Shortly after Europe imposed the General Data Protection Regulation, we decided to examine a pretty simple question: How is this going to work? And is it really going to be a serious problem for big data-centric companies like Facebook?

It so happened that the responsibility fell largely to Ireland, a country of less than 5 million people whose economy is disproportionately reliant on foreign investment and where the tech industry makes up an estimated 10% of GDP. Not only was Ireland the lead enforcer of GDPR for the European operations of Facebook, Twitter, Microsoft and others, it also was in charge of investigating privacy problems on behalf of other EU countries via a newly established body called the European Data Protection Board.

This setup raised other questions: Was Ireland’s regulatory agency ready to take exacting measures against companies that form the bedrock of its economic livelihood? Was the regulator fully independent, empowered and acting in the interests of some 500 million European citizens?

I reported this story for 10 months and found that the answer to the first question is probably not, and the answer to the second question is no.

The story goes into detail, but it basically lays out a pattern of accommodating corporate interests, avoiding disruptive enforcement action and prioritizing "engagement" — consulting — with companies whenever possible.

Ask me anything.


EDIT: Thanks for the questions, everyone. I'm signing off now but feel free to keep dropping questions below and I'll try to get to a few more tomorrow. – Nick

Are you surprised?

Has anyone threatened you yet?

If you were to estimate how much it would cost to purchase gentler enforcement, how much do you think it would cost?

Hi there! A lot of what came out in the reporting did surprise me, yes - notably as regards Ireland's 2011 audit of Facebook. It was the most thorough examination of the company's privacy practices to date and it brought up matters that only came into perspective later. For example, the Irish regulator flagged that Facebook needed to do a better job screening apps - which we now know was a central issue in the Cambridge Analytica scandal. But then the regulator gave Facebook basically a clean bill of health less than a year later... What happened? It's a big question.

Then there was everything the regulator didn't do - investigation of Google, sending people to Facebook, issuing any enforcement action on known privacy breaches...

And no! Thankfully no threats. Some tough questions from Irish people, but that's to be welcomed.

– Nick

On the cost of gentler enforcement, that's a tough one. I suppose you can look at the aggregate of tech investment into Ireland and use that as a metric. —N

You should follow up on key personnel in the European Data Protection Board. I wouldn't be surprised if quite a number of them later "retired" into lucrative positions in the industry they are overseeing now. It's not any different than with any regulatory oversight, since the regulators often require education, knowledge or training to be good at oversight, and those skills are sometimes complementary to some industry positions. The more cynical would argue that most are playing into the "revolving door" model that only benefits companies and the regulators, while leaving the public ignorant and hapless.

FWIW, the regulator who oversaw Facebook's audit, Gary Davis, now works for Apple. So does Sandy Parakilas, a former Facebook employee-turned-critic of the company. — Nick

Does "digital privacy" still exist? Is there a way to protect ourselves, or are we already past the point of no return?

Hi - good point. I'd be inclined to answer: no, digital privacy does not really exist, unless you cut yourself off from the internet and major apps totally. Even if you delete Facebook, for example, your data will still be captured if you use Instagram, WhatsApp or any other of their properties. The same goes for Google products. Basically, when we go on the Internet we leave a trail of data that is monetized whether we like it or not. The GDPR tries to fix that, by forcing the cos to obtain your explicit consent before taking your data - as in "yes" or "no". But the hard truth is that's not applied in that way. Do you come across websites that allow you NOT to share your data - i.e., allow you to access the site even if you say no data collection? They are super rare in the EU, almost non-existent in the US. Sadly, GDPR is not being applied in that way quite yet, or maybe ever. — Nick

Ayasta38 karma

Thank you for your investigation and taking the time to answer our questions.

Are there European parties or candidates in the election that are willing to tackle this issue and confront Ireland?

Also, what has been the reaction to this among Ireland's population? Do people care, or are they even aware of what is happening?

If you mean in terms of a sanction or warning from other EU states, the answer is no. I'm not even sure there is anything in the law that would allow for that. The various EU agencies are meant to cooperate and help each other's investigations via the European Data Protection Board, which is sort of a consultative body and not really an authority.

That being said, you're starting to hear more frustration from other EU regulators about what Ireland is doing, or rather not doing. France's new data protection chief has warned about the risk of regulatory safe zones in Europe, which was almost definitely a reference to Ireland, and several agencies in Germany (there are 16!) have publicly criticized Ireland's failure to act, namely on facial recognition and data exchanges between Facebook and WhatsApp.

The Irish regulator chalks this up to "cultural differences," as in we don't do things the same way the Germans or the French do. The problem is, because of the way the system is set up, Ireland is the lead regulator for 500 million Europeans, not just Irish people. So the cultural difference argument is a bit hard to accept on the face of it.

– Nick

There are a lot of tech-savvy politicians in Europe, but I honestly think they are not really aware yet of this matter and the challenge of applying GDPR. People like Guy Verhofstadt and plenty of others like him have been shouting for investigations into Facebook. They just haven't really connected the dots and pointed a finger at Ireland to say: It's up to you. In the next Parliament, which gets elected in May, there are going to be some hawks that I suspect will raise pressure, in particular Katarina Barley, who's Germany's current justice minister and a very vocal critic of Facebook. — Nick

As for the Irish themselves, it's a tough one. I mean, they know their economy has really benefitted from Silicon Valley, and they are thankful for the jobs it brings. So it's a bit of a taboo over there to take on the big tech companies - everybody depends on 'em! In other ways, the Irish are very privacy conscious and want to limit things like state surveillance. It's just that so far I think they might be worried about taking measures that would scare away a Facebook or a Google, which makes sense because some tech companies have threatened implicitly that they can withdraw investment. — Nick

CheesyStravinsky34 karma

What is the biggest problem or issue in data privacy law now? How might it be fixed?

Um, there are a lot, but for me it's probably the use of facial recognition for mass surveillance. Basically, there are no laws now that stop authorities from collecting your biometric data and putting that into a central database where it can be used to track or, if necessary, stop you from travelling etc. This is basically a reality in Uighur regions of China already, but it's on its way here (EU and US). Europe for example is developing a traveler database for non-EU people that will include biometric information. The States already has one. Facebook has giant stores of biometric information from your photos. Imagine combining that with state surveillance capacities to track people? — Nick

It might be fixed by a specific law on biometric data collection - that it needs to be deleted after a set time etc. — Nick

NeverEnufWTF30 karma

How long does Ireland have this gig? Is it open-ended, or is there a time limit after which some other country gets the nod?

Hi NeverEnuf. There is no time limit. The one-stop-shop mechanism is the law of the land, until further notice. Cheers — Nick

Another one: you report that FB claims that 'the Irish regulator had never requested any changes that would have prevented the Cambridge Analytica scandal.' Schrems raised access to data by third-party apps in his complaint and it was covered in the two audits carried out by the DPC. Did FB provide any argument to refute the conclusion that if they had shut down such data access in 2011/12 then it would have been impossible in 2014 for Aleksandr Kogan's app to collect the data which would be passed on to CA?


politico26 karma

Boom, that is really the money question... Basically, they said that the Irish regulator was nowhere near the issue, that they fulfilled the recommendation, and when they did act to cut off the Kogan app and other "corrupt apps", it was on their own initiative. But in 2011, the Irish regulator specifically talks about the screening of third-party apps and quality control as a problem in a lengthy recommendation. Even after the 2012 report is issued, clearing Facebook, there is continuing dialogue between the DPC and Facebook, presumably behind closed doors. Helen Dixon refers to this non-public exchange in testimony to the Irish Parliament in 2017, saying they were still working with FB on an "iterative" basis to fix problems. But tantalizingly she doesn't reveal what those were. Then, Facebook acts in 2014 -- presumably on its own! -- to cut off Kogan.

politico13 karma

Make of that what you will. But it seems plausible that an ongoing dialogue is happening between 2012 and 2014, that leads to the cutting off of corrupt apps -- and Kogan's -- in 2014. That is my analysis - not the reporting. Thanks — Nick

Is there anything an average citizen can do about this?

politico17 karma

For sure, if you care about the way your personal data is used, you can advocate for a federal privacy law (I am assuming you are based in the United States). As the saying goes, sign a petition or just call your congressman or congresswoman. On a personal level, you can start paying attention to consent-gathering pages on websites. You should have the opportunity to refuse to have your data collected and still visit the site. If not, that site is not compliant with EU data protection rules. — Nick

There are companies that take GDPR very seriously, and while it appears enforcement is compromised or at least has a conflict of interest, it is better than what the US has. Have you investigated the need for privacy protection in the US and where the money is coming from that opposes it?

I definitely agree that GDPR is a lot better than what the US has, because currently there is no federal privacy regulation. There is a law in California, and one in Washington state that is likely to get killed this weekend (!). In the latter case, we saw how big tech companies, namely Microsoft, got heavily involved in the writing of the bill, and basically scrubbed out the threat of any serious sanctions. At the same time, there is an FTC investigation into Facebook and the CA scandal that may yield a big fine. But what really matters is changing the co's behavior, and that can only come with laws. These companies are so big they can shrug off even a large fine. — Nick

PS: One big difference is that corporate lobbying is often less effective in the EU -- especially when the legislation is not going to affect a European company! The GDPR largely affects American ones. But the Europeans aren't perfect - look at the diesel emissions scandal, for example... — Nick

dubviber9 karma

Hi Nick,

Enjoyed the article. How did the entry into force of the GDPR allow FB to start sharing the data of Whatsapp users again? I understand that Ireland became the lead authority but not why that should have led to the setting aside of the decision of the Hamburg Data Protection Authority.

- dubviber

Um, I agree that's a pretty baffling one. Basically, when the GDPR came into force, it replaced any legal precedent on data privacy throughout the EU. So whichever bans were in place on specific issues like that, they were mooted. Facebook then argued that it was obtaining "consent" for facial recognition on the site, but the way the consent was gathered was problematic. It was not an easy yes or no option. — Nick

This allowed them to bring the tool back, with the tacit approval of the Irish regulator. —Nick

Hi Nick

In your opinion are there any structural problems (as opposed to political causes or corruption) with the Irish regulator that significantly contribute towards this apparent lax enforcement of the GDPR?

You note that the regulator describes itself as:

"one of the most strongly resourced data protection authorities in Europe"

But that's a relative statement. It'd be interesting to hear whether you think 140-180 staff is anywhere near enough to deal with these complicated issues and given the density of tech companies in Ireland.

Also, how much coordination is there between the regulator and law enforcement? This type of issue is often highly technical and with the added legal angle I wouldn't be surprised if the poor enforcement performance was due to under-resourcing (although I'm not suggesting that it is, and equally willing to believe there are conflicts of interest, corruption, etc.).

Yeah, that is a really good point. 180 staff sounds great, and is almost equivalent to the French regulator, for example. The enormous difference is that Ireland's responsibility is vastly disproportionate to its size. So if you went by the size of the companies Ireland is supposed to police, they might have upwards of 500 or even 1000 staff. But it's funded by the Irish state and that's not going to happen.

On the second point, there is actually not a good system. Ireland's legal system is prohibitively expensive. If the Irish regulator sanctions a Facebook or a Google, they are going to court, and the court case is going to cost them millions and millions of euros. Facebook and Google can go on forever with their deep pockets - not so much the DPC. In fact, until recently, there was a budget limit on the DPC that effectively ruled out expensive legal cases. Now nominally there is no limit, but it's hard to see them spend potentially tens of millions on a giant case, especially if an Irish court could rule against them in the end! — Nick

alasestrellas6 karma

It seems to me that on a worldwide scale, digital privacy is continually being eroded. Obviously there will be some cases where that isn't true, but that's the general sense that I've been getting.

Would you agree with this assessment? Why or why not?

I would have to agree. Just look at what is happening in China with mass surveillance and a social credit system - it's worrying. In Europe, we have strong rules, but they are very unevenly applied, if at all. There are also huge exemptions for law enforcement, which allow authorities to access, gather and process a great deal of data, even when rules like the GDPR in theory should stop them. Take a look at what the EU is preparing in terms of a traveler registry for non-EU citizens. — Nick

Anything135792 karma

Apple says they really prioritise their users' privacy. How much is this true?

What can be said about Apple is that they do not propose micro-targeting services for advertising on their platforms. So a whole range of potential abuses that exist on Facebook, Google etc. — the fact that such targeting can be used in ways we would consider abusive, like influencing small groups with specially crafted political messages — is not relevant to Apple. However, there are other ways personal data can be leveraged, and there is little doubt that Apple is gathering a lot of it. See reporting on Apple health apps, etc. Exactly what Apple is doing with this data is a bit of a mystery. Another point: It's not very easy to see what sort of data is being gathered by an app you download from the Apple App Store. They are closed boxes, much more so than websites. — Nick

gidoBOSSftw57312 karma

What benefits, if any, are worth my privacy? I get that the Google Maps timeline feature isn't worth it, but what about Google Assistant? YouTube recommendations? Free email?

That is really one for each and every one of us to think about. The basic point is this: we've not been given an option on whether or not to give up our data in an exchange for a service. The services, as good as they were, were presented as "free," and we had very little understanding of what we were giving up in exchange, or the range of abuses linked to the wholesale gathering of personal data. Europe's GDPR takes an important step of enshrining ownership of personal data as a "fundamental right." In other words, as an individual you have a fundamental right of control over information about you. If someone asks for it, be it a private corporation or a government, the terms under which it's gathered and how it will be used need to be made clear, and you need a clear, simple choice of saying "yes" or "no" to having your data collected. It's pretty simple and, unfortunately, it's widely ignored. — Nick

pandamaster22 karma

Is any other EU country in a position to replace Ireland as the primary country?

Not under the current system. EU countries agreed to the one-stop-shop regulator system, and this is the way it will be unless some major scandal prompts a reevaluation. — Nick

PrivacyViking1 karma

How do you feel about the role of the EDPB in ensuring consistency in approach between the DPAs in Europe?

How do you feel about the cooperation models between DPAs?

Do you think any of that is actually going to be effective?

politico1 karma

Freethecrafts1 karma

In your opinion, how probable will it be that the EU will enforce criminal statutes against regulators who engage in these types of actions?

Hi Freethecrafts. In my opinion, the likelihood of any sort of coercive action by the European Commission against a national regulator is very slim. What you might see is growing public awareness of discrepancies between enforcement cultures in different EU states.

One thing to keep in mind is that Ireland's Data Protection Commission is looking for a new boss, as Helen Dixon's term is coming up. A robust public debate about the commission's track record and Ireland's role as a regulator might weigh into the recruitment process and steer people toward someone with a history in investigations and/or law enforcement. — Nick