Some are concerned by the lack of GDPR fines issued by Ireland, the lead regulator for many tech giants. But the country’s taking its time for good reason.
The original version of this post was published in Forbes.
The European Union’s General Data Protection Regulation (GDPR), now approaching its first anniversary, has been seen as the world’s best hope of bringing privacy back from the dead—reversing, or at least slowing, the seemingly inexorable march of ever-more-intrusive corporate surveillance by major tech companies.
Its provisions provide for mega fines—up to 4% of a company’s annual global revenue—for misuse of data or violations of users’ privacy. That could easily reach into the billions—Google’s annual revenue is closing in on $140 billion and Facebook’s is around $55 billion.
So amid the blizzard of first-anniversary stories, the most obvious question is: Is it working? How well is it fulfilling its promise so far? And, perhaps not surprisingly, there is a clear mix of opinions on that.
Nicholas Vinocur, technology editor in France for Politico, recently presented the “not so well” case, based on what regularly tends to emasculate the best-intended legislation—what he called a “significant loophole.”
Specifically, the law provides for the “lead regulator” (chief enforcer, in other words) of multi-national firms to be within the country in which those firms have their “main establishment.”
For most of the big players—Facebook, Twitter, WhatsApp, Google, Airbnb, Microsoft and Oath—that country is Ireland, which has attracted the tech giants through low taxes, low regulation, subsidies and access to government officials.
And so far, in spite of numerous reported incidents of privacy abuse by giants like Facebook and Google and 91 fines levied elsewhere in the world (including $57 million against Google by France), Ireland’s Data Protection Commission (DPC) has yet to take a single enforcement action for GDPR violations.
Those abuses include Facebook’s reintroduction of facial recognition software and data sharing with its recently purchased subsidiary WhatsApp, a messaging tool it bought in 2014. They also include Google’s failure to get consent from users “before sharing data among its fast-growing line of networks and products—from YouTube to Google Photos to Gmail and more.”
Vinocur, after talking with “scores of privacy experts, data watchdogs, academics and regulators in other countries,” said that is likely because the tiny nation lacks both the will and the means—what he described as a “threadbare regulatory apparatus”—to be a data privacy cop at this level.
One example he cited is the 2016 finding by a German court that Facebook and WhatsApp were sharing data. The court barred the two networks from exchanging information about German users. But “the ban became unenforceable when the GDPR took effect and Ireland became the lead supervisory authority,” he wrote.
Now, while German authorities want Ireland to crack down on what they say is resumed sharing, “Irish officials said in a statement they’re satisfied that Facebook and WhatsApp aren’t sharing information for the purposes of ‘friend suggestion or enhanced advertising.’”
Critics also note that the $739 billion market capitalization of Google’s parent company, Alphabet, is twice that of Ireland’s gross domestic product, which suggests the country doesn’t have much leverage over companies of that size.
But then, other reports emphasize the number of investigations by Ireland underway—now 18—into alleged GDPR violations by giants like Twitter, WhatsApp, Instagram, LinkedIn and Apple, along with seven involving Facebook.
Helen Dixon, chief of Ireland’s DPC, told the U.S. Senate Commerce Committee last week that some of those investigations could conclude by summer.
And she had declared before the law took effect that “there will be fines, and they will be significant.” But, she added, that would happen only “at the end of a very long path that has demonstrated a lack of accountability and an infringement.”
Which suggests Ireland’s DPC is not ignoring violations; it just hasn’t gotten to the “show me the money” stage yet.
So, should privacy advocates worry or be patient?
Jules Polonetsky, CEO of the Future of Privacy Forum (FPF), comes down on the side of patience. In fact, he argues that while fines tend to get most of the headlines, they aren’t as important as the major precedents that regulators will be setting—precedents that will “redefine business models.”
That, he said, takes time to be done right.
“The cases before the DPC in Ireland are some of the most consequential that will be made about the GDPR,” he said. “So being careful is prudent, given who you’re taking on. These decisions are going to need to withstand court challenges.”
He added that Irish law requires more due process than in some countries—another reason things aren’t happening as quickly as some might expect.
And he said while Ireland may be the lead regulator for a number of tech giants, that doesn’t mean it will be acting unilaterally. “Ireland must coordinate its actions,” he said. “It has to take its proposed resolutions to all the other countries before it makes a final decision. They can argue that something goes too far, or not far enough.”
Also, Adam Brown, associate managing consultant at Synopsys, noted the $57 million fine levied by the French Supervisory Authority against Google. “I don’t think it makes sense to say that the DPC was being soft on its tenants,” he said. “Even if it was, it makes no difference since another supervisory authority can come in and levy a fine.”
And while critics say the Ireland DPC is too close to those it regulates, Brown said he thinks the commission is doing the right thing—that it will be more effective to “work with stakeholders to yield improvement, rather than wielding the big stick in an attempt to beat them into submission.”
Danny O’Brien, international director of the Electronic Frontier Foundation (EFF), an aggressive privacy advocacy group, also isn’t troubled—at least not yet—about GDPR enforcement taking some time to get in gear.
“There’s a lot about how the whole system was going to be organized that was left unsaid in the GDPR, so I think it’s fair to say that no-one was expecting anything to happen very quickly,” he said. “It’s not necessarily the Irish DPC’s fault.”
Besides, Ireland’s status as lead regulator in these cases doesn’t mean the hands of every other country are tied. “Individuals can bring complaints to any country, plus the central regulator, the EDPS, can determine wider EU standards,” O’Brien said.
This, he said, doesn’t mean privacy advocates don’t need to remain vigilant. “Until we actually see some widespread enforcement, we can only guess,” he said, “but the people to watch are groups like Max Schrems’ None of Your Business.”
O’Brien said Schrems, an attorney, author and activist, “is now primarily bringing cases in his own country of Austria, rather than the expensive and frequently dismissed cases he had to pursue in Ireland before the GDPR took effect.”
Indeed, it was complaints from None of Your Business and the French NGO La Quadrature du Net that led to the $57 million fine against Google, announced in January.
Schrems told Vinocur that he doubts Ireland will be aggressive about protecting privacy. “They’ve basically gotten smarter about not doing things,” he said.
Polonetsky still remains optimistic. Ultimately, he said, “I’m confident that Ireland will set a future of GDPR that has teeth.”