If Facebook’s top executives can’t control it, how can Ireland?
Net Results: The State says it intends to regulate Facebook as needed. Sigh. Go on, try
In the dark? Facebook’s chief operating office Sheryl Sandberg. Photograph: Jim Watson/AFP/Getty Images
The New York Times broke a story last week revealing that the company used “delay, deny and deflect” tactics against critics and legislators, hiring a conservative-backed public relations agency that worked to discredit Facebook’s detractors.
Yet its top two executives – founder, chief executive and chairman Mark Zuckerberg and chief operations officer Sheryl Sandberg – say they knew nothing about all this, which – added to all the other scandals – should deeply perturb Facebook’s board.
Perhaps the real question should be: is Facebook even capable of being regulated?
Any answer still bounces back to Ireland, because the best laws for making an attempt to do so are European data protection and antitrust laws and, under the General Data Protection Regulation (GDPR), Ireland is Facebook’s EU regulator.
So concerns about Ireland’s adequacy for this task are valid, if not new. Ever since Austrian Max Schrems took a case against former Irish data protection commissioner Billy Hawkes, challenging whether his office had adequately investigated whether Facebook handled Schrems’s data in accordance with European law, some have had doubts.
That case, initiated in the Irish High Court, was referred to the European Court of Justice, which firmly agreed that the Irish Data Protection Commission had failed to examine Schrems’s valid concerns. Not good optics for Ireland.
But that was a decision against just one ruling of a former commission. Issues arising out of that case continue through the Irish court network in a second case brought by the current commissioner, and heard in the Commercial Court, on the adequacy of the contracts Facebook and other companies use for transatlantic data transfers.
Facebook asked the Irish Supreme Court to decide whether the Commercial Court’s referral to the European Court of Justice of that case, too, is valid (it’s hard to imagine the court will do other than confirm the referral’s propriety).
Yet this referral, in a case taken by the data protection commissioner against Facebook, raises questions about the approach of the commission. I’ve spoken to many legal experts and none can understand why the office decided to name not just Facebook as a defendant but also Max Schrems, the complainant.
It also chose the State’s most expensive court, the Commercial Court, for the case. Costs mounted into the millions, even though numerous legal experts (still) believe the referral could have been requested in lower courts, and without making Schrems a defendant. By taking the approach it did, the commission inexcusably exposed Schrems, a private citizen, to the real risk of shouldering a share of the case’s exorbitant costs. That makes no sense.
The commission did eventually ask that Schrems be indemnified against costs. But its approach has created a real chilling effect by introducing the possibility that a complainant could end up being exposed to vast costs – negligible to multinationals – simply by filing a complaint.
Granted, prosecuting the case in this expensive way at least highlighted a problem within EU law that needs to be fixed.
However, despite taking the largest and most costly data enforcement action action in the history of the State, the commission is also accused by some of harbouring an undeclared policy to go soft on multinationals such as Facebook, because such companies are so important to Ireland’s economy – a view publicly stated by a former German data commissioner. Surely the worst of all worlds.
I don’t believe this to be true, not least because, under GDPR, a national regulator’s decision can be challenged and reconsidered by an EU arbitration panel. This creates unwanted regulatory uncertainty for companies, which prefer even a firm regulatory environment to one with “soft” decisions that invite appeal. Anyway, companies come here for a long roster of reasons.
I also believe that Data Protection Commissioner Helen Dixon and her office are working to create an office adequate to its task with their needed, and well-deserved, additional staff and significantly increased State funding (though, at €11.7 million, it still just a droplet compared to Facebook’s financial reservoir).
But abroad, there’s embedded scepticism about Ireland’s regulatory commitment. I know, because I’ve been asked by international media publications and privacy professionals countless times about this.
It doesn’t help appearances that the office, and the appointment of its commissioner, fall under the aegis of the Government rather than standing independently. No matter how neutral the office may be, it remains vulnerable to the perception that it is quietly directed by the same Government that also wishes to attract and accommodate multinationals such as Facebook.
Still, the State has also said it intends to regulate Facebook as needed. Sigh. Go on, try.
Every additional scandal confirms that Facebook is a data juggernaut beyond effective control – of its own executives, much less the occasional sabre-rattling of national legislators or the reach of any state regulator.
The truth is, no state or regulator anywhere has yet shown an ability to meaningfully regulate Facebook, even though failure to take on this powerful, globally entrenched, secretive company ultimately exposes us all.
On evidence, Ireland seems highly unlikely to break this pattern, but I’d be happy to be proven wrong.