“Only Facebook Ireland can respond to your concerns.” That is the response you are likely to get from Facebook Inc. if you accuse the world’s biggest social network of breaching Europe’s tough new laws on data privacy.
The company’s European headquarters are in Ireland; data from its users in the region is officially controlled and processed there; and its lead supervisor is the Irish Data Protection Commission. This isn’t a one-off: Google, Twitter Inc., Microsoft Corp., and Apple Inc. all run their European operations from Ireland, drawn in part
because of the country’s low tax rates.
Why does this matter? Despite the pan-European nature of the General Data Protection Regulation (GDPR) and its strict approach to policing citizens’ data rights, the crucial matter of enforcement ultimately rests with each member state’s domestic supervisor – usually the one in the country where a company bases its operations.
Even though it oversees the biggest, most data-hungry tech companies in the world, the Irish regulator has been rather quiet. After receiving almost 3,000 complaints, it has issued no fines since GDPR came into force, despite opening more than a dozen inquiries into firms like Facebook and Twitter. Given the law’s most potent weapon is the power to issue fines of up to 20 million euros, or 4% of a firm’s revenue, the legislation faces a clear credibility problem if Dublin won’t enforce it stringently.
The Irish defense is that investigations take time. Its regulator said last year that any fines would come at “the end of a very long path” of inquiry. However, it may well be that an economic model set up to be a welcome-mat for Big Tech is incompatible with a data-privacy framework set up to curb its power.
Recent reports by Politico and the Observer newspaper have painted a dismal picture of Ireland’s conflicted ties with tech firms, from a regulator that openly embraces negotiation and questionnaires rather than on-site visits and sanctions, to a political class that has been relentlessly lobbied to water down oversight rules.
This should worry a lot of people, including Facebook co-founder Chris Hughes, who is calling for the US to introduce its own GDPR. European regulators and politicians are understandably nervous given Ireland’s past embrace of using tax incentives as a way to attract investment — a strategy derided by Joseph Stiglitz as “stealing revenue from all the other countries of Europe.” They fear history will repeat itself when it comes to data supervision.
The “tech-shaming” of Ireland is going to get creative. Privacy advocates are testing ways to bypass Dublin when going after Big Tech. One example comes from the French chapter of advocacy group Internet Society, which is building up a class-action data-privacy lawsuit against Facebook over alleged GDPR breaches.
All this finger-pointing is for a good cause. Some will worry about the risk of “forum-shopping,” as plaintiffs and tech firms cherry-pick jurisdictions. But the longer it goes on, the more likely the EU will take action to improve enforcement. With public opinion in Ireland warming to the idea of exercising data-privacy rights, even Dublin should see that as a win.
Lionel Laurent is a Bloomberg Opinion columnist covering Brussels. He previously worked at Reuters and Forbes