ast May, Europe imposed new data privacy guidelines that carry the hopes of hundreds of millions of people around the world — including in the United States — to rein in abuses by big tech companies.
Almost a year later, its apparent that the new rules have a significant loophole: The designated lead regulator — the tiny nation of Ireland — has yet to bring an enforcement action against a big tech firm.
Thats not entirely surprising. Despite its vows to beef up its threadbare regulatory apparatus, Ireland has a long history of catering to the very companies it is supposed to oversee, having wooed top Silicon Valley firms to the Emerald Isle with promises of low taxes, open access to top officials, and help securing funds to build glittering new headquarters.
Now, data privacy experts and regulators in other countries are questioning Irelands commitment to policing imminent privacy concerns like Facebooks reintroduction of facial recognition software and data-sharing with its recently purchased subsidiary WhatsApp, and Googles sharing of information across its burgeoning number of platforms.
Interviews with scores of privacy experts, data watchdogs, academics and regulators in other countries over the past 10 months reveal increasing concern that the landmark General Data Protection Regulation, the product of years of wrangling with data companies, is vulnerable because of the one provision on which the tech companies prevailed: That the lead regulator be in the country in which the tech firms have their “data controller” – in most cases, Ireland.
“We need to be careful and ensure that the margin for maneuver given by the GDPR doesnt lead to an attractiveness competition between EU countries, as is already the case for taxation,” Marie-Laure Denis, Frances new chief privacy regulator, warned the French parliament in January, in a clear reference to Ireland. “I dont want to see a race [between EU countries] to attract or keep the headquarters of the big tech actors.”
Irelands willingness to crack down on the companies that dominate its economy has long been questionable, even when its regulatory officials spot a potential violation. Such a situation developed with Facebook in 2011, in events detailed here for the first time.
Years before the social media giant unwittingly released the personal data of 87 million users that made its way to Cambridge Analytica and the 2016 Trump campaign, Irelands data privacy regulator found that it was failing to screen applications in a way that could have prevented the breach.
The then-head of Irelands Data Protection Commission recorded his complaint in a 2011 audit report that zeroed in on how Facebook was allowing outside app developers to gain access to oceans of “friend” data. Facebook pushed back on the finding, according to the agency, and the Irish regulator backed off, issuing an almost perfect score for Facebooks privacy practices in a follow-up report a year later. The rampant exposure of data wasnt corrected until years later — too late to prevent the Cambridge Analytica breach.
Irelands failure to safeguard huge stores of personal information looms larger now that the country is the primary regulator responsible for protecting the health information, email addresses, financial records, relationship statuses, search histories and friend lists of hundreds of millions of Americans, Europeans and other users around the globe.
Already, regulators in other countries are expressing concern over Irelands failure this year to crack down on Facebooks sharing of data with the messaging tool WhatsApp, which it purchased in 2014.
According to the EU, Facebook misled European officials into believing the two networks would not exchange information, thereby allaying concerns at the time of the merger that WhatsApp users could be drawn into Facebooks web. In 2016, a German court found that the two networks were indeed sharing data, and barred Facebook and WhatsApp from exchanging information about German users. The ban became unenforceable when the GDPR took effect and Ireland became the lead supervisory authority. Now, German authorities say the sharing has resumed and Ireland must crack down. For their part, Irish officials said in a statement theyre satisfied that Facebook and WhatsApp arent sharing information for the purposes of “friend suggestion or enhanced advertising.”
Meanwhile, Facebook took advantage of Irelands assumption of the lead regulator role last May to reintroduce its facial recognition tool, which had been banned in the EU out of fear that photos would be used to track people without their permission. Facebook says it will not utilize the photo data until it receives consent from individuals. But other EU regulators and privacy lawyers contend that merely storing the photographs amounts to an unauthorized collection of data under GDPR rules. Although Irish authorities have suggested they share many of the lawyers concerns and have begun a preliminary “examination,” they have yet to launch a formal probe.
Google, meanwhile, aroused the ire of regulators in other countries last year by failing to obtain consent before sharing data among its fast-growing line of networks and products — from YouTube to Google Photos to Gmail and more. Irish regulators declined to open a probe against Google, which had consolidated most of its operations for Europe, Middle East and Africa in Ireland, arguing that the company had not yet finished the paperwork that would give Irish regulators “lead supervisory authority.” The paperwork was finished in January, but Ireland has yet to announce an investigation.
Critics, including German authorities, insist that the Irish Data Protection Commission had the authority to launch a probe without Googles consent, and should have done so. Meanwhile, France stepped in to issue its first-ever fine under GDPR against the company for €50 million.
The head of the Irish Data Protection Commission, Helen Dixon, declined requests for interviews. Her spokesman, Graham Doyle, wrote in an emailed response to POLITICOs questions that the commission takes its regulatory responsibilities seriously and has 16 investigations underway, probing complaints against companies including Twitter, WhatsApp, Instagram, LinkedIn and Apple, along with seven probes involving Facebook.
The Irish Data Protection Commission is “one of the most strongly resourced data protection authorities in Europe” and stands ready to impose “fines and firm remedies when appropriate,” he wrote.
Doyle said the commission, which earlier this decade was so obscure it was headquartered in a small office above a convenience store in the tiny village of Portarlington, is recruiting state-of-the-art industry experts to join its staff of approximately 140 people currently working out of temporary offices in Dublin, with a goal of eventually employing 180 people.
He noted the agencys tough new enforcement powers include fines of up to 4 percent of a companys annual worldwide revenues and cited the agencys willingness to enforce privacy rules by pointing to a pre-GDPR case in which Irish regulators ordered LinkedIn to delete data on nonmembers.
He rejected any suggestion that the agency is being overly to deferential companies under its purview, but added: “Those with an interest in data protection dont always agree on every point, and we respect that.”
Nonetheless, regulators in other EU countries, particularly Germany, remain skeptical, maintaining that Ireland is letting major complaints slide and creating the risk of a regulatory safe zone in Europe. So, too, are independent experts who are familiar with the actions of the Irish Data Protection Commission.
“Its the appearance of an investigation rather than the substance of one,” said the independent Dublin-based data management consultant Daragh OBrien, referring to the Irelands data enforcement culture, which he scrutinizes closely.
Max Schrems, an Austrian privacy advocate behind some of the most successful legal challenges against major technology companies, said he believes Irelands approach to regulation is more or less unchanged since 2012.
“Theyve basically gotten smarter about not doing things,” said Schrems, whose initial complaint about transatlantic sharing of data was thrown out by the Irish regulator in 2013, only to succeed in European courts, bringing down the transatlantic data-flow agreement known as Safe Harbor.
Ireland continues to take a more corporate-friendly approach to regulation than many of its EU counterparts, openly favoring negotiation over sanctions, and lists of questions over on-site inspections.
For example, as of last October, the Data Protection Commission had yet to dispatch any regulatory agents to Facebooks Dublin headquarters, despite its multiple investigations, according to a person close to the matter who spoke under the condition of anonymity. Rather than seek answers more aggressively, the regulator has been satisfied by “updates” from Facebooks headquarters that often reveal little more than whats been said in public statements. Both Facebook and the DPC declined to say whether any on-site visits have taken place since 2011.
Around the same time, France posted its own regulatory officers inside Facebooks offices to monitor the networks efforts to police hate speech and terrorist content, a core concern in many countries where terrorists have connected via social media and hate speech has encouraged racist or sectarian violence. But France has no authority to enforce standards beyond its borders.
Privacy watchdogs also voice concerns about the 2014 appointment of Helen Dixon, an Irish civil servant with no prior experience in regulatory enforcement, to replace Billy Hawkes, the regulator who initially presided over the finding of Facebooks over-sharing of data with researchers and developers of third-party apps.
If Ireland were serious about cracking down on privacy violations, some legal professionals said, it would have followed the lead of the United Kingdom and appointed an outside specialist with a history in law enforcement or regulatory investigation. Moreover, they said, Dixons budget is overseen by the Irish justice ministry, while other data regulators, like the U.K.s, are financed through fees on the companies they oversee. That could make her, or any future chief regulator, more susceptible to interference by government officials, who have long cultivated close relationships with tech executives.
In 2014, Facebooks chief operating officer, Sheryl Sandberg, personally lobbied Enda Kenny, then Irelands prime minister, over the selection of a data protection chief, according to emails revealed by the Irish Independent.
Now, just as some of its investigations should be wrapping up — with Dixon telling Bloomberg News in January that her office would announce decisions by midyear — the Data Protection Commission is launching an “international consultation on regulation strategy” that some critics fear will be an invitation for corporations to critique its practices.
Doyle said the agency will reach out to a broad range of as-yet unnamed parties to weigh in on how Ireland should apply regulation. Doyle declined to say whether those consultants would come from the tech industry, only specifying that the panel would be “international.”
The call for advice is symptomatic of what Dixons critics among privacy advocates, lawyers and other EU data protection authorities argue is a preference for resolving issues amicably over public enforcement actions, which Dixon, in speeches, has suggested might expose the regulator to extremely costly legal battles. Its a reasonable fear in a place where the tech companies resources far outstrip the governments. Googles market capitalization, by itself, is twice the size of Irelands gross domestic product. Facebooks is larger by about a third.
“Regulation is a particularly fraught area for a country like Ireland because they have less leverage [over companies] than a bigger country,” said Josephine Wolff, a professor of public policy at the Rochester Institute of Technology. “If Facebook announced tomorrow: Weve had it with Ireland, we are closing down our office, that would be a huge deal with political and economic consequences for the whole country.”
BRINGING SILICON VALLEY TO EUROPE
The story of how a country known for poetry and dark ale ended up in the unlikely role of global tech policeman stretches back to the aftermath of World War II.
As a neutral power, Ireland had emerged physically undamaged from the war but with a sputtering economy and bleak prospects. It had limited access to U.S. reconstruction funds from the European Recovery Program, or Marshall Plan, due to its neutral position, and no industrial base to speak of, thanks largely to Britains long-held interest in keeping Roman Catholic southern Ireland in a firmly agrarian state. (Ireland won independence from Britain in 1919.) There was little chance of jumpstarting domestic manufacturing 250 years after the rest of Europe, so Irish leaders turned to the next best thing: nurturing ties with countries that had flourishing industries of their own.
Spurred on by an economist and central banker named Thomas Kenneth Whitaker, Irelands leaders oversaw an economic transformation starting in the late 1950s — away from protectionism, toward free trade and encouraging foreign investment. The most obvious partner was the United States, to which generations of Irish people had emigrated and whose Irish-origin population already far surpassed the population at home.
So began Irelands epic and enduring courtship of U.S. corporations. Via the Irish Development Agency, a powerful entity that acts as a sales office for the country, the Emerald Isle established missions across the United States, dispatching dozens of agents to start preaching the good word about Ireland to U.S. companies from New York to San Francisco.
One of these investment missionaries was Larry Mone, a former accountant who joined the IDA in the late 1970s because he was, in his own words, “really bad at” accounting.
After a brief stint in Chicago, Mone was sent out to join the IDAs office in what was already known as Silicon Valley. In an office that overlooked a golf course, Mone and his colleagues spent their days trying to coax emerging digital giants — Microsoft chief among them — over to Ireland. Working from an alphabetical list of the important companies in the region, they spent their days cold-calling executives in an atmosphere he describes as “boiler room-like.”
Many positive voices for Ireland over the last few days including Sheryl Sandberg who I met on Thursday morning. pic.twitter.com/C6V1tUdgQs
— Enda Kenny (@EndaKennyTD) January 21, 2017
“We had an almost messianic zeal to bring jobs to Ireland,” Mone, whos now retired and lives in Palo Alto, said in a telephone conversation.
Mones section of the list covered companies with names from the letter G to the letter O and included giants like Microsoft and Intel, which would both go on to establish major footholds in Ireland. Apple set up its first manufacturing plant in Cork in 1980, setting off a wave of tech companies coming to the country.
The pitch, as Mone recalled, was “very simple.” Any product exported from Ireland would be totally exempt from taxation. That was later updated, under EU pressure, to a 10-percent flat rate that could be offset in other ways. When added to the promise of cheap labor, cheap land and an English-speaking workforce, this amounted to an almost unbeatable argument for locating sales operations in Ireland, because it would allow U.S. firms to reach hundreds of millions of European consumers without facing the heavy corporate taxes in France, Germany or even the Netherlands.
The IDAs approach had other refinements, like inviting top tech executives over to Ireland for country tours during which they would be entertained, fed whiskey and “sent home punch-drunk, in love with the country,” according to Mone. It didnt hurt that Ireland shares a common-law legal system with the United States.
But the basic argument — which remains Irelands unique selling point today, despite intensifying scrutiny of its tax practices by the European Commission — never varied: not having to hand over a significant portion of income to the Irish taxman.
“At the end of the day, these are profit-driven companies, and they go where the offer is the most profitable,” Mone said.
Data regulation wasnt an issue at the time when most of the companies were recruited, but Ireland did everything in its power to create an industry-friendly landscape.
“Back in those days there really was not much thought given to regulation of the technology industry, more what could be done to foster its development and bring it on shore,” he said.
The pitch was so seductive that, over the next 30 years, Ireland morphed into what Mone calls “the 51st state of the United States.”
Google and Facebook both landed in Ireland during the first decade of the new century. While the highly advantageous tax arrangements they enjoyed came under pressure from the European Commission (Apple was forced to pay the Irish government $13 billion in back taxes that Ireland had neglected to collect), regulation was just starting to become a concern.
Irelands 1995 Data Protection Act lacked significant enforcement mechanisms — so much so that Billy Hawkes, then the head of the Irish Data Protection Commission, had no legal power to apply any sanctions or penalties against the companies he was regulating in the years leading up to the Cambridge Analytica scandal. His successor, Dixon, herself acknowledged the lax culture in 2015, one year into her job, mentioning the problem of “forum-shopping” and perceptions that companies locate where “soft, incompetent or under-resourced regulators are.”
In the event that any regulatory issue should arise, as it did in the 2011 audit involving Facebooks sharing of data with app developers, U.S. companies had a powerful insurance policy: access to top Irish politicians via direct contacts or through the American Chamber of Commerce Ireland in Dublin, which continues to play an outsized role in shaping the direction of Irish policy. Top tech executives had Hawkes cellphone number and could access him directly whenever they had a need, according to two people with knowledge of such calls.
This welcoming atmosphere explains why Facebook, in particular, kept doubling down on its Irish presence throughout the 2000s, according to Sandy Parakilas, former operations manager for Facebook who left the company in 2012.
“It was simply the country with the least regulatory scrutiny,” he explained in a phone conversation from Los Angeles, where he is now senior product marketing manager, privacy, for Apple.
That statement was put to the test during Irelands 2011 audit of the company. Prompted by a groundswell of complaints against Facebook, Hawkes deputy, Gary Davis, undertook what is likely to have been the most in-depth review of Facebooks privacy practices ever. In his capacity as lead regulator not just for Europeans but Facebook users worldwide, Davis staff spent three months scouring the companys machinery, including sending officers to its Dublin headquarters to investigate first hand.
His first report, published in December 2011, called for dozens of changes and upgrades to Facebooks privacy practices, including its practices for screening third-party apps.
“We do not consider that reliance on developer adherence to best practice or stated policy in certain cases is sufficient to ensure security of user data,” the report stated. “This is not considered sufficient by this Office to assure users of the security of their data once they have third party apps enabled. We expect FB-I [Facebook Ireland] to take additional steps to prevent applications from accessing user information other than where the user has granted an appropriate permission.”
Parakilas, who was Facebooks “point person” on privacy matters at the time, said the criticism did not rile the company. Facebook responded to the audit in a “professional manner” but did not feel pressure to make fundamental changes, he said. When Parakilas tried to escalate concerns about the key critical findings in the original audit report, he was brushed off by senior executives.
At the time, Facebook expressed its concern about the audit to Irish officials, according to later testimony by Dixon before a government committee. Afterward, the Data Protection Commission appeared to go out of its way to give Facebook a clean bill of health.
In a 74-page follow-up report published in 2012, the commission declared that “most of the recommendations [have] been fully implemented to our full satisfaction.” On its call to improve screening of third-party apps, where major problems later emerged, the report stated: “Satisfactory response from FB-I.” A year later, Davis left the commission to join Apple as its chief privacy officer.
“They didnt go anywhere near as far as you would have hoped,” Parakilas said, referring to the Irish commission. Parakilas, who left Facebook in 2012, added that he doubts Irelands approach to regulation has changed substantially.
“Facebook is certainly the one that has the leverage in that relationship,” he said.
Asked whether Ireland had done enough to stop the Cambridge Analytica scandal, Doyle said the commission had gone as far as it could, within its legal limitations, in simply flagging the problem with app developers and seeking changes to Facebooks privacy practices. He pointed to comments Davis had made outside the report saying there are “still a number of items on which progress has not been as fully forward as hoped,” although the issues flagged did not have to do with third-party apps. In 2017, Helen Dixon told an Irish parliamentary committee that Facebook “did not agree with the recommendation” for significant changes to its privacy rules in 2011, and that the changes were made only through an “iterative process” 18 months later.
Facebook disputes that account.
In comments to POLITICO, a spokesperson said that the company has “complied fully” with all requested changes, and claimed that the Irish regulator has never requested any changes that would have prevented the Cambridge Analytica scandal.
Hawkes, who at the time was the top Irish regulator, declined to comment on the matter, according to a spokeswoman at the International Association of Privacy Professionals, a nonprofit association that brings together people working on data protection. Gary Davis did not respond to repeated requests for comment and a spokesperson for Apple, where Davis now works, did not respond.
Max Schrems was rebuffed by Irish authorities when he complained about transatlantic data-sharing, only to have the European courts strike down the data-sharing law | Lisi Niesner/Bloomberg via Getty Images
FACEBOOK FLEXES ITS MUSCLES
The years that followed Davis audit brought Facebooks relationship with Ireland to new levels of closeness.
In 2013, the commission dismissed Schrems claim against the company over data transfers to the United States, calling the suit frivolous. The company then won an award of funds from Irelands national asset management agency — the so-called bad bank that took over assets on troubled lenders during the financial crisis — to build its Frank Gehry-designed headquarters in Dublin.
When the Cambridge Analytica scandal broke in 2018, the U.K. launched an investigation and fined the company, while Ireland merely issued recommendations. A few months after Facebook CEO Mark Zuckerberg appeared before the U.S. Congress and European Parliament to answer questions from lawmakers, the company announced the construction of a new 14-acre campus in Dublin and the opening of several new data centers in County Meath, north of Dublin.
As far back as 2014, the question of how Ireland would handle the new privacy rules under the GDPR was on the minds of Facebooks leaders. As it happened, Ireland was in the process of choosing a new chief data regulator to replace Hawkes. Sandberg took it on herself to investigate the matter, lobbying then-Irish Prime Minister Kenny on the sidelines of the World Economic Forum in Davos and also at her offices in Menlo Park, California.
According to emails obtained by the Irish Independent via Freedom of Information requests, Sandberg wanted to know that Hawkes successor would be “as strong as” he had been in the role. But if the wrong choice was made, Sandberg suggested, there would be consequences for Irelands attractiveness as a destination for tech investment.
“The risk is that companies will revisit their investment strategies for the EU market,” she wrote in a June 2014 email to Kenny, adding that Irelands regulator should be a person who would “establish a strong collaborative working relationship with companies like ours.”
The choice of Dixon, a former Irish civil servant with a law degree but no background in law enforcement or regulatory investigation, was in line with Sandbergs wishes. Before she became one of the most important privacy regulators in the world, Dixon had spent four years working for U.S. software company Citrix, followed by a stint at the business-friendly Irish Department of Enterprise, Trade and Innovation.
While the regulators statutes call for the appointment of three co-equal directors in order to properly separate the agencys enforcement and adjudication roles, the other two were never named.
TJ McIntyre, a law professor at University College Dublin who sued the government over the process under which Dixon was chosen, complained that shes “not coming from that investigatory and enforcement perspective.”Read More – Source