Ireland’s besieged data privacy regulator is fast becoming a problem too big for Dublin to ignore.
The Irish Data Protection Commission (DPC) has long faced accusations of being too soft on the legions of U.S. tech companies, including Facebook, Google and Apple, that it is charged with regulating.
So far those accusations have come from a rarified community of privacy activists and wonkish European lawmakers. But in past weeks criticism of the Irish DPC has gone mainstream, prompting soul-searching in a country that owes much of its prosperity to the many U.S. tech multinationals it lured to its shores.
On Sunday, the authority’s chief Helen Dixon had to go on national radio to defend the DPC after a slew of local media articles suggested Ireland’s reputation was at risk because of her office’s perceived misfiring.
“Anybody who does a search for Ireland and Data Protection Commissioner, your name and the office — it’s littered with international criticism of your office and Ireland as a result,” the interviewer, Gavin Jennings at public broadcaster RTÉ, said to Dixon.
Anxiety in Ireland over the country’s international standing has been rocked by a series of interventions by global big wigs.
In November, Facebook whistleblower Frances Haugen said Ireland faced a “conflict of interest” when regulating Big Tech because of the economic benefits it derives from hosting European headquarters of U.S. tech giants.
Shortly after, in December, European Commission Vice President Věra Jourová warned the GDPR may need overhauling if enforcement didn’t pick up, in a shock intervention that many interpreted as a swipe at Ireland. “We are in the crunch time now,” she said.
But more recent revelations have turned those sparks of discontent into a raging fire that’s spread far and wide beyond the privacy community.
Ireland vs. EU counterparts
A series of documents that emerged this month suggested the Irish authority had gone out on a limb to push Facebook’s interests at the European level.
!function(e,t,i,n,r,d){function o(e,i,n,r){t[s].list.push({id:e,title:r,container:i,type:n})}var a=”script”,s=”InfogramEmbeds”,c=e.getElementsByTagName(a),l=c[0];if(/^\/{2}/.test(i)&&0===t.location.protocol.indexOf(“file”)&&(i=”http:”+i),!t[s]){t[s]={script:i,list:[]};var m=e.createElement(a);m.async=1,m.src=i,l.parentNode.insertBefore(m,l)}t[s].add=o;var p=c[c.length-1],f=e.createElement(“div”);p.parentNode.insertBefore(f,p),t[s].add(n,f,r,d)}(document,window,”//e.infogr.am/js/dist/embed-loader-min.js”,”8fcd8a98-5d5a-4fe7-9134-f2ca99b70d04″,”interactive”,””);
According to the documents published by privacy campaign group noyb.eu December 5, the Irish DPC explicitly pushed for EU guidelines that would allow social networks to monitor users’ behavior to target them with personalized ads without having to obtain their consent.
The attempt was roundly rejected by other European data protection regulators, with one saying the Irish interpretation “undermines the system and spirit of the GDPR.”
The Irish authority in the end was the only European regulator to vote against final guidelines that dismissed its attempts to allow targeted ads through contracts, the documents showed.
That didn’t stop the Irish DPC from doubling down on its view that Facebook could use the so-called “performance of a contract” to use data for ads when it issued a draft decision on an investigation into Facebook’s practices in October.
The Irish view was — again — sharply criticized by at least one fellow European data protection regulator.
“Data protection law would no longer be able to ensure data protection, and the essence of the right to privacy and data protection would cease to exist,” the Norwegian regulator said of the Irish decision in an official objection obtained by POLITICO.
Adding to the controversy, Ireland’s push to greenlight targeted ads under a “performance of contract” came just as Facebook changed its own terms and conditions in a way that matched the Irish interpretation, but only after having held 10 meetings with the Irish DPC, according to lawyers for Facebook.
The revelations rattled the Dublin regulator. It refuted claims that it represents Big Tech’s interests as “baseless” in a 1,200-word response on its website.
How close is too close?
The Irish data protection authority’s response to the controversy did little to extinguish the whiff of suspicion now surrounding the office.
The watchdog maintained it is “utterly untrue” that it lobbied on Facebook’s behalf. But it struggled to rebut the fact that it had consistently pushed for social media companies to be able to use user contracts as a legal basis for ads — and that Facebook switched to the contract legal basis off the back of engagement with the regulator.
In Ireland’s defense, regulators commonly engage with companies they regulate. The issue of whether a contract can serve as a legal basis for targeted ads is also still under consideration at the EU’s Court of Justice after Austria’s top court in July referred the case to the Luxembourg court. A lower Austrian court had ruled in favor of Facebook’s interpretation.
But for some, the mountain of evidence against the Irish data protection commission has reached a turning point.
“For years we wondered, did the special relationship between Ireland and Big Tech have an impact on the enforcement of the GDPR?” said Estelle Massé, a data protection campaigner at NGO Access Now. “We now know that a DPC’s interpretation of the GPDR is not only serving social media’s interest but is also in the minority among regulators.”
This article is part of POLITICO’s premium Tech policy coverage: Pro Technology. Our expert journalism and suite of policy intelligence tools allow you to seamlessly search, track and understand the developments and stakeholders shaping EU Tech policy and driving decisions impacting your industry. Email pro@politico.eu with the code ‘TECH’ for a complimentary trial.
https://ift.tt/eA8V8J December 16, 2021 at 07:22PM
Vincent Manancourt