Is the Irish Data Regulator in Facebook's pocket? 🤔

For several years now I’ve watched as the Irish Data Regulator has valiantly fought to sweep Meta’s sins under the carpet.

There’s a long history of regulatory incompetence in Ireland, but I can’t help suspecting that this case has been driven more by the Data Protection Regulator wanting to keep Meta onboard and protecting the MNC rather than protecting the public.

A bit of background to this record fine.

Schrems battle with data regulators

Max Schrems, an Austrian privacy campaigner, paid three visits to the office of the Data Protection Commissioner when it oversaw Facebook, Google, Dropbox and the rest of big tech from above a shop in Portarlington, Co Laois. On his first visit, Schrems says an official gave him a 15-minute dressing down for criticising the DPC in press interviews.

On another occasion he was told no one was available to speak to him about a privacy complaint he had lodged. “I was like, ‘this is childish and I can be just as childish as you’,” he said. So the dogged Austrian phoned the DPC every hour, until finally an official texted to say no one would talk to him. “After that they didn’t really respond to any emails any more, even though there was an open, pending case,” Schrems claimed in 2018 in an interview with Frontline.

In 2014, Billy Hawkes, as data protection commissioner, rejected one of Schrems’s cases against Facebook as frivolous and vexatious. That decision was overturned by the courts, and the process finally concluded on Tuesday with the DPC fining Facebook’s owner Meta €1.2 billion for violations of European data privacy laws.

Schrems’s relationship with regulators has not improved. “We regularly have to sue DPAs [with costs of €2,000-€5,000 on average], to get ‘free’ GDPR complaints decided,” he tweeted after the Meta fine was announced.

The Latest…

Irish watchdog opposed €1.2bn Meta fine, saying it would have no ‘meaningful dissuasive effect’

Case centres on Facebook’s transfers of personal data to the US in defiance of EU law

*Meta, which plans a court appeal against the ruling, claimed it was flawed and unjustified.*

A record €1.2 billion fine against Facebook owner Meta for violating privacy law was imposed in the face of claims by Ireland’s data regulator that no financial sanction was needed.

The penalty against one of the world’s largest companies was imposed on Monday after Data Protection Commissioner Helen Dixon’s European counterparts dismissed her argument that a fine would have no “meaningful dissuasive effect” on Meta.

It was the biggest fine since Ms Dixon assumed sweeping powers in 2018 to supervise the European operations of large tech companies such as Meta, which have their EU headquarters in Ireland.

The regime was billed as a game-changer in the drive to control how business exploits consumers’ personal information, although critics say enforcement should be sharper and swifter.

Meta, which plans a court appeal against the ruling, claimed it was flawed and unjustified. But European regulators accused the company of “the highest degree of negligence” with personal data, as they instructed Ms Dixon to impose a large fine.

She is lead European Union regulator for Meta with responsibility for pan-European investigations into any violations of the data of hundreds of millions of users. Still, her conclusions must be approved by EU counterparts in a Brussels-based body called the European Data Protection Board (EDPB).

Records show Ms Dixon met a backlash from Austrian, German, French and Spanish regulators for saying there should be no financial penalty at all.

The case centres on Facebook transfers of personal data to the United States, in defiance of EU law after a 2020 European court ruling struck down the arrangements. The data included “photographs, videos or messages” and “everyday data of social interactions with family, friends, acquaintances and others”.

The social media giant, one of the State’s biggest taxpayers, has been directed to suspend any future transfers within five months. It must also cease within six months “unlawful” processing and storage in the US of European data.

The latest sanction against Meta brings its total EU sanctions for privacy violations to some €2.5 billion. But Ms Dixon had argued that a fine on top of an order to suspend the data transfers would not be proportionate.

“I expressed the view, in the draft decision, that the imposition of an administrative fine would not render the [Data Protection Commission’s] response to the findings of unlawfulness any more effective,” she said in case papers.

“Nor did I consider that, in the particular circumstances of this case, or in relation to transfers generally, the imposition of an administrative fine on top of the suspension would have any meaningful dissuasive effect.”

Such assertions met resistance from four other regulators, who insisted on a fine when the case went to the European board. That body agreed, saying a suspension order alone would “not be enough to produce the specific deterrence effect necessary to discourage Meta” from continuing the infringements.

“The [EDPB] considers that, taking into account the nature and scope of the processing, as well as the very high number of data subjects affected, Meta [Ireland] committed an infringement of significant nature, gravity and duration,” it said.

“The EDPB takes the view that the imposition of an administrative fine in addition to the suspension order would have an important deterrence effect, which the imposition of a suspension order alone cannot have.”

An earlier wrangle between the Irish Data Protection Commissioner and her EU colleagues.

Could they be under pressure from the Irish government, who want to keep big tech there, and would prefer to turn a blind eye?

Absolutely. Big Tech directly employs thousands in the Republic and many more indirectly.

Apple’s Cork campus had 4,000 staff last time I was there in 2017. I’d imagine that place has poured a heap of money into the local economy in the 40 years since it opened.

Possibly, but if that is the case she should stand down really. An old mentee of mine is a past member of the board of the Irish Investment Authority and another friend has just been appointed to it. I’ll see if I can sniff anything out 🤫 I’d like to know why they are allowing so many climatically disastrous datacentres to be built in Ireland too. That has to be MNC blackmail.

Yes, and there’s still the €13B tax battle going on. But at least Apple (and Intel and a lot of Pharma and others) have produced stuff in Ireland. Facebook and its ilk are only there for the tax breaks (and perhaps light regulation 🤭).


I’m sure pressure was applied in this instance, but it goes further than just this decision by the Irish DPC.

A few years ago now BA was notified of the UK ICO’s intention to fine them £183M for their part in data on 400,000 customers and staff being improperly secured. This figure represented, at the time, the biggest GDPR related fine issued, although it was only 1.5% of BA’s turnover for that year whereas the maximum possible is 4%.

Fast forward a couple of years and the fine ended up being only £20M, or 0.16% of BA’s worldwide annual turnover for the year of approximately £12.23B.

This is so frustrating because when GDPR was announced there was a sense of unease amongst businesses about these fines. I was still working for Vodafone at the time GDPR was introduced and they went to great lengths to locate data, write DPIAs, compile ROPAs, implement processes for DSARs, etc… As a data subject who was otherwise completely powerless in knowing how organisations used my data, this was great.

However, as BA found out, it appears the ICO and their equivalents lack any teeth. You can see this by looking at who exactly is getting fined and by how much.

Instead of making examples of large organisations like Meta, BA, Google, etc… they’re going after SMEs or even sole traders. And instead of headline-grabbing fines of 4% of global turnover, the fines are mostly small change for large organisations, so there’s no compelling reason for them to comply… They most likely won’t get investigated and if they do the fine will have been worth it.

What needs to happen is, like for SOX in the US, Board members found guilty of breaching GDPR should be imprisoned.


I agree entirely. I’m pissed off with having to go through supposedly GDPR related bullshit when I call a company when I know they don’t actually give a damn.
