Is the Irish Data Regulator in Facebook's pocket? šŸ¤”

For several years now Iā€™ve watched as the Irish Data Regulator has valiantly fought to sweep Metaā€™s sins under the carper.

Thereā€™s a long history of regulatory incompetence in Ireland, but I canā€™t help suspecting that this case has been driven more by the Data Protection Regulator wanting to keep Meta onboard and protecting the MNC rather than protecting the public.

A bit of background to this record fine.

Schrems battle with data regulators

Max Schrems, an Austrian privacy campaigner, paid three visits to the office of the Data Protection Commissioner when it oversaw Facebook, Google, Dropbox and the rest of big tech from above a shop in Portarlington, Co Laois. On his first visit, Schrems says an official gave him a 15-minute dressing down for criticising the DPC in press interviews.

On another occasion he was told no one was available to speak to him about a privacy complaint he had lodged. ā€œI was like, ā€˜this is childish and I can be just as childish as youā€™,ā€ he said. So the dogged Austrian phoned the DPC every hour, until finally an official texted to say no one would talk to him. ā€œAfter that they didnā€™t really respond to any emails any more, even though there was an open, pending case,ā€ Schrems claimed in 2018 in an interview with Frontline.

In 2014, Billy Hawkes, as data protection commissioner, rejected one of Schremsā€™s cases against Facebook as frivolous and vexatious. That decision was overturned by the courts, and the process finally concluded on Tuesday with the DPC fining Facebookā€™s owner Meta ā‚¬1.2 billion for violations of European data privacy laws.

Schremsā€™s relationship with regulators has not improved. ā€œWe regularly have to sue DPAs [with costs of ā‚¬2,000-ā‚¬5,000 on average], to get ā€˜freeā€™ GDPR complaints decided,ā€ he tweeted after the Meta fine was announced.

The Latestā€¦

Irish watchdog opposed ā‚¬1.2bn Meta fine, saying it would have no ā€˜meaningful dissuasive effectā€™

Case centres on Facebookā€™s transfers of personal data to the US in defiance of EU law

*Meta, which plans a court appeal against the ruling, claimed it was flawed and unjustified. *

A record ā‚¬1.2 billion fine against Facebook owner Meta for violating privacy law was imposed in the face of claims by Irelandā€™s data regulator that no financial sanction was needed.

The penalty against one of the worldā€™s largest companies was imposed on Monday after Data Protection Commissioner Helen Dixonā€™s European counterparts dismissed her argument that a fine would have no ā€œmeaningful dissuasive effectā€ on Meta.

It was the biggest fine since Ms Dixon assumed sweeping powers in 2018 to supervise the European operations of large tech companies such as Meta, which have their EU headquarters in Ireland.

The regime was billed as a game-changer in the drive to control how business exploits consumersā€™ personal information, although critics say enforcement should be sharper and swifter.

Meta, which plans a court appeal against the ruling, claimed it was flawed and unjustified. But European regulators accused the company of ā€œthe highest degree of negligenceā€ with personal data, as they instructed Ms Dixon to impose a large fine.

She is lead European Union regulator for Meta with responsibility for pan-European investigations into any violations of the data of hundreds of millions of users. Still, her conclusions must be approved by EU counterparts in a Brussels-based body called the European Data Protection Board (EDPB).

Records show Ms Dixon met a backlash from Austrian, German, French and Spanish regulators for saying there should be no financial penalty at all.

The case centres on Facebook transfers of personal data to the United States, in defiance of EU law after a 2020 European court ruling struck down the arrangements. The data included ā€œphotographs, videos or messagesā€ and ā€œeveryday data of social interactions with family, friends, acquaintances and othersā€.

The social media giant, one of the Stateā€™s biggest taxpayers, has been directed to suspend any future transfers within five months. It must also cease within six months ā€œunlawfulā€ processing and storage in the US of European data.

The latest sanction against Meta brings its total EU sanctions for privacy violations to some ā‚¬2.5 billion. But Ms Dixon had argued that a fine on top of an order to suspend the data transfers would not be proportionate.

ā€œI expressed the view, in the draft decision, that the imposition of an administrative fine would not render the [Data Protection Commissionā€™s] response to the findings of unlawfulness any more effective,ā€ she said in case papers.

ā€œNor did I consider that, in the particular circumstances of this case, or in relation to transfers generally, the imposition of an administrative fine on top of the suspension would have any meaningful dissuasive effect.ā€

Such assertions met resistance from four other regulators, who insisted on a fine when the case went to the European board. That body agreed, saying a suspension order alone would ā€œnot be enough to produce the specific deterrence effect necessary to discourage Metaā€ from continuing the infringements.

ā€œThe [EDPB] considers that, taking into account the nature and scope of the processing, as well as the very high number of data subjects affected, Meta [Ireland] committed an infringement of significant nature, gravity and duration,ā€ it said.

ā€œThe EDPB takes the view that the imposition of an administrative fine in addition to the suspension order would have an important deterrence effect, which the imposition of a suspension order alone cannot have.ā€

An earlier wrangle between the Irish Data protection Commissioner and her EU colleagues.

Could they be under pressure from the Irish government, who want to keep big tech there, and would prefer to turn a blind eye?

1 Like

Absolutely. Big Tech directly employs thousands in the Republic and many more indirectly.

Appleā€™s Cork campus had 4,000 staff last time I was there in 2017. Iā€™d imagine that place has poured a heap of money into the local economy in the 40 years since it opened.

1 Like

Possibly, but if that is the case she should stand down really. An old mentee of mine is a past member of the board of the Irish Investment Authority and another friend has just been appointed to it. Iā€™ll see if I can sniff anything out :shushing_face: Iā€™d like to know why they are allowing so many climatically disastrous datacentres to be built in Ireland too. That has to MNC blackmail.

Yes, and thereā€™s still the ā‚¬13B tax battle going on. But at least Apple (and Intel and a lot of Pharma and others) have produced stuff in Ireland. Facebook and its ilk are only there for the tax breaks (and perhaps light regulation :face_with_hand_over_mouth:).

2 Likes

Iā€™m sure pressure was applied in this instance, but it goes further than just this decision by the Irish DPC.

A few years ago now BA was notified of the UK ICOā€™s intention to fine them Ā£183M for their part in data on 400,000 customers and staff being improperly secured. This figure represented, at the time, the biggest GDPR related fine issued, although it was only 1.5% of BAā€™s turnover for that year whereas the maximum possible is 4%.

Fast forward a couple of years and the fine ended up being only Ā£20M, or 0.16% BAā€™s worldwide annual turnover for the year of approximately Ā£12.23B.

This is so frustrating because when GDPR was announced there was a sense of unease amongst businesses about these fines. I was still working for Vodafone at the time GDPR was introduced and they went to great lengths to locate data, write DPIAs, compile ROPAs, implement processes for DSARs, etcā€¦ As a data subject who was otherwise completely powerless in knowing how organisations used my data, this was great.

However, as BA found out, it appears the ICO and their equivalents lack any teeth. You can see this by looking at who exactly is getting fined and by how much.

Instead of making examples of large organisations like Meta, BA, Google, etcā€¦ theyā€™re going after SMEs or even sole traders. And instead of headline-grabbing fines of 4% of global turnover, the fines are mostly small change for large organisations, so thereā€™s no compelling reason for them to complyā€¦ They most likely wonā€™t get investigated and if they do the fine will have been worth it.

What needs to happen is, like for SOX in the US, Board members ground guilty of breaching GDPR should be imprisoned.

2 Likes

I agree entirely. Iā€™m pissed off with having to go through supposedly GDPR related bullshit when I call a company when I know they donā€™t actually give a damn.

2 Likes

Bad news for Spotifyā€¦

Maybe Iā€™ve been proved wrong and the fines are finally starting to hit.

They are building there also the medical and the pharma industries, because the cabal they call a govt are throwing grants and such tidbits at themā€¦

It was a rhetorical question :face_with_hand_over_mouth: and it has nothing to do with grants and titbits. It because of the national dependence on tax driven FDI. Now itā€™s payback time with unnecessary datacentres that bring nothing to Ireland except a net zero headache.

Plus, despite its many faults I donā€™t think cabal in an accurate word to describe the Irish Government. The Tory inner sanctum yes, but a Government made up of a coalition of three parties, hardly.

The cabal I was referring to was the FF and FG. The fact that SF got in the mix shook Leo two socks to his core. The net zero scam will become a headache for all those govts that signed up to it at the WEF. The next headache is the agreement the WHO is trying to push through. No doubt the wet wipes in westminster will sign up for it. And then the population suffer.

1 Like

Not really a cabal, the whole Country was complicit for eighty years :roll_eyes:

1 Like