
Ireland blocks the world on data privacy - timthorn
https://www.politico.eu/interactive/ireland-blocks-the-world-on-data-privacy/
======
Despegar
This is an incredibly well reported story.

>As far back as 2014, the question of how Ireland would handle the new privacy
rules under the GDPR was on the minds of Facebook’s leaders. As it happened,
Ireland was in the process of choosing a new chief data regulator to replace
Hawkes. Sandberg took it on herself to investigate the matter, lobbying then-
Irish Prime Minister Kenny on the sidelines of the World Economic Forum in
Davos and also at her offices in Menlo Park, California.

According to emails obtained by the Irish Independent via Freedom of
Information requests, Sandberg wanted to know that Hawkes’ successor would be
“as strong as” he had been in the role. But if the wrong choice was made,
Sandberg suggested, there would be consequences for Ireland’s attractiveness
as a destination for tech investment.

“The risk is that companies will revisit their investment strategies for the
EU market,” she wrote in a June 2014 email to Kenny, adding that Ireland’s
regulator should be a person who would “establish a strong collaborative
working relationship with companies like ours.”

The choice of Dixon, a former Irish civil servant with a law degree but no
background in law enforcement or regulatory investigation, was in line with
Sandberg’s wishes. Before she became one of the most important privacy
regulators in the world, Dixon had spent four years working for U.S. software
company Citrix, followed by a stint at the business-friendly Irish Department
of Enterprise, Trade and Innovation.

~~~
bayareanative
Regulatory capture might be an understatement. How about "regulatory
innovation?" That will confuse people and make it look like the corporations
aren't running yet another banana republic.

------
dmoo
For some balance from the same publication the next day. Irish privacy
regulator opens investigation into Facebook over passwords

[https://www.politico.eu/article/facebook-ireland-
investigati...](https://www.politico.eu/article/facebook-ireland-
investigation-passwords-privacy/)

------
ahartmetz
Ireland... Tax haven and advocate of US companies in the EU. This is
unsurprising, unfortunately.

~~~
timrichard
Fun fact : a gorilla of the US companies is Amazon, which operates out of
Luxembourg due to a sweetheart deal offered by the now-President of the EU
Commission.

But... let the pot-shots fly. Bad Ireland.

~~~
ahartmetz
What kind of defense is that? "Look, the other guy did less of the same bad
thing!"

~~~
timrichard
I'm not defending Ireland, I'm pointing out double standards.

------
jaabe
I think it’s unfair to say that just because there haven’t been legal action,
there has been no action.

I live in Denmark, our data-protection agency has only recently gotten cases
to a point where they could roll out fines. And that’s just for the small-
scale offences that were legally easy to handle.

Some of the larger breaches will take many years to handle before a case is
strong enough to be brought to the police. It’s also worth noting, that
breaches of the GDPR don’t automatically lead to legal action. It’s only if
organisations systematically abuse data or if they fail to fix whatever
problems a GDPR audit points out to them, that legal action is the end result.

If you have a breach, like if a supplier forget to exclude an API key from
their GitHub repository and I it leaves your employee names vulnerable to the
entire world. But you find it, report it, fix it and tell the affected parties
ie comply with the GDPR procedures. Then you’ll have breached the GDPR, but
won’t have broken the law.

------
xg15
Maybe I'm wrong, but isn't one of the provisions of the GDPR that regional
privacy commissioners may take over - exactly to avoid cases of regulatory
conflicts of interest like this?

E.g. I think one of the recent fines was put in effect by the _french_ privacy
commissioner, even though, going by headquarters, the irish one would have
been responsible. However, because french citizens were affected, the french
commissioner was allowed to overrule. (At least that was my understanding how
it worked)

I mean, Ireland's unwillingness to regulate internet companies is not exactly
news. I imagine it was well-known when the regulation was designed (whether or
not it actually _influenced_ the design).

~~~
M2Ys4U
Local supervisory authorities can investigate issues that are "[in] the
territory of its own Member State"

Where there are cross-border issues, though, the supervisory authority of the
main establishment of the controller becomes the lead supervisory authority.

------
nemoniac
The article suggests that because Facebook, for example, has its European
headquarters in Ireland, then complaints under the GDPR must be handled by the
Irish data regulator. This is not the case. Any EU citizen can bring a
complaint to the data regulator in their own country.

Sure, Ireland drags its heels but that does not prevent the data regulators in
other countries from taking action.

~~~
M2Ys4U
You're partially correct. Citizens can bring complaints before their local
supervisory authority, but cross-border issues are dealt with first and
foremost by the lead supervisory authority.

To wit, article 56(1) of the GDPR:

>Without prejudice to Article 55, the supervisory authority of the main
establishment or of the single establishment of the controller or processor
shall be competent to act as lead supervisory authority for the cross-border
processing carried out by that controller or processor in accordance with the
procedure provided in Article 60.

and 56(6):

>The lead supervisory authority shall be the sole interlocutor of the
controller or processor for the cross-border processing carried out by that
controller or processor.

------
dalbasal
The key point is this, I think:

 _" “We need to be careful and ensure that the margin for maneuver given by
the GDPR doesn’t lead to an attractiveness competition between EU countries,
as is already the case for taxation,” Marie-Laure Denis, France’s new chief
privacy regulator, warned the French parliament in January, in a clear
reference to Ireland."_

The meta-problem here is (jurisdiction for international matters) is acute.

It totally hamstrings corporate imcome tax as a category of taxation. In the
modern economy, that's a big problem. The winner-loser disparity is such that
taxing company profits is the ideal strategy. The alternative is taxing
revenue/sales, which is far less efficient. A Google or FB could pay a pretty
hefty corporate tax without affecting their output much. They literally make
more profit than they know what to do with... it's piling up. A VAT
alternative doesn't distinguish between them and (eg) auto manufacturers. It
also doesn't tax export revenue...

That's a done deal at this point. Politician planning on funding stuff through
corporate income tax changes is a sign of naiveté and haplessness. ...
international jurisdiction problems are just too unsolvable.

A regulator shopping regime for privacy regulations basically takes regular on
off the table, as a viable tool.

It'll bleed into other areas as well.

------
return1
AFAIK according to gdpr a DPA can act against a company in another country,
there is no such thing as national jurisdiction. (This is already the case for
complaints against e.g. google brought to austrian DPA). It even has
provisions in case 2 DPAs are in conflict. So what is the article talking
about?

[https://gdpr-info.eu/art-60-gdpr/](https://gdpr-info.eu/art-60-gdpr/)

~~~
M2Ys4U
Article 56(6):

>The lead supervisory authority shall be the sole interlocutor of the
controller or processor for the cross-border processing carried out by that
controller or processor.

~~~
return1
This is assuming that the lead supervising authority is the one in Ireland.
Since facebook deals with data in all states, and doesn't make decisions about
those data in Ireland (but in the US), it is not clear if Ireland is their
sole LSA.

[https://iapp.org/news/a/is-it-possible-to-choose-your-
lead-s...](https://iapp.org/news/a/is-it-possible-to-choose-your-lead-
supervisory-authority-under-the-gdpr/)

------
bayareanative
Ireland: Europe's Texas.

~~~
Fordec
Nope. More like Europe's Delaware

------
darawk
> Millions of Americans rely on Europe's tough new privacy rules

...do they? I'm an American, and I sure wish the GDPR would crawl back from
whence it came. The only thing it does for me is show me gratuitous popup
messages that I have to mindlessly click through.

~~~
mwilliaams
I think there’s some truth on both sides. The cookie warnings are definitely
annoying.

~~~
baroffoos
The new warnings the GDPR came with are much better. Now you can actually say
no.

~~~
tomatocracy
Hahaha yeah right. If you can navigate the dark patterns to find the links to
the opt outs from tracking then click through to 100 other websites and find
their own opt outs (if they exist). Then trust them that they’re actually
going to comply, won’t accidentally lose your settings etc.

Browser extensions to block them in the first place are still much more
effective.

~~~
CalRobert
That's a violation of GDPR. They need to be opt-in to be legal, not opt-out.

~~~
maccard
Ok that's great - what does that mean? How do I make them make it an opt in?

I contacted ICO in the UK about a breach (amazon sending unsolicited marketing
emails through the order update system) - ICO told me to talk to Amazon, who
said "Oh we're sorry" and ignored me. Just because it's against the law,
doesn't mean companies wo'nt do it.

~~~
M2Ys4U
You have to complain to the organisation first, before a supervisory authority
will take action.

You can also appeal any decision of the ICO to the Information Tribunal if
you're unsatisfied.

------
Mirioron
> _“We need to be careful and ensure that the margin for maneuver given by the
> GDPR doesn’t lead to an attractiveness competition between EU countries, as
> is already the case for taxation,” Marie-Laure Denis, France’s new chief
> privacy regulator, warned the French parliament in January, in a clear
> reference to Ireland._

Of course the big and wealthy countries in the EU want to make sure that the
smaller countries aren't attractive for businesses. It reminds me of Macron's
proposal to screw over truckers from Eastern Europe.

These regulators knew that GDPR was going to have an effect like this. Why are
people acting surprised now? Whenever I see talk that pertains to the Irish
not doing enough with the tech companies it's always politicians from
countries like France and Germany. I'm guessing that they don't like that tech
companies set up shop in a country that isn't theirs.

~~~
stakhanov
> Of course the big and wealthy countries in the EU want to make sure that the
> smaller countries aren't attractive for businesses.

I'm not seeing that kind of thing happening at all.

It's just that the equation of how much to win (for a large number of Dollars
brought into Ireland when Amazon opens a data center, for example), versus how
much to lose (in lost regulatory power, tax revenue etc when domestic
companies start asking for the same deal) looks different for a small country
than it does for a large country.

...that is also the reason why tax havens tend to be small island countries. A
country like Bermuda has a lot to gain from a zero-corporate-tax tax regime if
it means it can fill the island with banks and law firms and little to lose if
it has next to zero domestic economy and therefore it is by definition the
case that the loss in tax revenue pertains to income that would have otherwise
been taxed elsewhere anyway.

~~~
tomatocracy
The small island nation as tax haven is more of a stereotype than an absolute
truth.

If you look at it objectively, most observers say the US is either the biggest
or second biggest tax haven in the world.

Eg see this article [https://www.bloomberg.com/news/articles/2018-01-30/u-s-
seen-...](https://www.bloomberg.com/news/articles/2018-01-30/u-s-seen-as-
world-s-second-biggest-tax-haven-after-switzerland)

~~~
stakhanov
The article you linked to requires login, so it's difficult for me to comment
on what's written there. -- The viewpoint I'm coming from is this: Go to
[https://en.wikipedia.org/wiki/List_of_countries_by_tax_rates](https://en.wikipedia.org/wiki/List_of_countries_by_tax_rates)
Sort by corporate tax rate. Look at the ones that say 0%. Notice how many of
them are island nations. The list goes Anguilla, Bahamas, Bahrain, Bermuda,
Cayman Islands, ...

~~~
JeanMarcS
I think it’s because it combines 2 factors.

First, those islands hadn’t other ressources to sell. So to attract money in
their banks they started no tax laws

And then it’s a nice place to spend a couple of days since they build hotels
with the money they won on getting the no tax regulation.

