>As far back as 2014, the question of how Ireland would handle the new privacy rules under the GDPR was on the minds of Facebook’s leaders. As it happened, Ireland was in the process of choosing a new chief data regulator to replace Hawkes. Sandberg took it on herself to investigate the matter, lobbying then-Irish Prime Minister Kenny on the sidelines of the World Economic Forum in Davos and also at her offices in Menlo Park, California.
According to emails obtained by the Irish Independent via Freedom of Information requests, Sandberg wanted to know that Hawkes’ successor would be “as strong as” he had been in the role. But if the wrong choice was made, Sandberg suggested, there would be consequences for Ireland’s attractiveness as a destination for tech investment.
“The risk is that companies will revisit their investment strategies for the EU market,” she wrote in a June 2014 email to Kenny, adding that Ireland’s regulator should be a person who would “establish a strong collaborative working relationship with companies like ours.”
The choice of Dixon, a former Irish civil servant with a law degree but no background in law enforcement or regulatory investigation, was in line with Sandberg’s wishes. Before she became one of the most important privacy regulators in the world, Dixon had spent four years working for U.S. software company Citrix, followed by a stint at the business-friendly Irish Department of Enterprise, Trade and Innovation.
Regulatory capture might be an understatement. How about "regulatory innovation?" That will confuse people and make it look like the corporations aren't running yet another banana republic.
Fun fact : a gorilla of the US companies is Amazon, which operates out of Luxembourg due to a sweetheart deal offered by the now-President of the EU Commission.
I think it’s unfair to say that just because there haven’t been legal action, there has been no action.
I live in Denmark, our data-protection agency has only recently gotten cases to a point where they could roll out fines. And that’s just for the small-scale offences that were legally easy to handle.
Some of the larger breaches will take many years to handle before a case is strong enough to be brought to the police. It’s also worth noting, that breaches of the GDPR don’t automatically lead to legal action. It’s only if organisations systematically abuse data or if they fail to fix whatever problems a GDPR audit points out to them, that legal action is the end result.
If you have a breach, like if a supplier forget to exclude an API key from their GitHub repository and I it leaves your employee names vulnerable to the entire world. But you find it, report it, fix it and tell the affected parties ie comply with the GDPR procedures. Then you’ll have breached the GDPR, but won’t have broken the law.
Maybe I'm wrong, but isn't one of the provisions of the GDPR that regional privacy commissioners may take over - exactly to avoid cases of regulatory conflicts of interest like this?
E.g. I think one of the recent fines was put in effect by the french privacy commissioner, even though, going by headquarters, the irish one would have been responsible. However, because french citizens were affected, the french commissioner was allowed to overrule. (At least that was my understanding how it worked)
I mean, Ireland's unwillingness to regulate internet companies is not exactly news. I imagine it was well-known when the regulation was designed (whether or not it actually influenced the design).
Local supervisory authorities can investigate issues that are "[in] the territory of its own Member State"
Where there are cross-border issues, though, the supervisory authority of the main establishment of the controller becomes the lead supervisory authority.
The article suggests that because Facebook, for example, has its European headquarters in Ireland, then complaints under the GDPR must be handled by the Irish data regulator. This is not the case. Any EU citizen can bring a complaint to the data regulator in their own country.
Sure, Ireland drags its heels but that does not prevent the data regulators in other countries from taking action.
You're partially correct. Citizens can bring complaints before their local supervisory authority, but cross-border issues are dealt with first and foremost by the lead supervisory authority.
To wit, article 56(1) of the GDPR:
>Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.
and 56(6):
>The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.
"“We need to be careful and ensure that the margin for maneuver given by the GDPR doesn’t lead to an attractiveness competition between EU countries, as is already the case for taxation,” Marie-Laure Denis, France’s new chief privacy regulator, warned the French parliament in January, in a clear reference to Ireland."
The meta-problem here is (jurisdiction for international matters) is acute.
It totally hamstrings corporate imcome tax as a category of taxation. In the modern economy, that's a big problem. The winner-loser disparity is such that taxing company profits is the ideal strategy. The alternative is taxing revenue/sales, which is far less efficient. A Google or FB could pay a pretty hefty corporate tax without affecting their output much. They literally make more profit than they know what to do with... it's piling up. A VAT alternative doesn't distinguish between them and (eg) auto manufacturers. It also doesn't tax export revenue...
That's a done deal at this point. Politician planning on funding stuff through corporate income tax changes is a sign of naiveté and haplessness. ... international jurisdiction problems are just too unsolvable.
A regulator shopping regime for privacy regulations basically takes regular on off the table, as a viable tool.
AFAIK according to gdpr a DPA can act against a company in another country, there is no such thing as national jurisdiction. (This is already the case for complaints against e.g. google brought to austrian DPA). It even has provisions in case 2 DPAs are in conflict. So what is the article talking about?
>The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.
This is assuming that the lead supervising authority is the one in Ireland. Since facebook deals with data in all states, and doesn't make decisions about those data in Ireland (but in the US), it is not clear if Ireland is their sole LSA.
> Millions of Americans rely on Europe's tough new privacy rules
...do they? I'm an American, and I sure wish the GDPR would crawl back from whence it came. The only thing it does for me is show me gratuitous popup messages that I have to mindlessly click through.
GDPR is not just cookie banners. It's about putting the users in control of their data. It empowers you more than ever to find out what kind of data is collected about you, how/why it is used and with whom it gets shared.
Hahaha yeah right. If you can navigate the dark patterns to find the links to the opt outs from tracking then click through to 100 other websites and find their own opt outs (if they exist). Then trust them that they’re actually going to comply, won’t accidentally lose your settings etc.
Browser extensions to block them in the first place are still much more effective.
Ok that's great - what does that mean? How do I make them make it an opt in?
I contacted ICO in the UK about a breach (amazon sending unsolicited marketing emails through the order update system) - ICO told me to talk to Amazon, who said "Oh we're sorry" and ignored me. Just because it's against the law, doesn't mean companies wo'nt do it.
>“We need to be careful and ensure that the margin for maneuver given by the GDPR doesn’t lead to an attractiveness competition between EU countries, as is already the case for taxation,” Marie-Laure Denis, France’s new chief privacy regulator, warned the French parliament in January, in a clear reference to Ireland.
Of course the big and wealthy countries in the EU want to make sure that the smaller countries aren't attractive for businesses. It reminds me of Macron's proposal to screw over truckers from Eastern Europe.
These regulators knew that GDPR was going to have an effect like this. Why are people acting surprised now? Whenever I see talk that pertains to the Irish not doing enough with the tech companies it's always politicians from countries like France and Germany. I'm guessing that they don't like that tech companies set up shop in a country that isn't theirs.
> Of course the big and wealthy countries in the EU want to make sure that the smaller countries aren't attractive for businesses.
I'm not seeing that kind of thing happening at all.
It's just that the equation of how much to win (for a large number of Dollars brought into Ireland when Amazon opens a data center, for example), versus how much to lose (in lost regulatory power, tax revenue etc when domestic companies start asking for the same deal) looks different for a small country than it does for a large country.
...that is also the reason why tax havens tend to be small island countries. A country like Bermuda has a lot to gain from a zero-corporate-tax tax regime if it means it can fill the island with banks and law firms and little to lose if it has next to zero domestic economy and therefore it is by definition the case that the loss in tax revenue pertains to income that would have otherwise been taxed elsewhere anyway.
The article you linked to requires login, so it's difficult for me to comment on what's written there. -- The viewpoint I'm coming from is this: Go to https://en.wikipedia.org/wiki/List_of_countries_by_tax_rates Sort by corporate tax rate. Look at the ones that say 0%. Notice how many of them are island nations. The list goes Anguilla, Bahamas, Bahrain, Bermuda, Cayman Islands, ...
It makes sense that countries trying to follow the rules will be the ones complaining about those skirting them. You're not very well going to see complaints from Ireland about itself, are you?
Also, if Ireland wanted to be competitive for business they'd actually do something about having near-SF rents with 20-30%-SF wages. Or maybe try to foster our own companies for a change.
This is an incredibly well reported story.
>As far back as 2014, the question of how Ireland would handle the new privacy rules under the GDPR was on the minds of Facebook’s leaders. As it happened, Ireland was in the process of choosing a new chief data regulator to replace Hawkes. Sandberg took it on herself to investigate the matter, lobbying then-Irish Prime Minister Kenny on the sidelines of the World Economic Forum in Davos and also at her offices in Menlo Park, California.
According to emails obtained by the Irish Independent via Freedom of Information requests, Sandberg wanted to know that Hawkes’ successor would be “as strong as” he had been in the role. But if the wrong choice was made, Sandberg suggested, there would be consequences for Ireland’s attractiveness as a destination for tech investment.
“The risk is that companies will revisit their investment strategies for the EU market,” she wrote in a June 2014 email to Kenny, adding that Ireland’s regulator should be a person who would “establish a strong collaborative working relationship with companies like ours.”
The choice of Dixon, a former Irish civil servant with a law degree but no background in law enforcement or regulatory investigation, was in line with Sandberg’s wishes. Before she became one of the most important privacy regulators in the world, Dixon had spent four years working for U.S. software company Citrix, followed by a stint at the business-friendly Irish Department of Enterprise, Trade and Innovation.
Regulatory capture might be an understatement. How about "regulatory innovation?" That will confuse people and make it look like the corporations aren't running yet another banana republic.
Imagine, one gov appointed person can move left or right tens of billions of dollars in market cap. Maybe, even, hundreds of billions.
Oh, and that person makes, maybe, $150K a year. Anyone gets what I'm saying. We're all flesh and blood.
For some balance from the same publication the next day. Irish privacy regulator opens investigation into Facebook over passwords
https://www.politico.eu/article/facebook-ireland-investigati...
Ireland... Tax haven and advocate of US companies in the EU. This is unsurprising, unfortunately.
Fun fact : a gorilla of the US companies is Amazon, which operates out of Luxembourg due to a sweetheart deal offered by the now-President of the EU Commission.
But... let the pot-shots fly. Bad Ireland.
What kind of defense is that? "Look, the other guy did less of the same bad thing!"
I'm not defending Ireland, I'm pointing out double standards.
I think it’s unfair to say that just because there haven’t been legal action, there has been no action.
I live in Denmark, our data-protection agency has only recently gotten cases to a point where they could roll out fines. And that’s just for the small-scale offences that were legally easy to handle.
Some of the larger breaches will take many years to handle before a case is strong enough to be brought to the police. It’s also worth noting, that breaches of the GDPR don’t automatically lead to legal action. It’s only if organisations systematically abuse data or if they fail to fix whatever problems a GDPR audit points out to them, that legal action is the end result.
If you have a breach, like if a supplier forget to exclude an API key from their GitHub repository and I it leaves your employee names vulnerable to the entire world. But you find it, report it, fix it and tell the affected parties ie comply with the GDPR procedures. Then you’ll have breached the GDPR, but won’t have broken the law.
Maybe I'm wrong, but isn't one of the provisions of the GDPR that regional privacy commissioners may take over - exactly to avoid cases of regulatory conflicts of interest like this?
E.g. I think one of the recent fines was put in effect by the french privacy commissioner, even though, going by headquarters, the irish one would have been responsible. However, because french citizens were affected, the french commissioner was allowed to overrule. (At least that was my understanding how it worked)
I mean, Ireland's unwillingness to regulate internet companies is not exactly news. I imagine it was well-known when the regulation was designed (whether or not it actually influenced the design).
Local supervisory authorities can investigate issues that are "[in] the territory of its own Member State"
Where there are cross-border issues, though, the supervisory authority of the main establishment of the controller becomes the lead supervisory authority.
The article suggests that because Facebook, for example, has its European headquarters in Ireland, then complaints under the GDPR must be handled by the Irish data regulator. This is not the case. Any EU citizen can bring a complaint to the data regulator in their own country.
Sure, Ireland drags its heels but that does not prevent the data regulators in other countries from taking action.
You're partially correct. Citizens can bring complaints before their local supervisory authority, but cross-border issues are dealt with first and foremost by the lead supervisory authority.
To wit, article 56(1) of the GDPR:
>Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.
and 56(6):
>The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.
The key point is this, I think:
"“We need to be careful and ensure that the margin for maneuver given by the GDPR doesn’t lead to an attractiveness competition between EU countries, as is already the case for taxation,” Marie-Laure Denis, France’s new chief privacy regulator, warned the French parliament in January, in a clear reference to Ireland."
The meta-problem here is (jurisdiction for international matters) is acute.
It totally hamstrings corporate imcome tax as a category of taxation. In the modern economy, that's a big problem. The winner-loser disparity is such that taxing company profits is the ideal strategy. The alternative is taxing revenue/sales, which is far less efficient. A Google or FB could pay a pretty hefty corporate tax without affecting their output much. They literally make more profit than they know what to do with... it's piling up. A VAT alternative doesn't distinguish between them and (eg) auto manufacturers. It also doesn't tax export revenue...
That's a done deal at this point. Politician planning on funding stuff through corporate income tax changes is a sign of naiveté and haplessness. ... international jurisdiction problems are just too unsolvable.
A regulator shopping regime for privacy regulations basically takes regular on off the table, as a viable tool.
It'll bleed into other areas as well.
AFAIK according to gdpr a DPA can act against a company in another country, there is no such thing as national jurisdiction. (This is already the case for complaints against e.g. google brought to austrian DPA). It even has provisions in case 2 DPAs are in conflict. So what is the article talking about?
https://gdpr-info.eu/art-60-gdpr/
Article 56(6):
>The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.
This is assuming that the lead supervising authority is the one in Ireland. Since facebook deals with data in all states, and doesn't make decisions about those data in Ireland (but in the US), it is not clear if Ireland is their sole LSA.
https://iapp.org/news/a/is-it-possible-to-choose-your-lead-s...
Ireland: Europe's Texas.
Nope. More like Europe's Delaware
> Millions of Americans rely on Europe's tough new privacy rules
...do they? I'm an American, and I sure wish the GDPR would crawl back from whence it came. The only thing it does for me is show me gratuitous popup messages that I have to mindlessly click through.
Well, Americans who are EU residents like myself appreciate it greatly.
And you usually can get by those popups with reader mode - https://support.mozilla.org/en-US/kb/firefox-reader-view-clu...
I appreciate the European Collective Bargaining against corporations
To be fair, there are hundreds of millions of Americans, so that statement may be literally true.
Not sure why you’re being downvoted. This is a fair comment.
GDPR is not just cookie banners. It's about putting the users in control of their data. It empowers you more than ever to find out what kind of data is collected about you, how/why it is used and with whom it gets shared.
I un-downvoted the comment but millions do appreciate that at least somebody is trying to do the right thing.
I think there’s some truth on both sides. The cookie warnings are definitely annoying.
The new warnings the GDPR came with are much better. Now you can actually say no.
Hahaha yeah right. If you can navigate the dark patterns to find the links to the opt outs from tracking then click through to 100 other websites and find their own opt outs (if they exist). Then trust them that they’re actually going to comply, won’t accidentally lose your settings etc.
Browser extensions to block them in the first place are still much more effective.
That's a violation of GDPR. They need to be opt-in to be legal, not opt-out.
Ok that's great - what does that mean? How do I make them make it an opt in?
I contacted ICO in the UK about a breach (amazon sending unsolicited marketing emails through the order update system) - ICO told me to talk to Amazon, who said "Oh we're sorry" and ignored me. Just because it's against the law, doesn't mean companies wo'nt do it.
You have to complain to the organisation first, before a supervisory authority will take action.
You can also appeal any decision of the ICO to the Information Tribunal if you're unsatisfied.
>“We need to be careful and ensure that the margin for maneuver given by the GDPR doesn’t lead to an attractiveness competition between EU countries, as is already the case for taxation,” Marie-Laure Denis, France’s new chief privacy regulator, warned the French parliament in January, in a clear reference to Ireland.
Of course the big and wealthy countries in the EU want to make sure that the smaller countries aren't attractive for businesses. It reminds me of Macron's proposal to screw over truckers from Eastern Europe.
These regulators knew that GDPR was going to have an effect like this. Why are people acting surprised now? Whenever I see talk that pertains to the Irish not doing enough with the tech companies it's always politicians from countries like France and Germany. I'm guessing that they don't like that tech companies set up shop in a country that isn't theirs.
> Of course the big and wealthy countries in the EU want to make sure that the smaller countries aren't attractive for businesses.
I'm not seeing that kind of thing happening at all.
It's just that the equation of how much to win (for a large number of Dollars brought into Ireland when Amazon opens a data center, for example), versus how much to lose (in lost regulatory power, tax revenue etc when domestic companies start asking for the same deal) looks different for a small country than it does for a large country.
...that is also the reason why tax havens tend to be small island countries. A country like Bermuda has a lot to gain from a zero-corporate-tax tax regime if it means it can fill the island with banks and law firms and little to lose if it has next to zero domestic economy and therefore it is by definition the case that the loss in tax revenue pertains to income that would have otherwise been taxed elsewhere anyway.
The small island nation as tax haven is more of a stereotype than an absolute truth.
If you look at it objectively, most observers say the US is either the biggest or second biggest tax haven in the world.
Eg see this article https://www.bloomberg.com/news/articles/2018-01-30/u-s-seen-...
The article you linked to requires login, so it's difficult for me to comment on what's written there. -- The viewpoint I'm coming from is this: Go to https://en.wikipedia.org/wiki/List_of_countries_by_tax_rates Sort by corporate tax rate. Look at the ones that say 0%. Notice how many of them are island nations. The list goes Anguilla, Bahamas, Bahrain, Bermuda, Cayman Islands, ...
I think it’s because it combines 2 factors.
First, those islands hadn’t other ressources to sell. So to attract money in their banks they started no tax laws
And then it’s a nice place to spend a couple of days since they build hotels with the money they won on getting the no tax regulation.
> Of course the big and wealthy countries in the EU want to make sure that the smaller countries aren't attractive for businesses
Where “not attractive for business” means “weak rule of law” tho
It makes sense that countries trying to follow the rules will be the ones complaining about those skirting them. You're not very well going to see complaints from Ireland about itself, are you?
Also, if Ireland wanted to be competitive for business they'd actually do something about having near-SF rents with 20-30%-SF wages. Or maybe try to foster our own companies for a change.