The Data Protection Commissioner has told a US Senate Committee that her office has reason to believe that US technology firms may have breached the European Union's new data protection rules.
Speaking in Washington DC, Helen Dixon said in the 11 months since the General Data Protection Regulation came into force, the Data Protection Commission has opened 12 significant investigations into potential infringements by large US tech companies.
"So we have reason to believe then clearly that there are potential infringements of the GDPR arising," she told the US Senate Committee on Commerce, Science and Transportation.
Ms Dixon said the DPC is significantly advanced in a number of those investigations and intends to have a decision on the first of them soon.
So far, she said, no fines had been issued under GDPR because the probes, which are complex, are still continuing.
She said that overall her office has 51 significant investigations under way currently, with a subset of those related to US tech companies.
The commissioner said she did not think it was the case that GDPR poses a more difficult or easier compliance approach for US companies over European ones.
GDPR endorses a risk-based approach, she said, and so for platforms that have billions of users in some cases, the risks are potentially higher when it comes to data breaches and non-compliance with the principles.
Ms Dixon, who is in the US capital to deliver a keynote address at a global privacy summit this week, was invited along with representatives of a number of data protection organisations to address the committee.
It is holding a hearing entitled "Consumer Perspectives: Policy Principles for a Federal Data Privacy Framework" and Ms Dixon was asked to make a contribution in relation to the General Data Protection Regulation.
In her opening address she told Senators that her office had received 5,839 complaints from individuals since GDPR came into force 11 months ago.
There was no evidence to hand of small businesses closing down as a result of the extra burden imposed on them by GDPR, she also told the committee.
She said the Data Protection Commission currently has 20 litigation cases before the courts in Ireland.
The commissioner said industry codes of conduct are a new feature of EU data protection law that she thinks will "pay dividends" when they get off the ground.
She said it would be up to industry groupings to bring forward proposals about how they'd work and that one proposal was that there should be independent monitoring bodies paid for by each industry.
Ms Dixon said she thinks EU service users' trust would be undermined if full effect is not given to the harmonised data protection rules in the EU.
She added that one of the European Data Protection Board's roles is to help drive that harmonisation.
Committee told of gravestones and potential dates
In a written submission to the committee, Ms Dixon outlined details of a number of data protection breaches this year, including one by a gravestone company here.
It contacted an individual who had suffered a family bereavement, advertising cheap headstones.
The company had taken data from an online death notice website, Ms Dixon said, and recreated the full address from multiple other sources.
She said the actions of the company were not only distasteful but in breach of the requirements to limit the purpose of data use under GDPR.
Ms Dixon also outlined another case where a man had managed to verify his ex-partner's identity with her mobile phone company by masquerading as the individual herself.
The Commissioner said the man contacted the telecom company by web chat and provided his former partner's name and phone number.
Pretending to be the woman, the man then told the company that he had lost his phone, had purchased a new SIM card and asked that the phone number be ported over to the new SIM that he had bought.
Despite being unable to answer some of the verification questions, the agent accepted that the man was his ex-partner.
The agent then ported across the complainant's number to the new SIM card, enabling the man to access his former partner's future calls and texts.
Ms Dixon said in this case the telecom company had failed to adhere to its own standards for verification of identity, "with very unfortunate consequences".
In another case, a customer service agent at a multinational who was dealing with a customer complaint by web chat took note of the consumer's personal details.
These included their mobile phone number.
The agent later contacted the user and asked her on a date.
However, Ms Dixon noted that it did not turn out to be a happily ever after story, as the agent was removed from his job.