Luck of the Irish Puts All Europeans in Danger

Dublin has become the European Union’s bottleneck in privacy regulation. The world’s biggest and richest Technology companies have opened their European legal headquarters in Dublin and thus made the IDPC the lead supervisory authority. The IDPC features eight employees on it’s about page and fails to load a pdf with the “full organisation chart” upon request. To say that an authority of one of the European Union’s smallest Member States with so few employees can and should be in charge of legal proceedings into the world’s most powerful corporations would be funny if it didn’t have such potentially dire consequences.

Whether you record a little dance on TikTok; give your political views on Twitter or play Farmville on Facebook you create a constant stream of valuable data. So valuable that only a few months ago US Tech stocks' (mostly Apple, Microsoft, Alphabet, Amazon, and Facebook) market capitalisation totalled $9.1 trillion and was thus worth more than all European stocks combined. Your data is so valuable because collecting it costs the companies nearly nothing and selling it provides for the world’s best targeted advertisement. All your digital habits are used to predict when and what you will spend money on. Most profitably, by hooking you with micro dopamine hits engineered into the apps, your behaviour is being changed to fit that of the highest bidder.

Thus, making sure that your Data is not simply given to the highest bidder regardless of your consent or knowledge is among others the task of Commissions such as the IDPC. The European Union has gone ahead globally and established some of the highest standards for personal data protection in the General Data Protection Regulation. Thousands of complaints for breaches of its rules have reached data protection commissions in Europe since. The most important ones against Facebook, Google and co are held up in Dublin.

A rule not observed is a rule non-existent and so year-long delays on complaints, fines and breaches provide global companies with a certainty that as long as their breaches of cross-border data transfers or other GDPR-related infringements will be dealt with in cosy Ireland, they are remarkably safe to ignore most rules and proceedings and continue. Move fast and break things. To blame the IDPC itself is unfair as it requested to increase its resources and budget significantly but was shut down by the Irish government. Some of the larger Data Protection authorities such as Germany have offered support in huge cases against giant platforms, but their offer has not yet been taken up.

The mass transfer of user data out of the European Union to the USA has recently been successfully challenged in Europe’s highest court. The Schrems II ruling that broke the Privacy shield program showed that the lack of an appeals mechanism for European individuals in the USA breaches European law. This has gotten US giants to scramble for other means to continue racking in billions with European data subjects, while leaving them without any redress or appeal mechanism. This case shows that fast and effective rulings on complaints against US tech giants are now more important than ever. Europe simply cannot wait decades for Dublin to get its act together.

A second, potentially more dangerous threat comes from countries like China. It presently is under quite a hurry to establish its commercially most successful data gatherer, TikTok a main legal representation in Dublin. Its parent company ByteDance thinks that also TikTok should benefit from the famous Irish regularity vacuum by making it its lead supervisory authority.

TikTok has several investigations running against it by the French, Dutch and Danish Data regulators for not securing its users data properly and for sending user data to China. If TikTok were to legally move to Ireland and the company were to trigger a certain one-stop-mechanism according to the European Data Protection Boards latest opinion. Dublin would become the lead supervisory authority and all these pesky investigations would have to be transferred to Ireland and likely stay there unresolved for years or decades. A successful example of this working is a Swedish probe into Google’s location tracking practices that had to be handed over to Ireland and is lost in the void for over 2 years and counting. Anticipating this the EDPB has even established a European TikTok taskforce to counter fragmented decisions and regulations from several Member States not with much success so far it seems.

The Zhenhua data leak gives us a glimpse of what a Marxist-Leninist authoritarian regime might do with all this data about you dancing and philosophising online. A Chinese data gathering company linked to military intelligence has comprised detailed profiles of 2.3 million people of interest and 650,000 organizations from publically and non-publicly available information. The non-public part is important as it is often taken without the users consent or knowledge and would go against European rules. According to expert analysis, China is using these very detailed profiles to manipulate, bribe, extort and otherwise compromise current and future leaders to follow its will. These profiles are also a goldmine for producing believable dis-information campaigns. As luck or karma would have it, 963 influential Irish citizens have been found in the leaked data base comprising “politicians, trade unionists, scientists, tech entrepreneurs, academics, bankers, business leaders, diplomats and even high-profile criminals”.

There is no simple one off solution, but we need a well-funded European Data Protection Commission, that focuses all the expertise that Member states have to oversee and independently and quickly rule over cases involving European Data Transfers to jurisdictions like China or the US. We can’t afford to wait for Dublin any longer.