Can Ireland's Regulators Stand Up for Internet Privacy?
European regulators don’t always agree about what Net companies should do to protect the privacy of their users. Witness the uproar in Germany over Street View, a Google Maps feature that shows pictures of the buildings and scenery along roads. Google agreed to blur the houses of Germans who requested that their homes not be shown, delaying Street View’s launch. Elsewhere in Europe, Street View was largely unremarked upon.
In late January, the European Union proposed simplifying the patchwork of regulations by making each Web company responsible to a single regulator in an EU country where it processes data. For many major technology companies, that means Ireland. The island nation has spent decades wooing U.S.-based businesses with its low corporate tax rate and young, tech-savvy workforce. If the EU proposal is approved by its member countries—and that could take years—it would likely mean that Ireland’s Data Protection Commissioner’s Office would oversee Facebook, Twitter, LinkedIn, Google, and other technology companies with major operations in the Emerald Isle.
That would be a hefty task for the government agency, which now has a staff of only 22, none of whom write code. Since 2009, as Ireland slashed its public spending and accepted a €67.5 billion emergency bailout, the data office’s budget has shrunk 16 percent, to €1.5 million in 2011, even as its workload soared. If the EU proposal passes, “We would obviously have some resource problems,” says Gary Davis, Ireland’s deputy data protection commissioner.
The data regulator’s capabilities were put to the test last year when Max Schrems, an Austrian law student, made 22 complaints about Facebook’s compliance with EU privacy rules, such as the company keeping photos on its servers after they’d been deleted. The Irish agency conducted the investigation because Facebook’s European headquarters are located in Dublin. “We put a big focus into the Facebook audit,” says Davis. He says the agency hired a technology consultant to do a “very detailed scrutiny and examination” of Facebook’s code during the three-month process. “It was 90 percent me in terms of the written output and in terms of the interaction” with the company, says Davis. Facebook agreed to several changes as a result of the investigation, including limits on how long its servers would store photos and other data after users delete them, and said it would be more forthright about how data is used.
Ireland’s ability to regulate Internet companies “is something that causes a lot of worry to data protection authorities” elsewhere in Europe, says TJ McIntyre, a law lecturer at University College Dublin who calls the data protection office “massively under-resourced.” Regulators in Germany, in particular, have been critical of how the Irish agency handled the Schrems complaints. The data protection commissioner for the state of Schleswig-Holstein said in December that he “can’t understand” why the Irish agency’s report listed privacy problems but did not declare them illegal. Hamburg’s data protection authority has said some of the Irish agency’s recommendations were “unclear.” Davis says his office’s main obligation was to resolve the Schrems complaints, which it is doing.
Schrems also is skeptical of Ireland’s ability to regulate Web companies, arguing that the sluggish economy means the country is less likely to make decisions that could scare off the technology industry, which makes up a third of the country’s exports by value, according to the government. “Ireland is trying to be very pro-business to attract other businesses in Ireland, especially in the IT sector,” says Schrems. “They’re not interested in serious enforcement of data protection law at all.”
One company that endorses the EU proposal: Facebook. In its initial public offering filing, the social network listed “complex and evolving U.S. and foreign laws and regulations regarding privacy, data protection, and other matters” among the risk factors. Letting Ireland take the lead on regulatory matters would allow “a clear understanding that the definitive view is the view taken by the regulator we’re dealing with,” says Facebook’s director of public policy, Richard Allan. “The biggest area of uncertainty are these jurisdictional questions” among the EU’s many data protection regulators because they can have “very different views.”
Davis, meanwhile, says that bolstering the data protection office is the pro-business thing to do. The EU’s proposed rules could require tech companies to get data regulators’ approval before launching new features, and the companies would be tempted to move if big backlogs develop. “If companies come and choose Ireland, we’re going to have to have the resources to deal with them,” he says.