Ireland: prisoner of Big Tech?
A data-protection case in the High Court this week brought into focus the relationship between the State and the big tech companies located here. Some say we are regulating Facebook, Google and others too lightly
Safeguarding privacy: Austrian law student Max Schrems (right) gives a press conference after his meeting with European Facebook representatives in Vienna. Photograph: Dieter Nagl/AFP/Getty Images
The financial regulator wasn’t the only one under legal scrutiny this week in Dublin. As the Anglo Irish Bank trial ended, with considerable criticism from the judge for the former financial regulator, another court case began scrutinising another regulator: the Data Protection Commissioner.
This was not a trial but a judicial review. The question before the High Court: was the commissioner right not to probe allegations by the whistleblower Edward Snowden that Facebook’s Dublin subsidiary may have passed on data of its European users to the US intelligence services?
Under the Prism programme, launched by the US National Security Agency (NSA) in 2007 and exposed by the Guardian newspaper last summer, US companies are obliged to turn over data that meets court-approved search terms. The NSA says the programme had prevented terrorism and operated under full judicial oversight. Whether European data was involved is unclear.
When asked to investigate further by an Austrian privacy campaigner, Max Schrems, the Data Protection Commissioner, Billy Hawkes, ruled that Facebook’s Prism transfers were covered by existing EU-US data agreements, so were beyond his remit and required no further attention.
This week’s court date to challenge his ruling was not the first encounter between Hawkes and Schrems, but it was by far the most public. For years the Austrian has demanded that the commissioner’s office investigate a company he views as a disingenuous data magpie that collects more information than it lets on and that he believes runs rings around the Irish regulator.
After two audits of Facebook International, the commissioner says the social networking company is compliant with European data laws.
This latest battle between Schrems and Hawkes ensures the final ruling on June 18th of Mr Justice Gerard Hogan, who specialises in constitutional and EU law, will find a broad audience around Europe.
Watching closely are data protection regulators around the continent, many unhappy that they must defer to Hawkes’s office on complaints their citizens make against Facebook, Google and other tech companies based in the State.
Such cross-border disputes expose the divergent views, legal traditions and cultural expectations around Europe about privacy. Tempers flare and misunderstandings abound.
Britain’s information commissioner believes Hawkes does a good job in very difficult legal circumstances. Until a new European data protection regulation* that is– currently being negotiated comes into force, all national data-protection bodies process complaints based on national interpretations of 20-year-old rules written before the emergence of Google and Facebook.
“Under the current legal regime,” says David Smith, Britain’s deputy information commissioner, “we cannot be expected to apply other countries’ legal standards across the board to cases that affect their citizens but also ours”.
Germany’s federal and state data protection commissioners are perhaps the most vocal – and negative – in Europe about the Irish commissioner. They all express respect for their Irish colleague but doubt the Data Protection Commissioner would ever take on a deep-pocketed multinational like Facebook in the courts.
“The problem we have with Facebook is that it appears to have chosen a location where not only the tax but also the data protection regime suits its business practices,” says Johannes Caspar, data protection regulator in Hamburg, suggesting that decisions by the Irish regulator are friendlier to business than they would be elsewhere.
Asked for an example, Caspar cites a dispute about Facebook’s facial-recognition feature, developed to automatically name-tag people in photographs that users upload.
According to Facebook, the Irish regulator found that the tag-suggest feature is legally compliant. The Irish DPC found the feature was compliant if additional information was provided to users, while German regulators said it was highly problematic for Facebook to scan and digitally measure faces for a private biometric database – a resource that, in future, could potentially be requested for surveillance.
Hawkes accepts there was fundamental agreement on this point but says his office engaged with European authorities to find a consensual agreement.
“We see this as an endorsement of our co-operative approach, involving all of our colleagues taking in their concerns,” he said.Facebook eventually abolished the feature and deleted the database for European users, but Hamburg’s data protection commissioner Johannes Caspar believes the feature would still be operational if it had not been for European regulators’ intervention. “Facebook eventually rowed back on this after our offices opened an administrative procedure,” against them, he says.
Other German data protection officials worry the Irish regulator’s office, in Portarlington, is too small to monitor the tech giants clustered around Grand Canal Dock.
“Billy Hawkes does his best, but why is he expected to take on a plane like Facebook with a catapult?” says Joachim Wahlbrink, data protection commissioner in Lower Saxony. “Not being adequately resourced shows me how the political wind blows in Ireland.”
Hawkes disputes claims that his office is under-resourced, pointing to a recent staff increase and a budget to hire in technical staff for audits. The commissioner’s auditing and amicable resolution approach should not, he says, be confused with light-touch regulation. “People confuse fines with enforcement, but fines don’t necessarily lead to compliance,” he said. “We have extremely strong enforcement powers, and people know we have them.”
But it’s not just foreign observers who are concerned. An Irish privacy campaigner sees a disconnect between official Ireland’s enthusiasm in attracting companies to our shores– and courting them when they are here – and in regulating them.
“There is little official awareness or interest in Ireland in what Facebook or Google do, so there is no concern,” argues TJ McIntyre, a lecturer in information technology law at University College Dublin and chairman of Digital Rights Ireland. “But apathy is not a policy.”
McIntyre argues that Ireland applies the same lax standards to its European privacy obligations as it does to domestic cases, where Irish public servants, from gardaí to Revenue officials, face censure but never prosecution when caught snooping on others’ files in official databases.
While Irish audiences hang on every word of the Facebook executive Sheryl Sandberg when she visits, a debate is raging around Europe about the long-term effects of Facebook, Google and others on the media, democratic values and even how we perceive the world around us.
The debate began in Germany’s Frankfurter Allgemeine daily newspaper, when Google’s executive chairman, Eric Schmidt, warned that “heavy-handed regulation . . . risks creating an innovation desert in Europe”.
In an frank response, Matthias Döpfner, chief executive of Germany’s Axel Springer AG media group, wrote that “we are afraid of Google” and its insatiable appetite for data on what users read, where they go, who they know and what they think. “Forget Big Brother,” he added, “Google is better.”
In the latest Frankfurter Allgemeine contribution to the topic, Shoshana Zuboff, professor emeritus at Harvard Business School, says Google bears characteristics of an absolute power that tolerates no dissent. Behind its rhetoric of openness – demanding full transparency from users as the price for using its “free” services – Google demands absolute privacy to collect and evaluate the mountains of user data its services generate.
Worse, she says, its penetrating curiosity about users’ habits, movements, thoughts and secrets have, via the Prism programme, made US tech companies Trojan horses for US intelligence services.
Ireland’s success in attracting tech giants could put it on a collision course with its European neighbours. Some EU governments suggest Europe’s best response to the NSA scandal would be to make Europe a global leader in privacy issues.
Economies based on secure digital storage and data integrity – not free cloud storage with complementary NSA oversight – could, goes the argument, attract a lot of international business and generate robust growth for Europe. But it would contradict the business model of the tech giants in Ireland.
The prime resource of this century is data; analysing that data to sell advertisements and influence human behaviour is the golden coin of the digital realm. By attracting Facebook and Google to its shores Ireland – its citizens, Government and Data Protection Commissioner – oversees the digital mining licences for Facebook and Google, deciding how deep they can drill into 500 million Europeans’ private lives.
See also: “Google building kingdom of unaccountable power”, Shoshana Zuboff’s Frankfurter Allgemeine article on Google. (left)
*This article was amended on Saturday May 3rd, 2014