Big Tech is waiting for the other shoe to drop. Helen Dixon holds the shoe.
Some 16 months after the European Union introduced the world’s toughest online privacy laws, the most obvious targets of those rules—American technology giants such as Facebook and Google—have yet to be seriously censured. What happens next is largely in the hands of Dixon, Ireland’s data protection commissioner, who is responsible for enforcing the strict General Data Protection Regulation (GDPR) in that country.
Almost by accident, Ireland has become a primary privacy battlefield. Because it offers relatively low corporate taxation—with a headline rate of 12.5% versus an EU average of 22.5%—multinationals have long placed their international headquarters in the country. So it is that Google, Apple, Facebook, Twitter, and Microsoft are all established on Dixon’s turf, where her commission is both investigator and adjudicator of alleged GDPR violations—and one with a strong pro-consumer bent.
When GDPR took effect in May 2018, giving people more control over who gets their data and how it is used, it took mere hours for complaints to flood in from privacy activists—and many ended up in Dixon’s inbox, owing to the accused companies’ locations in Ireland. “It’s hard to take holidays in this kind of job,” she says. By the end of 2019, she estimates, some 10,000 complaints will have reached her office.
If the U.S. firms lose in major cases, Dixon could order them to pay fines as high as 4% of global annual revenue; a negative ruling could also expose them to even more expensive civil suits. Most important, they may face new limits on how they acquire, share, and use personal data—the lifeblood of today’s ad-driven tech economy. (Google did not respond to a request for comment about Dixon’s cases; Facebook and Twitter declined to comment.)
Dixon is an unlikely bad cop: an economist by training who worked as a technical support manager for tech multinationals such as Citrix before moving to the public sector. But her 2014 appointment as data protection commissioner (DPC)—the Irish government gave her a second five-year term this year—came at a critical moment in the online privacy debate.
The previous year, Edward Snowden’s revelations about online surveillance by intelligence agencies had prompted Max Schrems, an Austrian law student, to complain to the DPC that his Facebook data was being exposed to American spies. Dixon’s predecessor refused to investigate because Facebook was registered under a data-sharing deal between the U.S. and the EU. But the EU’s highest court ruled in 2015 that such deals couldn’t prevent regulators from investigating what it called breaches of fundamental rights. The court also scrapped the transatlantic deal, throwing the tech industry into a panic. And in 2016, GDPR was finalized—giving Dixon’s office a tough new law to enforce.
Privacy advocates anticipate that Dixon’s ruling will come down in their favor: The question is when. Although her investigators recently wrapped up reports on two cases involving Facebook’s WhatsApp platform and Twitter, Dixon says no final decisions are likely this year. She insists this is not because of any political pressure connected with multinationals’ Irish investments—there has been “absolutely none” of that, she says—but because the cases need to be appeal-proofed. Given the likelihood that tech companies would litigate any adverse ruling, Dixon says, “we cannot take any shortcuts.”
Privacy advocates aren’t pleased with the pace. Schrems, now a full-time activist, concedes that it takes longer to write the first major decision in a new legal arena but adds, “If you have a fundamental right, and it takes two years [to enforce], then you have it on paper but not in reality.”
One issue Dixon faces is that of resources. Major complaints against tech giants are vastly outnumbered by requests from people who, for example, can’t get a local company to unlock their personal data—another of the rights offered by GDPR. Dixon’s office has seen an enormous increase in staffing since her appointment, from 27 workers to over 140. But the looming threat of Brexit—an event likely to have a huge impact on data flows between the U.K. and Ireland—will divert much of the watchdog’s time and resources. And Ireland’s budget for next year, which the government published in early October, gave Dixon only a third of the extra funding she had asked for. “There’s still a lot of work to be done to build this organization up to be able to cope with the scope of what’s going on,” says Antoin Ó Lachtnain, a director at privacy activist group Digital Rights Ireland.
Dixon notes that a fast-evolving legal landscape also remains a big challenge. But she says her ultimate aim is “to do something about fairness” for consumers, adding, “We recognize the authority we have and the opportunity we have.” And Ó Lachtnain is blunt about what that will mean for companies under the DPC’s scrutiny. “I think they’re likely to come down quite hard,” he says.
A few of the biggest names under scrutiny from Dixon’s office:
Dixon’s team is investigating Facebook for allegedly forcing people to let their data be used for ad-targeting in return for access to its social networking platform. Facebook has said that it’s cooperating with the DPC.
Google is accused of sharing people’s sensitive information, covering such things as their political views and sexuality, with advertisers through its ad-bidding system. Google says its own rules forbid the targeting of ads based on such information.
Complaints allege that Verizon Media websites such as Yahoo News and HuffPost railroad users into being tracked by online “cookies,” giving them no effective means to say no. A spokesperson says the company gives users “meaningful controls over their data.”
A version of this article appears in the November 2019 issue of Fortune with the headline “Holding a Big Stick Over Big Tech.”
More must-read stories from Fortune:
—The wireless industry needs more airwaves, but it’s going to be costly
—Demand for Apple’s new iPhone 11 is strong
—How to claim a cash settlement of up to $358 for Yahoo’s data breaches
—Now hiring: people who can translate data into stories and actions
—Investors are pouring money into marijuana software. Here’s the latest startup to get funding
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.