection Regulation (“GDPR”) prescribes that a Data Protection Impact Assessment (“DPIA”) shall be conducted by a controller where a type of data processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. The GDPR also sets out a number of specific instances in which controllers must conduct a DPIA. If required, a DPIA must be completed prior to the commencement of the relevant data processing.
Although Facebook informed the Data Protection Commission (DPC) of its plans to roll out a new dating platform coinciding with Valentine’s Day, the DPC conducted an inspection at Facebook’s offices on the 10th of February seeking further information. The DPC has stated that its concerns arose because Facebook did not provide a DPIA, nor did it provide the DPC with an overview of its decision-making processes with respect to the new dating feature in a timely fashion.
As a result, Facebook Ireland has had to postpone the rollout of the dating feature in Europe. This case highlights the significance of carrying out a DPIA for any new high-risk projects under Article 35.
The purpose of the DPIA is to allow the data controller to make informed decisions about the acceptability of data protection risks and to communicate effectively with the data subjects affected. Interestingly, the DPC’s website notes the following:
“If the DPIA suggests that any identified risks cannot be managed and the residual risk remains high, you must consult with the Data Protection Commissioner before moving forward with the project.”
If you need assistance or would like to learn more about Data Protection, register for DP training or contact our consultants.
By Judy de Castro - Regulatory Consultant