Webster's pieces from The Oldie
Webster's Webwatch

GDPR's birthday

August 2019

 

The General Data Protection Regulation (GDPR), the EU-powered data protection rules that beefed up our existing laws, was enacted just over a year ago.  It is the reason we must nowadays so often ‘accept’ the privacy terms of a website every time we go to it, and why a few American websites are still shy about showing their content in Europe.

In my view, GDPR is a force for good.  It makes it harder for organisations to respectably hang onto our details, or to pass them around, and that doesn’t seem like a bad thing to me.

However, the proof of the pudding is, as ever, in the eating, and over the last year a flaw has emerged.  Under the rules it is up to the individual regulator in each nation to enforce GDPR in its own territory; there is no Interpol for the Internet. 

Not only that, wherever an infringement takes place, it is the location of what is called the ‘data controller’ of each company (usually at the head office but not always) that determines which nation’s regulator should take the lead.

This wouldn’t matter if all countries had good Information Commissioners, but they don’t; significant variations are beginning to surface.  One of the most commented on has been the way Ireland punishes its transgressors.  Or, to be more precise, the way it doesn’t punish them.

Despite receiving thousands of complaints relating to data privacy since GDPR came into force, the Irish Data Protection Commission has yet to take any enforcement actions against a big tech company and has actually prevented some action.  In 2016, a German court ruled that Facebook and WhatsApp were sharing their clients’ data and forbad it, at least for German users.  When GDPR came into force, this ruling was trumped by the ‘data controller’ issue, and the Irish Data Commissioner became the lead authority in the matter.  The Commissioner, who is not a court, decided that there was no data sharing to worry about and so the ban was never enforced.

This probably wouldn’t matter too much either, if only the Irish Government had not constructed its tax legislation to encourage the largest internet monsters to set up shop there; Facebook, Dell, WhatsApp, Google, Apple, Instagram and others all have significant presences in the Republic, and many of their data controllers reside, and so are regulated, there.

I have written before of the very high regard I have for Elizabeth Denham CBE, the UK Information Commissioner.  She is enforcing the rules in a sensible but firm way, unfazed by attempts at political interference; she has fined councils, police forces, even the courts; she has issued Enforcement Notices (akin to a shot across the bows) to many, even HMRC.  But even her hands can be tied by this ‘data controller’ issue.

There is no benefit to a regulation if it is not enforced.  The current head of the Irish Data Protection Commission is an ex-civil servant with no background in law enforcement or investigation, and the Irish Independent even came across emails suggesting that senior people at Facebook were lobbying the Irish prime minister over who should run the Commission.  It doesn’t inspire confidence.

Ultimately, my concern is that this GDPR anomaly might encourage some countries to become data havens that attract companies with a slack approach to data security, much as tax havens attract money that seeks as little scrutiny as possible.  I don’t believe that the Irish have this as a plan, and I’m inclined to think that they have simply been slow off the mark.  That is certainly the view of some of the more serious observers of this complex world, so let’s be generous.

But let’s keep an eye on them.

 
A few links...

 

Report from the Irish Independent on how Facebook chief Sheryl Sandberg lobbied Taoiseach Enda Kenny over data protection role and taxation: CLICK HERE

The Irish Data Commission’s report on complaints received: CLICK HERE

DLA Piper GDPR data breach survey: February 2019: Over 59,000 personal data breaches reported across Europe since the introduction of GDPR: CLICK HERE

 
