(Bloomberg Opinion) -- “Only Facebook Ireland can respond to your concerns.”
That is the response you are likely to get from Facebook Inc. if you accuse the world’s biggest social network of breaching Europe’s tough new laws on data privacy.
The company’s European headquarters are in Ireland; data from its users in the region is officially controlled and processed there; and its lead supervisor is the Irish Data Protection Commission. This isn’t a one-off: Google, Twitter Inc., Microsoft Corp., and Apple Inc. all run their European operations from Ireland, drawn in part because of the country’s low tax rates.
Why does this matter? Despite the pan-European nature of the General Data Protection Regulation (GDPR) and its strict approach to policing citizens’ data rights, the crucial matter of enforcement ultimately rests with each member state’s domestic supervisor – usually the one in the country where a company bases its operations.
Even though it oversees the biggest, most data-hungry tech companies in the world, the Irish regulator has been rather quiet. After receiving almost 3,000 complaints, it has issued no fines since GDPR came into force, despite opening more than a dozen inquiries into firms like Facebook and Twitter. Given the law’s most potent weapon is the power to issue fines of up to 20 million euros ($22 million), or 4% of a firm’s revenue, the legislation faces a clear credibility problem if Dublin won’t enforce it stringently.
The Irish defense is that investigations take time. Its regulator said last year that any fines would come at “the end of a very long path” of inquiry. However, it may well be that an economic model set up to be a welcome-mat for Big Tech is incompatible with a data-privacy framework set up to curb its power.
Recent reports by Politico and the Observer newspaper have painted a dismal picture of Ireland’s conflicted ties with tech firms, from a regulator that openly embraces negotiation and questionnaires rather than on-site visits and sanctions, to a political class that has been relentlessly lobbied to water down oversight rules. (They deny the accusation that they’re a soft touch.) It’s reminiscent of financial regulation in the City of London before the crisis of 2008.
This should worry a lot of people, including Facebook co-founder Chris Hughes, who is calling for the U.S. to introduce its own GDPR. European regulators and politicians are understandably nervous given Ireland’s past embrace of using tax incentives as a way to attract investment — a strategy derided by Joseph Stiglitz as “stealing revenue from all the other countries of Europe.” They fear history will repeat itself when it comes to data supervision.
In January, the head of France’s data-privacy watchdog, CNIL, warned of the risk of “competitive distortions” affecting how tech companies choose their European hubs. As the CNIL prepared to issue a 50 million-euro fine against Google earlier this year for alleged GDPR violations, the search giant — which is appealing the decision — accused it of overreaching by not going through Ireland.
The “tech-shaming” of Ireland is going to get creative. Privacy advocates are testing ways to bypass Dublin when going after Big Tech. One example comes from the French chapter of advocacy group Internet Society, which is building up a class-action data-privacy lawsuit against Facebook over alleged GDPR breaches (which the company denies). Its head, Nicolas Chagny, tells me that this specific type of action would be filed in a Paris court, which wouldn’t have to surrender competence to Ireland’s data regulator. Laurens Mommers, a tech compliance expert at startup PrivacyPerfect, says this kind of initiative, if successful, would help toughen up the GDPR.
All this finger-pointing is for a good cause. Some will worry about the risk of “forum-shopping,” as plaintiffs and tech firms cherry-pick jurisdictions. But the longer it goes on, the more likely the EU will take action to improve enforcement. With public opinion in Ireland warming to the idea of exercising data-privacy rights, even Dublin should see that as a win.
To contact the editor responsible for this story: Edward Evans at eevans3@bloomberg.net
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
Lionel Laurent is a Bloomberg Opinion columnist covering Brussels. He previously worked at Reuters and Forbes.
©2019 Bloomberg L.P.