The Data Protection Commissioner, Helen Dixon, once again seems to be at odds with her European counterparts. This time it is over the size of the sanction to be imposed on Meta for not following EU rules governing the transfer of user data to the US, where the Facebook and Instagram owner does a lot of its number crunching. The rules – known as the General Data Protection Regulation (GDPR) – are intended to ensure the security of personal information.
The DPC has, reluctantly it seems, imposed a €1.2 billion fine on Meta for various infractions, but not before making the case to its fellow EU regulators that the financial penalty would have no “meaningful dissuasive effect”. Ireland is the lead regulator for Meta in Europe because its European head office is in Dublin, but its rulings must be agreed with EU counterparts via the European Data Protection Board.
We have been here before.
The DPC handles a disproportionate number of data protection cases involving the dominant players in the technology sector because they have their EU headquarters here. They include Google (YouTube), Meta (Facebook, Instagram, WhatsApp), Apple, TikTok and Microsoft (LinkedIn, Xbox).
According to a recent report from the Irish Council for Civil Liberties, some three-quarters of the DPC’s decisions relating to the European operations of “Big Tech” have been overruled by EU counterparts. It’s not as dramatic as it seems. There have only been eight such cases.
That said, the only other regulator to have a decision overturned was the French one – it is worth noting here that the decision in question related to Accor, the French hotel and hospitality giant.
The ICCL report also found that the DPC uses its discretion – allowed under Irish law – to come to “amicable resolutions” to settle complaints, rather than issue final decisions after a formal investigation. It did so in 46 of 54 cases. Its EU counterparts don’t do this.
The DPC is a legally independent body and in its corporate governance framework document is unambiguous in setting out its role as “responsible for upholding the fundamental right of individuals in the European Union (EU) to have their personal data protected”.
When it comes to imposing fines, the DPC is required under GDPR to consult with fellow EU regulators under the “article 60” consultation process, through which objections can be heard. Where regulators differ, the “article 65” dispute resolution mechanism aims to find a consensus where the DPC cannot resolve objections from the other regulators.
On the face of it, the DPC appears to interpret its mandate in a way that is more sympathetic than some of its European counterparts to the companies they regulate. There is nothing surprising about this.
The DPC is independent, but can any organisation operate completely in a vacuum, unaware of national priorities?
The DPC would argue that it can and that it does – and that its record on investigations and fines supports this, though in some cases EU regulators have sought much higher fines than those proposed by the DPC.
It is a “national” data protection authority, albeit with responsibility for upholding EU laws. It is no secret that Ireland has assiduously courted inward investment by US technology firms, and they are an important part of the economy.
There are many ways of looking at the European Union and how it works in practice. One of the more pragmatic ones is that it is a framework that allows member states to further their own interests, while limiting the extent to which gains are at the expense of the other states. The European Commission is the referee.
Members win and lose all the time but, in the long run, they all do better than if they did not submit to these mutually agreed rules. The UK is currently going out of its way to prove this is the case.
But the key point is that they can and do compete using every weapon in their armouries, including regulatory regimes.
If the Irish regulatory regime is compatible with the objectives of upholding EU citizens’ rights under the GDPR, the DPC can choose to interpret its mandate however it sees fit.
Other EU states do this. There is little or no downside for them – and by extension their regulators – in being seen to be tough with the likes of Facebook. The opposite is more likely to be true. If Volkswagen was in the firing line the German regulator might not be so gung ho. This is the way the EU works and, in so far as it produces the compromises on which the entire edifice is built, it can be said to work.
None of this is to say that the Irish regulator’s approach is the correct one. The Irish banking industry prior to 2007 is a very different beast from the tech industry of today. Nevertheless, there are lessons from the past.
The previous “light touch” or “principles-based” regulatory regime imposed on the financial services industry by the Central Bank may have done wonders for the International Financial Services Centre but ended in utter disaster when the Irish banking system imploded. Until then, the banks were considered capable of policing themselves. They weren’t. It’s hard to see a reason to be any more trusting of technology businesses.