The collection of potentially sensitive location data by Twitter and Facebook, and practices by LinkedIn, all came under scrutiny by the Data Protection Commissioner last year.
The commissioner also engaged with Google on the introduction of a parent-controlled account environment for use by children, according to the commissioner's annual report published on Tuesday.
Helen Dixon said supervision of multinational companies with operations in Ireland continued to be a key priority for her office during 2017.
It engaged with Facebook throughout the year on issues including an update to its Messenger app, called Live Location, which allows individuals to choose to share their location with others in a conversation for a period of time.
The office noted the sensitivity of location data, which could reveal intimate details about an individual.
It said its engagements with Facebook had confirmed that location data sharing was “at the control and choice of the user”, and that the location data was not retained by Facebook.
But on foot of the engagement it provided Facebook with observations and recommendations regarding the continuous collection of location data by the Messenger app.
It also decided to look more closely at the collection and use of location data by Twitter, during a review of a proposed update to its privacy policy.
It noted that while the company obtained opt-in consent for the collection and use of location data from terminal equipment used to access the service, that location data may also be collected from home router equipment even where consent was not given.
Accountability
Her office recommended to Twitter “that they revisit the legal basis for processing of location data from account-holder or third-party router equipment in order to fully consider and be able to demonstrate their accountability, necessity and balance of processing with data subject rights and freedoms”.
The office is also monitoring a salary reporting feature rolled out by LinkedIn, and expressed concerns about a feature where information made “publicly available” on some websites was being collected by the company.
The office said its concerns centred on the transparency and the controls available to LinkedIn members, and possibly non-members, whose personal data the company was collecting.
“It became clear when we explored this feature with LinkedIn that it was consent based, and that members could choose to prevent the processing enabling this feature from taking place,” the report said.
It had made clear to LinkedIn in its observations that the feature should be carefully managed, particularly in terms of transparency, controls and risk mitigation regarding the processing of non-members’ data.
The commissioner said her office had devoted “very significant resources” in 2017 to driving awareness of the EU General Data Protection Regulation (GDPR) so that organisations were “motivated and energised” to make the necessary changes to their businesses.
The office also said it hoped to finalise early this year its investigation into a Yahoo data breach involving about 500 million people in 2016.