Ireland vs. Big Tech: The wait continues

Forgive me, then, for getting a bit antsy as we pass the 18-month mark since the European Union’s General Data Protection Regulation (GDPR) went into force and we’ve seen very few precedent-setting actions taken by data protection authorities (DPAs). Of the 28 EU member states, at least 23 have issued fines for violations of the GDPR, but there’s been one country notable in its absence from that list: Ireland.

Why is the world keeping such a close eye on the Emerald Isle? It is the European home (and data privacy regulator of record) to some of the United States’ biggest technology companies: Google, Facebook, and Twitter, to name a few. It has historically been kind to Big Tech, which begs the question of how it will handle potential violations of the GDPR.

Major tech firms are the subject of at least 19 investigations into potential GDPR violations by the Irish Data Protection Commission, including at least 10 probes into the practices of Facebook alone. Both Google and Facebook have tangled with governments over their alleged abuse of the personal data of their users, but never has a regulator been in a position to make as big an impact on one of these company’s bottom lines as Ireland is.

The maximum fine for a GDPR violation is 4 percent of a company’s annual turnover, which means for a company like Facebook, for example, it could be up to $2.2 billion (4 percent of the company’s annual revenue in 2018). That’s far from the pocket-change $643,000 it was penalized by the U.K.’s DPA for the Cambridge Analytica data scandal, which predated the GDPR.

Why such a long wait, then? Could it be that a reluctant Ireland is dragging its feet? Sure … but there could also be another explanation.

“We have to aim first, not shoot.”

That’s a quote from Ventsislav Karadjov, deputy chair of the European Data Protection Board, speaking at the recently concluded Compliance Week Europe conference. He said it not about Ireland in particular but on the general importance of letting the investigative and enforcement processes play out at their own pace.

His point was that every enforcement action taken for GDPR violations is going to be heavily scrutinized not only by the business community but more importantly by the courts. And that means every case they make needs to be airtight.

“It’s very important that everything is done by procedure under the law,” he explained. “We have to prove each of the actions taken. If we don’t, we are at risk that when companies go to court, we’ll lose the case. And if that happens, we’ll lose credibility as a regulator and credibility in the eyes of data subjects.”

 Sounds logical, even if we’re still wary about Ireland’s appetite to pick a fight with Big Tech.