Is Ireland the tech giants’ darling, or is it doing its part to protect data?

The small European nation faces criticism for its alleged failure to regulate Silicon Valley companies, but is Ireland really compromised by its economy’s reliance on low taxes and tech firms, or is it fulfilling its GDPR duties?

Europe’s General Data Protection Regulation (GDPR) came into effect last May and states the country that is home to a company’s data controller is the lead regulator. For many companies, like Facebook, Google, and Microsoft, that country is Ireland, which has long attracted Silicon Valley giants thanks to its low corporate taxes.

The watchdog

Ireland’s Data Protection Commission (DPC) is in charge of regulating tech companies, but it has been accused of failing to issue rulings on some key user information issues, from Facebook sharing data with Whatsapp, to Google sharing data across its suite of companies.

A woman walks past the Google offices near the city centre in Dublin © Cathal McNaughton / Reuters

Alexander Hanff, co-founder of Think Privacy, told RT that “some of the most dangerous threats to democracy, self identity and self determination” are posed by the tech companies that fall under the DPC’s remit, but that the office isn’t rising to the challenge.

“As advocates, myself and others have been crying out for the Irish Commissioner to take action against these companies for over a decade – but our pleas have fallen on deaf ears,” he said, adding that in 2015 he asked the DPC if it would “take action” against corporations illegally storing and accessing tracking technologies on users’ devices for profiling and was told “they would not.”  

Hanff also accused the commissioner of shifting cases to the courts when the key issues are already clearly defined, in what he sees as a way to shirk the office’s enforcement responsibilities: “The Commissioner has actually weakened the fundamental rights of EU citizens by refusing to enforce the law.”

The DPC currently has up to 16 investigations underway, including cases looking into Twitter, WhatsApp, Instagram, LinkedIn and Apple, and at least eight probes involving Facebook alone. These are expected to conclude in the summer.

“I would rather they take the time to get it right rather than rush out a decision,” Trinity College law professor Eoin O’Dell told RT of the investigations.

He pointed to France fining Google €50 million for failing to get consent and be transparent with its users, saying: “Instead of conducting a whole range of investigations it put a lot of it eggs in that one basket, and Google are appealing and they have some strong grounds of appeal.”

Under GDPR, the DPC can fine companies €20 million, or four percent of its total annual turnover. O’Dell said he “wouldn’t be surprised if [the DPC will] impose equally significant fines, but it very much depends on how serious any breaches are.”

However, Hanff thinks GDPR penalties “are completely useless” in the context of such high earnings, and that breaches should be considered criminal acts.

The DPC is funded by the Justice Ministry, which critics suggest could leave it exposed to government interference. O’Dell, though, thinks the connection between the Justice Ministry and the DPC is “massively overstated,” and the watchdog’s office is independent and could not so simply fall prey to political inference.  

Antoin O’Lachtnain of Digital Rights Ireland told RT the DPC has “a great opportunity to bring in the best global expertise at the highest level in order to build trust and confidence in Ireland’s role,” as up to three commissioners can be appointed, and currently there is just one.

Facebook friends?

Ireland’s relationship with Facebook in particular has come into question from data protection activists. Headquartered in Dublin, Facebook said in January that it would have 5,000 employees in Ireland by the end of the year.

More recently, CEO Mark Zuckerberg played down the tax implications in its decision to base in Ireland when questioned by Irish state broadcaster RTE in April.

Facebook's European Headquarters in Dublin, Ireland © William Murphy / Flickr

“It has taken Facebook on before, I don’t see any reason why it wouldn’t again,” O’Dell said, referring to a large 2012 audit by the DPC that forced Facebook to make “significant changes to their privacy practices.”

Facebook’s Chief Operating Officer Sheryl Sandberg lobbied then-Prime Minister Enda Kenny when the new DPC chief was being selected in 2014, warning him companies could “revisit their investment strategies for the EU market,” and voicing her opinion that the person should be one who would “establish a strong collaborative working relationship with companies like ours.”

In March it was revealed that Kenny lobbied Europe on Facebook’s behalf over GDPR. A 2013 memo revealed in a US court case against Facebook described him as one of the “friends of Facebook.”

However, despite the history of a close relationship, minutes from two 2018 meetings between Ireland’s then-Minister for Communications Denis Naughten and a Facebook representative suggest the warmth may be cooling, given the heated dressing-down delivered by Naughten in the wake of the Cambridge Analytica scandal and a Dispatches documentary revealing the company’s community standards practices.

On Thursday, the DPC announced it had begun a statutory inquiry after Facebook notified it that it had kept millions of Facebook and Instagram passwords stored in plain text on its servers. The DPC said it will determine “whether Facebook has complied with its obligations under relevant provisions of the GDPR.”

RT has contacted the DPC for comment.

Subscribe to RT newsletter to get stories the mainstream media won’t tell you.