Derek Scally: Schrems data privacy ruling creates big headache for Ireland

Are we the front-line defender of EU privacy rights or a digital-era colonial outpost of the US intelligence services?

If you knew a harbour was unsafe, would you anchor your boat there? Probably not.

If the harbour authorities knew of safety issues yet kept silent and refused to act, are they liable if your boat was damaged, washed away or even stolen? Yes.

That is the essence of Tuesday's ruling by Europe's highest court. The European Court of Justice has ruled that Europe's Safe Harbour regulations are invalid and criticised the EU for sitting on its hands. It has also ordered Ireland to pull its socks up.

The thing about Safe Harbour is that it has nothing to do with boats and everything to do with your smartphone.


Even when it’s in your pocket, your smartphone produces endless flows of invisible data. This data is covered by EU data protection laws and the bloc’s fundamental right to privacy, even when it is exported to the US under the Safe Harbour provisions.

The ECJ found the European Commission executive had failed its citizens by allowing the 15-year fantasy of Safe Harbour to persist, a virtual reality that allowed US companies fill in a website form and promise to meet EU data standards.

For privacy campaigners, Safe Harbour was always like emperor's new clothes. In this case it took two men - US whistleblower Edward Snowden and Austrian privacy campaigner Max Schrems - to point out the obvious: the commission had no legal clothes on, and there was nothing safe about Safe Harbour.

Snowden warned that EU citizens' data, including Facebook data, was caught up in a US intelligence dragnet. Schrems decided to see if it was true.

This is no abstract battle being fought in far-away Europe. This is a battle that affects you, your data and Ireland's 21st century business model as a hub for tech giants.

The ECJ ruling tore strips off the European Commission. But it also challenges Ireland’s habit of viewing its international tech hub solely in terms of domestic economic gain. The ECJ reminded Dublin that it also creates legal and moral responsibilities for all 500 million EU citizens.

We live in an era where data is as valuable as currency or precious minerals in the past. But have we allowed Grand Canal Dock become an ex-territorial collection point for digital information, mined from users all over Europe and exported to the US for further processing - legal and illegal?

Ireland is rightly proud of having attracted almost all of the US blue chip tech companies to our shores, creating huge employment and catalysing our own tech start-ups.

But public debate about regulating this international tech sector is trapped in its infancy. Anyone from beyond our shores who questions Ireland’s rigour in regulating companies like Facebook is either ignored or receives a bad-tempered, emotional response.

Austrian campaigner Max Schrems, whose dogged pursuit of Facebook data collection resulted in this landmark ECJ ruling, is viewed by many in official Ireland as a pest. Other EU countries' criticism of Ireland's data regulation regime is dismissed by data protection minister Dara Murphy as thinly-veiled "jealousy" of our tech sector.

Ireland Inc’s thin-skinned “jealousy” arguments were last used to dispense with critics of Ireland’s tax regime for multinationals. After years insisting nothing needed to be done, Dublin has now yielded to international pressure for tax reform.

Similarly, outsiders who dared to mention “light-touch” and Ireland’s financial regulator in the same sentence were attacked; they are now seen as prophets.

Why should things be different with our data protection regulator (DPC)? Ireland Inc insists the regulator is doing a good job but Europe’s highest court disagrees. It has ordered the DPC to investigate Facebook, as Schrems requested, raising serious questions about what factors - legal and political - influenced the DPC’s initial refusal to do so.

If Ireland is serious about data regulation, as it claims to be, then Max Schrems is not an irritant but a canary in the Irish data mine. Criticism of Ireland’s DPC by its European colleagues, and now the ECJ, must be analysed as constructive contributions for improvement.

Rather than shooting critical messengers, Ireland needs to join the global debate about the far-reaching consequences of the massive industry we have attracted to our shores.

Last week in Berlin, German philosopher Peter Sloterdijk said that the Snowden revelations had merely exposed long-standing reality, of links between Google, Facebook and the US intelligence services.

“In this scenario Silicon Valley is just a civil outpost of the Pentagon,” he argued.

Given that, EU member states can either win back sovereignty over its citizens’ data or, he face a a bleak future of US “digital colonialism”.

Ireland has put itself at the heart of this debate and is now trapped between idealism and opportunism - but we’ve been here before.

A century ago, while some Irish women and men planned the 1916 rising, others seized the opportunities afforded to them through imperial migration and made careers for themselves in British commercial and military ventures in India.

Much of the international commentary in the coming day will focus, rightly, on the dilemma the ECJ has created for Facebook and other tech giants: should they heed US demands to share data they collect, including EU citizens’ data, or must they heed the ECJ and refuse to do so unless adequate controls are in place?

But the Luxembourg ruling puts Ireland in a moral and legal quandary, too, and has forced a debate, long avoided, with parallels to the questions of neutrality and sovereignty raised when US war planes refuel in Shannon.

Where do Ireland’s loyalties lie? When it comes to Facebook and other tech giants based in Dublin, does Ireland see itself and its data protection regulator as the front-line defender of Irish and EU citizens’ fundamental rights to privacy, or as a digital-era colonial outpost of US intelligence?