GDPR is complicated business; even people like me who try to keep up with all its developments struggle to understand this mammoth set of European regulations and its effects. I believe one of the main reasons for that is we’ve yet to see a proper GDPR case being brought against big tech companies like Facebook and Google — the companies GDPR should protect us from.
This isn’t all too serious just yet, as findings are expected in the next few months. But Politico’s extensive new investigation from last week — ‘How one country blocks the world on data privacy’ — questions the regulator’s independence and its willingness to apply the full force of GDPR, i.e. fines to the tune of 4 percent of guilty companies’ global annual turnover, which could amount to billions of dollars.
Politico’s report (which you should definitely read when you have time for 4,000 words) is quite damning and detailed; here are the key takeaways:
- GDPR’s weakness is that companies are regulated by the data protection agency (DPA) where they’re headquartered (have their ‘data controller’)
- This weakens the collective force of the EU to regulate, leaving it up to smaller countries that could be more easily influenced instead
- For big tech, this is usually Ireland, which has a history of being overly accommodating to corporations (e.g. getting companies to set up shop in Ireland by promising little or no taxation)
- Ireland has already shown it has a laxer approach to Facebook and other big tech companies than Germany and France
- Big tech has had easy access to Irish politicians and government officials. For example, Facebook COO Sheryl Sandberg got involved when the current Irish Data Protection Commissioner was hired
There’s little question of whether or not the Irish government is friendly to big corporations — for example, it neglected to collect $13 billion in taxes from Apple — but does that mean Irish regulators are as well? Politico’s article does make it out that way, but it’s important to note that the Irish Data Protection Commission (DPC) is an independent agency.
One of the experts quoted by Politico — data management consultant Daragh O’Brien — clarified his comments in a blog post, and stated he did not completely agree with the editorial angle of the piece:
Do I think the DPC favours tech companies over others in an effort to support an advantage for Ireland? No. And I was clear with Politico that that was my view. Ireland has lots of other advantages and we are beyond the point where we would profit from being seen as “light touch.” But the optics are challenging.
It’s clear that DPAs have a different approach to how they enforce GDPR — like Politico describes for Germany, France, UK, and Ireland — but the fact the Irish DPC has yet to issue fines doesn’t necessarily mean it’s not fulfilling its regulatory role.
O’Brien said the process has definitely been slow in Ireland, but he chalks it up to Ireland’s legal framework and the Irish DPC accumulating experience, rather than effects of outside lobbying. He also pointed out that even though the Irish DPC is far from perfect, it is separate from the Irish government (its independence is guaranteed in EU Treaty) and that Helen Dixon, the Data Protection Commissioner, does have regulatory enforcement experience, contrary to what the Politico article stated.
O’Brien was also not convinced the flashier approach of other regulators is necessarily better. He said the fact the Irish DPC has appointed staff specifically to manage the 16 investigations it’s launched into Facebook’s data handling indicates a “gloves are coming off” mindset — even though it’s slow.
But what does the Irish DPC say about all of this? The Irish DPC wasn’t able to provide comments to TNW before this article went live, but Graham Doyle, Head of Communications with the Irish DPC, told Politico the agency wasn’t overly deferential to companies under its purview. He also acknowledged that data protection enforcers don’t always agree on which approach is best.
To shed some light on the Irish approach, Doyle told TNW last year the aim was to assist companies to get data handling right from the beginning, which would prevent any personal data from being compromised — rather than to focus solely on punishing offenders. However, Doyle added that the DPC also intended to fulfill its corrective role as investigations were ongoing, and the agency wouldn’t shy away from using the tools at its disposal.
So, is the Irish DPC failing to fulfill its duties as a regulator? Well, the truth is that we’ve yet to see.
It’s always been clear that the regulator has numerous investigations going on into the practices of big tech and that the first results would be announced mid-year 2019. So we’re just going to have to wait.
What I do find positive about this coverage is that it shows data governance is a complicated issue, and one that we all need to keep our eyes on. We can do that with in-depth journalistic investigations like Politico’s, empowering regulators, and informing ourselves about how our data is being used.
All of this illustrates that we’re still coming to terms with what GDPR is, how it should work, and how to mitigate the power of big tech. It’s going to require constant monitoring and adjustment to get it right, and we’ll see when the Irish DPC publishes its findings in the coming months whether that’s on track.