Ireland has failed to regulate Facebook on behalf of Europe

New EU rules will allow data-protection organisations to oversee the work of the DPC in Dublin

Last year the north side of Fitzwilliam Square was the ninth most profitable place in Dublin to clamp cars, generating almost €42,000 in clamping fees. The principle is clear: if you park here illegally you must pay a fine to get your car back.

Different principles seem to apply on the other side of the square which has been the home of the Dublin office of the Irish Data Protection Regulator (DPC) since 2015 .

For the last seven years – following a complaint from Austrian privacy campaigner Max Schrems – Ireland’s regulator has been “engaging” with Facebook through meetings and audits on whether its business practices adhere to or breach EU law.

Because Facebook and other tech giants have their international headquarters in Ireland, the Irish regulator has front-line responsibility for policing them. At no point has Facebook feared the DPC.

Instead the social network shares the view of many European data regulators who liken Ireland to George Orwell's Animal Farm: the larger and more powerful you are, the less likely the DPC is to clamp you.

Among its caseload for 2011, the DPC tackled a veterinary practice for disclosing a dog owner’s personal data; censured a leisure centre that requested excessive personal data from patrons; and warned a marketing company to stop calling numbers on the national opt-out register.

We still don't know if EU citizens' data were sucked up by the app linked to Cambridge Analytica

Another case came on its radar that year: Facebook. Unlike those quick, snappy rulings on small Irish businesses, the DPC – seven years later – it is still grappling with the social media giant on behalf of its 374 million active users in Europe.

EU law

After the Cambridge Analytica scandal broke, Irish data regulator Helen Dixon said she would “follow up” on a 2011-12 audit into Facebook. This investigation included a complaint by Schrems that Facebook’s Dublin operation was operating outside EU law.

In one prescient point he argued that “third-party consent”, cited by Facebook as the legal basis for data collection by third-party apps, had no basis in EU law. Leading data protection figures across Europe share this view.

In its audit reports, however, the DPC – apart from a few minor quibbles – appears to side with Facebook. Your personal data can be sucked up by apps not installed by you – but by a Facebook “friend” – to be stored and sold by a company you’ve never heard of.

You may not have known this was happening, but Facebook argues you should have.

And if you had a problem with this, you should have switched off the default “share” setting in your Facebook profile.

We still don’t know if EU citizens’ data were sucked up by the app linked to Cambridge Analytica. But, given thousands of such apps exist, it’s likely many EU Facebook users had their data grabbed by others on the DPC’s watch.

You may not know them, but these companies now know everything about you – from your political to your sexual preferences. The vast consequences are only beginning to become clear.


Taoiseach Leo Varadkar insisted this week, somewhat disingenuously, that the loophole allowing for this “was closed in 2015”. This was because of a Facebook systems update, not because it felt any urgency to respond to non-existent DPC pressure.

In other words, the horse was kind enough to close the door as it bolted. This is data-protection regulation Irish-style.

In 2013, when I visited the DPC headquarters in Portarlington, Co Laois, then regulator Billy Hawkes insisted his consensual approach to regulating Facebook – viewed critically by many EU peers – was more effective than waving a regulatory stick because “it is good to use powers of persuasion backed up by enforcement powers”.

From a European perspective, the Cambridge Analytica scandal is not a series of unfortunate events but a new low point in a long narrative of deliberate neglect in Ireland

In 2014, as Cambridge Analytica was culling information it says handed Donald Trump the White House, Hawkes insisted to me that Facebook “is in compliance with its obligation under Irish and European data-protection law”. Really?

Now that the extent – and consequences – of its data-trading have become public, Facebook is shocked – shocked – by what happened.

In reality, Facebook is shocked because it was caught out. It walked into this with its eyes open, allowing problematic – possibly illegal – data-collection via third-party apps. And it earned money in the process from data-collecting app developers it knew it couldn’t control.

And yet Facebook is simply doing what it was programmed to do. Contrary to its soft-soap PR, Facebook is not here to heal the world Michael Jackson-style. Altruism is a happy by-product of its main mission: to make money by digitising people’s DNA and selling it to the highest bidder.

Until 2014,when Cambridge Analytica went to work, Facebook’s motto was “move fast and break things”. We now know it may have helped break US democracy. Oops.

New low point

From a European perspective, the Cambridge Analytica scandal is not a series of unfortunate events but a new low point in a long narrative of deliberate neglect in Ireland.

Ireland’s “consensual” regulation of Facebook has failed – spectacularly. From May new EU rules will allow data-protection organisations around Europe to oversee the work of the DPC in Dublin

The message from Europe to Ireland’s DPC is clear: regulate or you will be regulated. Clamp or you will be clamped.

Because failing to stop powerful companies breaking data-protection law is not regulation, it is complicity.

Derek Scally is Berlin Corespondent