Play by our rules if you want to do business in the EU, says deputy Irish data commissioner

  • The deputy commissioner of Ireland's Data Protection Commission (DPC) told CNBC the EU's data privacy rulebook called GDPR is "quite fair."
  • The Irish DPC is currently investigating Facebook and Twitter for possible GDPR breaches.
  • The deputy commissioner said he expects the Facebook investigation to close "in the coming months."

Ireland's deputy data commissioner has a clear message for companies that want to do business in the Europe: play by our data privacy rules.

The European Union's sweeping new set of data protection laws, called the General Data Protection Regulation or GDPR, is the "quid pro quo" for companies that want to take advantage of the European market, Dale Sunderland, deputy commissioner of Ireland's Data Protection Commission, told CNBC Tuesday in Brussels.

"What the EU says with GDPR is if you wish to provide services to people within the European Union, here is the rulebook by which you must play, so I think that's quite fair," Sunderland said.

GDPR, which went into effect in May across the EU, aims to give users more control over their personal data and imposes strict fines on companies that can't meet privacy standards.

As many big tech companies have European headquarters in Ireland, the country has become ground zero for some of GDPR's first big cases. The Irish Data Protection Commission is currently investigating Facebook over a security breach in September that exposed the data of 29 million users, including 3 million in Europe.

"Over the coming months we will conclude our investigation into that matter and we will provide a very fair and thorough assessment of the facts," Sunderland said.

Companies that fail to comply with GDPR face fines of up to 4 percent of global annual revenues or 20 million euros, whichever is bigger. For Facebook, this could mean as much as $1.63 billion.

Ireland's Data Protection Commission is also investigating Twitter over claims the company failed to provide a user with requested personal data. The "right to access" is a key pillar of GDPR that allows consumers to see how companies are using and processing their data.

"It's a very important issue for our office that we will thoroughly and fairly assess and investigate," Sunderland said.

GDPR has put Europe at the forefront of tech regulation as companies face increasing scrutiny over their use of personal data. At the International Conference of Data Protection and Privacy Commissioners in Brussels Wednesday, Apple CEO Tim Cook praised Europe's new rules and called for comprehensive federal data privacy regulation in the U.S.

Sunderland said GDPR has emerged as a leading framework for other data protection authorities around the world. He added regulators, companies and governments need to consider emerging technologies, like artificial intelligence, in the conversation about data protection.

"To be an effective regulator we must keep at the cutting edge of our understanding of technology and technological advancements," he said.