Ireland's privacy regulator is a gamekeeper-turned-poacher
This Saturday (May 20), I'll be at the GAITHERSBURG Book Festival with my novel Red Team Blues; then on May 22, I'm keynoting Public Knowledge's Emerging Tech conference in DC.
On May 23, I'll be in TORONTO for a book launch that's part of WEPFest, a benefit for the West End Phoenix, onstage with Dave Bidini (The Rheostatics), Ron Deibert (Citizen Lab) and the whistleblower Dr Nancy Olivieri.
When the EU passed its landmark General Data Protection Regulation (GDPR), it seemed like a privacy miracle. Despite the most aggressive lobbying Europe had ever seen, 500 million Europeans were now guaranteed a digital private life. Could this really be?
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
Well, yes…and no. Despite flaws (Right to Be Forgotten), the GDPR has strong, well-crafted, badly needed privacy protections. But to get those protections, Europeans need their privacy regulators to enforce the rules.
That's where the GDPR miracle founders. Europe includes several tax-havens — Malta, Cyprus, the Netherlands, Luxembourg, Ireland — that compete to offer the most favorable terms to international corporations and other criminals. For these havens, paying little to no tax is just table-stakes. As these countries vie to sell themselves out to giant companies, they compete to offer a favorable regulatory environment, insulating companies from lawsuits over corruption, labor abuses and other crimes.
All of this is made possible — and even encouraged — by the design of European federalism, which lets companies easily shift which flag of convenience they fly. Once a company re-homes in a country, it can force Europeans across the union to seek justice in that country's courts, under the looming threat that the company will up sticks for another haven if the law doesn't bend over backwards to protect corporate citizens from the grievances of flesh-and-blood humans.
Big Tech's most aggressive privacy invaders have long flown Irish flags. Ireland is "headquarters" to Google, Meta, Tinder, Apple, Airbnb, Yahoo and many other tech companies. In exchange for locating a handful of jobs to Ireland, these companies are allowed to maintain the pretense that their global earnings are afloat in the Irish Sea, in a state of perfect, untaxable grace.
That cozy relationship meant that the US tech giants were well-situated to sabotage Ireland's privacy regulator, who would be the first port of call for Europeans whose privacy had been violated by American firms. For many years, it's been obvious that the Irish Data Protection Commission was a sleeping watchdog, with infinite tolerance for the companies that pretend to make Ireland their homes. 87% of Irish data protection claims involve just eight giant US companies (that pretend to be Irish).
But even for hardened GDPR warriors, the real extent of the Data Protection Commissioner's uselessness is genuinely shocking. A new report from the Irish Council for Civil Liberties reveals that the DPC isn't merely tolerant of privacy crimes, they're gamekeepers turned poachers, active collaborators in privacy abuse:
The report's headline figure really tells the story: the European Data Protection Board — which oversees Ireland's DPC — overturns the Irish regulator's judgments 75% of the time. It's actually worse than it appears: that figure only includes appeals of the DPC's enforcement actions, where the DPC bestirred itself to put on trousers and show up for work to investigate a privacy claim, only to find that the corporation was utterly blameless.
But the DPC almost never takes enforcement actions. Instead, the regulator remains in its pajamas, watching cartoons and eating breakfast cereal, and offers an "amicable resolution" (that is, a settlement) to the accused company. 83% of the cases brought before the DPC are settled with an "amicable resolution."
Corporations can bargain for multiple, consecutive amicable resolutions, allowing them to repeatedly break the law and treat the fines — which they negotiate themselves — as part of the price of doing business.
This is illegal. European law demands that cases that involve repeat offenders, or that are likely to affect many people, must be fully investigated.
Ireland's government has stonewalled on calls for an independent review of the DPC. The DPC continues to abet lawlessness, allowing corporations to use privacy invasive techniques for surveillance, discrimination and manipulation. In 2022, the DPC concluded 64% of its cases with mere reprimands — not even a slap on the wrist.
Meanwhile, the DPC trails the EU in issuing "compliance orders" — which directly regulate the conduct of privacy-invading companies — only issuing 49 such orders in the past 4.5 years. The DPC has only issued 28 of the GDPR's "one-stop-shop" fines.
The EU has 26 other national privacy regulators, but under the GDPR, they aren't allowed to act until the DPC delivers its draft decisions. The DPC is lavishly funded, with a budget in the EU's top five, but all that money gets pissed up against a wall, with inaction ruling the day.
Despite the collusion between the tech giants and the Irish state, time is running out for America's surveillance-crazed tech monopolists. The GDPR does allow Europeans to challenge the DPC's do-nothing rulings in European court, after a long, meandering process. That process is finally bearing fruit: in 2021, Johnny Ryan and the Irish Council for Civil Liberties brought a case in Germany against the ad-tech lobby group IAB:
But Europeans should not have to drag tech giants out of Ireland to get justice. It's long past time for the EU to force Ireland to clean up its act. The EU Commission is set to publish a proposal on how to reform Ireland's DPA, but more muscular action is needed. In the new report, the Irish Council For Civil Liberties calls on the European Commissioner for Justice, Didier Reynders, to treat this issue with the urgency and seriousness that it warrants. As the ICCL says, "the EU can not be a regulatory superpower unless it enforces its own laws."
Catch me on tour with Red Team Blues in Toronto, DC, Gaithersburg, Oxford, Hay, Manchester, Nottingham, London, and Berlin!
[Image ID: A toddler playing with toy cars. The cars are Irish police cars. The toddler's head has been replaced with the menacing, glowing red eye of HAL9000 from Stanley Kubrick's '2001: A Space Odyssey.' The toddler's knit cap is decorated with the logos for Apple, Google, Facebook and Tinder.]
Norway Wants Europe-Wide Ban on Facebook Behavioral Ads
Norway is urging the European Data Protection Board (EDPB) to ban Meta (formerly Facebook) from harvesting user data for advertising purposes permanently and extend the ban across Europe.
European Privacy Watchdogs Assemble: A United AI Task Force for Privacy Rules
In a significant move towards addressing AI privacy concerns, the European Data Protection Board (EDPB) has recently announced the formation of a task force on ChatGPT. This development marks a potentially important first step toward creating a unified policy for implementing artificial intelligence privacy rules.
Following Italy's decision last month to impose restrictions on ChatGPT, Germany and Spain are also contemplating similar measures. ChatGPT has witnessed explosive growth, with more than 100 million monthly active users. This rapid expansion has raised concerns about safety, privacy, and potential job threats associated with the technology.
The primary objective of the EDPB is to promote cooperation and facilitate the exchange of information on possible enforcement actions conducted by data protection authorities. Although it will take time, member states are hopeful about aligning their policy positions.
According to sources, the aim is not to punish or create rules specifically targeting OpenAI, the company behind ChatGPT. Instead, the focus is on establishing general, transparent policies that will apply to AI systems as a whole.
The EDPB is an independent body responsible for overseeing data protection rules within the European Union. It comprises national data protection watchdogs from EU member states.
With the formation of this new task force, the stage is set for crucial discussions on privacy rules and the future of AI. As Europe takes the lead in shaping AI policies, it's essential to stay informed about further developments in this area. Please keep an eye on our blog for more updates on the EDPB's AI task force and its potential impact on the world of artificial intelligence.
European regulators are increasingly focused on ensuring that AI is developed and deployed in an ethical and responsible manner. One way that regulators could penalize AI is through the imposition of fines or other penalties for organizations that violate ethical standards or fail to comply with regulatory requirements. For example, under the General Data Protection Regulation (GDPR), organizations can face fines of up to 4% of their global annual revenue for violations related to data privacy and security.
Similarly, the European Commission has proposed new regulations for AI that could include fines for non-compliance. Another potential penalty for AI could be the revocation of licenses or certifications, preventing organizations from using certain types of AI or marketing their products as AI-based. Ultimately, the goal of these penalties is to ensure that AI is developed and used in a responsible and ethical manner, protecting the rights and interests of individuals and society as a whole.
Meta dodged a €4BN privacy fine over unlawful ads, argues GDPR complainant
A €390M privacy fine for Meta announced earlier this month in the European Union – for running behavioral ads on Facebook and Instagram in the region without a valid legal basis – was several billion dollars smaller than it should have been, and orders of magnitude too tiny to be a deterrent for others going big on breaking the bloc's privacy laws, according to the not-for-profit which filed the…
EDPB on Dark Patterns: Lessons for Marketing Teams
"Dark patterns" are becoming the target of EU data protection authorities, and the new guidelines of the European Data Protection Board (EDPB) on "dark patterns in social media platform interfaces" confirm their focus on such practices. While they are built around examples from social media platforms (real or fictitious), these guidelines contain lessons for all websites and applications. The bad…
Autonomous driving, the EDPB guidelines and the principles on the processing of personal data
In a system in which connected cars now populate our roads and autonomous driving represents the near future, identifying the principles for the processing of the personal data that these cars process is the starting point for any study and development in the automotive sector.
by Federica De…