Why Isn't GDPR Being Enforced?

Politico has a long article making the case that the lead GDPR regulator, Ireland, has too cozy a relationship with Silicon Valley tech companies to effectively regulate their privacy practices.

Despite its vows to beef up its threadbare regulatory apparatus, Ireland has a long history of catering to the very companies it is supposed to oversee, having wooed top Silicon Valley firms to the Emerald Isle with promises of low taxes, open access to top officials, and help securing funds to build glittering new headquarters.

Now, data-privacy experts and regulators in other countries alike are questioning Ireland's commitment to policing imminent privacy concerns like Facebook's reintroduction of facial recognition software and data sharing with its recently purchased subsidiary WhatsApp, and Google's sharing of information across its burgeoning number of platforms.

EDITED TO ADD (5/13): Daragh O Brien, a regular critic of the DPC who was quoted in the story, believes that he was misquoted and that the article wasn't entirely fair.

Posted on May 2, 2019 at 5:17 AM • 20 Comments

Comments

Mike • May 2, 2019 7:15 AM

I thought any EU country could investigate these giants and whoever finds them guilty gets the money.

Does it have to be Ireland that enforces the regulation?

JO • May 2, 2019 7:30 AM

In my opinion, this is the major problem with your desire to always increase government regulation to "solve" problems in information security rather than let the markets work. I'm sure you've heard about regulatory capture, but for those who have not, when the government heavily regulates an industry, large corporations use that to their advantage to shut out competition, and yet the major purpose of the regulation usually isn't fulfilled due to crony capitalism (collusion of the corporations with the government). It's almost inevitable. The usual solution to prevent it is, wait for it, additional regulation.

Look at the example of DuckDuckGo. It's not trying to *force* Google to protect people's privacy, it's providing what it thinks is a better product. Maybe it will be successful, maybe people will decide their privacy isn't worth that much to them. It's not for those in ivory towers to look down on the public and tell them what products they should be allowed to have. Educate, don't regulate!

Petre Peter • May 2, 2019 7:34 AM

I still have hopes for GDPR but it seems like the enforcers of GDPR are intentionally underfunded.

Officer X • May 2, 2019 8:24 AM

They are not exactly the "lead GDPR regulator". Every country has a potential Lead Authority who look after the organisations with multinational presence. Since for EU the tech companies are principally registered in IE, they are most likely the Lead Authority, although of course every member state can go after them in their country.

Bob Robertson • May 2, 2019 10:35 AM

Those who place their trust in princes deserve what happens.

How can anyone believe in benevolent government? The people who populate government are, and always have been, just people. They act, as everyone acts, in their own self interest.

Not yours.

justinacolmena • May 2, 2019 10:49 AM

… the lead GDPR regulator, Ireland, has too cozy a relationship with Silicon Valley tech companies to effectively regulate their privacy practices.

Sounds like an Irish Mob boss: regulatory capture is the technical term for that.

Dentists regulate dentists for the mutual benefit of a non-profit dental association, and the patients are left without recourse under the law of Moses for the unnecessary loss of their teeth. Dentists do have to make money at what they do, after all.

Chelloveck • May 2, 2019 11:15 AM

@JO: Unfortunately, the market is not a good solution for this sort of thing. It's been shown time and again that the majority of people don't act in their own self-interest regarding their privacy or security. Cost is always an overriding factor. "You can use this service for $1/month, or you can use this service for free if you just give us access to your personal data." Most people undervalue their personal data and will jump at the chance to sign up for free. Yeah, you said education. Good luck with that. Even people who should know better will jump at a deal, or undercut their own security for the sake of convenience.

Also, it's not just about the people who knowingly use said services. The services build profiles of people who've never actually visited them, too. One never needs to explicitly go to facebook.com for Facebook to have a profile of them. If you go to any site that loads a "Like this!" button from Facebook, Facebook is collecting data on you regardless of whether or not you click. Read the mouseover text on the social media buttons on this very site for details. Now, if I'm not knowingly visiting Facebook, how can I apply market forces to prevent them from collecting my data?

@Bob Robertson: "How can anyone believe in benevolent [government] corporations? The people who populate [government] corporations are, and always have been, just people. They act, as everyone acts, in their own self interest." Just as pithy, and just as true. So what are we left with?

Denton Scratch • May 2, 2019 12:54 PM

@Petre Peter

"I still have hopes for GDPR but it seems like the enforcers of GDPR are intentionally underfunded."

It's not Ireland's fault. No EU member government wants the Directive enforced.

The Data Protection Directive wasn't enforced much, either. The DPA (the UK's implementation of the Directive) was enforced mainly against local authorities; they only got penalized when they ignored the series of polite letters that were sent to them, notifying them of their failings. Private companies typically just got a warning.

GDPR is on the face of it *much* more burdensome. Organizations that handle personal data must register; they are required to appoint a trained member of staff (the Data Protection Officer) to oversee compliance and put procedures in place; all staff that handle personal data must also be trained; potential fines are huge.

These laws were never really meant to be enforced. They are for show - to pacify the plebs. I retired a couple of years ago, so I'm not sure; I was briefly my employer's DPO. But I suspect that the vast majority of private organizations in the UK have no Data Protection Officer. Nearly all organizations have employees and/or customers, so they handle personal data.

GDPR was introduced with a two-year phasing-in period, even though everyone knew when it would become effective long before that. No process has been put in place to (e.g.) inquire of organizations whether they have taken any measures to come into compliance, or whether they have even thought about it. It's nuts - if you even so much as run a private society with a mailing list, then the GDPR applies to you, and you must register, appoint a DPO, and adopt a policy and compliant procedures.

In 2004 the EU introduced a Regulation requiring member countries to prevent spam. But it didn't specify penalties. It took Belgium about ten years before they got around to implementing legislation to comply with that Regulation; I don't think anyone even told them off. Bulgaria took even longer. Most member countries apparently took the view that spam was simply commercial communication, and that preventing it was an impediment to legitimate business. No member country wanted to impede legitimate business, especially if that would place them at a disadvantage compared to other member countries. The UK implementation of that Regulation required all prosecutions to be undertaken by the Information Commissioner's Office - a chronically underfunded, understaffed and overloaded government agency. This is no coincidence; nothing the ICO is supposed to do is a thing the UK government wants done.

So if you're waiting for swingeing fines, don't hold your breath.

Fazal Majid • May 2, 2019 6:08 PM

The wheels of justice grind slowly, especially in countries like Ireland that have the misfortune of having English Common Law as their legal system, since the level of capricious arbitrariness allowed to judges makes any legal action a gamble, potentially an expensive one for the regulator.

Since GDPR allows the data controllers to choose their "one-stop shop" data protection authority, they will not choose one in a tougher Civil (Roman) Law jurisdiction where the law is what the legislature says it is and judges apply it but don't get to make things up the way corporate personhood was invented in the landmark US Supreme Court case Santa Clara County v. Southern Pacific Railroad Co.

Now there are cultural differences between European countries, not just in the realm of privacy. Just one example: the Dutch tax authorities are used to negotiating the amount of tax a company will pay, rather than applying uniform rules, which is why it's a popular destination for corporate HQs.

justinacolmena • May 2, 2019 6:31 PM

It's been shown time and again that the majority of people don't act in their own self-interest regarding their privacy or security. Cost is always an overriding factor. "You can use this service for $1/month, or you can use this service for free if you just give us access to your personal data."

Same old door locks.

Possession of lock-picking tools and key-cutting equipment is strictly prohibited by law, and do-not-duplicate is enforced by municipal code.

Meanwhile, police officers, landlords, lenders, realtors, military officers, and private security guards, all of whom have the free run of our homes, are always on the lookout and search to make sure that we do not possess any such equipment.

I am sorry.

The keycuttery, locksmithery, machine-shoppery, and insurance agency fellowship cannot save us from burglary, robbery, and armed invasion when we are denied the right to possess and carry firearms and tasked with a duty to retreat from any and all fire under color of law.

They took too much property of ours by the unjust use of force under color of law: we shall have no option but to resist them, slow them down to a stop, turn the tide, and exercise force on the offensive to take back that which by force was wrongfully taken from us.

Jukka • May 3, 2019 2:04 AM

It is being enforced. But like everything in the public sector, enforcement takes time.

This is a battle that spans decades, not years or months.

Of course, it is partially also the responsibility of public-interest technologists and civil society groups to ensure rigorous enforcement.

JohnB • May 3, 2019 2:43 AM

Ireland is the wild west of unenforced regulations. We operate a massive tax haven in our capital, which - in order to operate optimally - we didn't set and enforce financial/banking regulations effectively. This led directly to the worst economic crisis in the country's history - and almost nothing has changed today.

The country has a very long history of fraud and regulatory laxity/corruption, and a pliable population which today is barely able to afford a place to live, due to government complicity/corruption, in allowing the property/rental/construction markets to become massively warped in a way that escalates the cost of living beyond most people's practical means.

Don't look to Ireland to effectively regulate anything.

Davis • May 3, 2019 8:48 AM

GDPR has made zero real difference other than (1) made users explicitly accept outrageous data collection policies and (2) produced toothless internal “GDPR officer” positions.

PGL • May 4, 2019 7:03 AM

@Bruce summarizes the article perfectly:
“Politico has a long article making the case that the lead GDPR regulator, Ireland, has too cozy a relationship with Silicon Valley tech companies to effectively regulate their privacy practices.”

@JohnB (Irish citizen) states:
Don't look to Ireland to effectively regulate anything.

@Jo (let Silicon Valley run wild)
Educate, don't regulate...
Jo, this is a selfish extremist point-of-view. Humans receiving great, undeserved power cannot control themselves and make bad choices. The current result is ongoing criminal investigations against Silicon Valley bad actors.

Smart Regulation of Hi-Tech Works Great!
Ironically in the past year Silicon Valley has submitted to far-reaching, dramatic, intense REGULATION largely authored by President Tr*mp and usually strong anti-regulation REPUB conservatives.
[1]

The New Rules of Silicon Valley
Whatever the reality, the T*ump administration’s posture toward China is having consequences. Quietly, over the past year, as many as a dozen China-linked firms have scaled back their US investment programs, some dramatically, Recode has learned, due to more aggressive behavior by a regulatory body called the Committee on Foreign Investment in the United States, or CFIUS.
https://www.vox.com/recode/2019/5/1/18511540/silicon-valley-foreign-money-china-saudi-arabia-cfius-firrma-geopolitics-venture-capital

These effective, tangible results prove SMART REGULATION of SILICON VALLEY is extremely effective. But only when the ultra-rich tech gods don’t pay off politicians or reward with plum jobs (as in Ireland and the USA).

[1] The program’s success isn’t even deemed newsworthy by the politicized MSM

chuck • May 4, 2019 2:53 PM

All the effect from GDPR I can see - the ugly popups blocking webpages unless I use VPN to Americas.

Clive Robinson • May 4, 2019 3:13 PM

@ PGL,

Recode has learned, due to more aggressive behavior by a regulatory body called the Committee on Foreign Investment in the United States, or CFIUS.

The author of that piece Theodore Schleifer is either politically naive or actually touting the line the Republican MIC War Hawks want you to incorrectly believe, and if the latter it should scare you a lot, as it's probably the most significant security question US Citizens will have to face up to.

If you look at this paragraph it's fairly easy to see it's wrong,

    The debate around accepting money from China pits two opposing bedrock political beliefs about China against each other: Either China is a highly sophisticated US adversary coyly infiltrating Silicon Valley through communist-aligned actors who arrived here to steal intellectual property or it is just like any other foreign player seeking financial gains — but is being unfairly targeted by a belligerent government that stereotypes all Chinese actors.

There is a third reason that is actually more probable than the two given in that paragraph. China has for quite some time now been "investing in peace".

The whole point is that China as part of a long term strategy has been investing in the US as has Russia to reduce the likelihood of either another proxy war in the south China Seas or an all out World War.

Whilst trade and investment is a two way street, it also puts the handcuffs on any Military Endeavors by both sides. That is it's a little daft to go to war with a country that supplies not just your civilian but military with technology that is used from the earphones in personal entertainment systems through to parts for the engines used in all US manufactured aircraft, likewise quite a large number of the display systems again in personal entertainment systems through to high end military systems, and a whole lot more technology as well. As long as two nations' economies get locked together by trade and investment neither side will gain by warfare against the other, because if you destroy the other economy your economy is dependent on, then you are effectively cutting your own throat.

The current US President as quite a few have noticed is very war averse, which is not what the MIC want to hear because it hurts their profits and promotion prospects greatly. It's also out of line with the aims and objectives of various people around him, which is John Bolton and Co whose sole interest in life is trying to foster situations where US citizens will be filling body bags one way or another.

John Bolton and Co clearly look on the current US President as a "useful idiot" and thus they slipped the new regulations for the previously toothless Committee on Foreign Investment in the United States, or (CFIUS) regulator under his pen as part of his anti-China make US great fantasy. Which will turn as a minimum into an economic disaster for the US...

Traditionally a foreign war has opened the Treasury Doors and created wealth for the lucky few in the MIC. In the more distant past it also stimulated the manufacturing industry in the US thus briefly lifted the US economy, but that was back when the US had raw resources to burn, which is no longer the case. The US is now increasingly dependent on raw resources it gets from places that traditionally it "subjugated" which is currently what it is trying to do in South America yet again but with a lot less success than previous times.

But another difference now is technology has moved on greatly "iron, coal, oil and nitrates" are no longer what will give you leading edge technology. As I've pointed out on this blog over the years amongst other things are rare earth minerals which are now a "critical need". It just so happens that China and North Korea appear currently to be the part of the world where they are most easily obtained, which is something the more fantasy minded war hawks such as John Bolton and Co do not appear to have grasped in their mantra and myths.

Perhaps one of the things that has annoyed these various US MIC War Hawks the most is that China is too big to even rationally think about subjugating and contrary to what the war hawks have been trying to foster for well over half a century, war with North Korea is realistically not possible and has not been all that time contrary to the nonsense John Bolton and Co espouse in a rose tinted fashion about the Ronie "ray-gun" - "Mad-Maggie" Thatcher era.

What the US people do not need is another proxy-war around the South China Seas as they have always been a disaster and will almost certainly be more so now that China is flexing its muscles and telling the US its "Willy-waving" activities in the South China Seas are no longer wanted. One of the real reasons that the US wants out of the Intermediate range missile treaty is it's pointless and they will grasp at any excuse to do so. The reason is it never included China or other nations such as India and Pakistan which all have developed such weapons to keep both each other as well as Russia and the US out of range...

The reality of geo-politics is Russia is considerably more at threat from China than they are from the US. So Russia have announced they are starting to investigate and design new delivery mechanisms that are likely to be in the treaty fringes. But they are actually for pointing East towards China, India and Pakistan currently, not West such as the US (that is they are not intercontinental).

However if the US carries on with its actions in the Middle East and Europe, which has produced no end of problems including an upsurge in terrorism where none existed before, that has now spread into Europe, it would not be surprising if Russia did start pointing intermediate range nukes into the Middle East and Eastern Europe. Remember Russia has had more issues with terrorism than the US has and will do what it sees as "pragmatic" to defend itself. Whilst Russia have not yet started in on the faux "First Strike Defence" argument the US invented to hide the "bomb them back to the stone ages" strategy used for subjugation, Russia has in the past and almost certainly will continue to do in the future, is take various actions in countries around its borders, to build a buffer zone, just as China does.

As for IP stealing, well for the US to play that card is somewhat laughable. History shows the US was IP stealing one way or another all through the last century and for at least half a century before that.

Ironically China used the shortsighted behaviour of US share holders against the companies that were likewise "short term (mis)managed". China has several effective monopolies and a large labour force that were considerably cheaper than elsewhere in the world for various reasons (mainly that it was an effectively self sufficient agrarian society).

Thus US companies "out-sourced" for short term profit to China and thought they could play fast and loose with the Chinese Government and its legislation and judicial system. Some US and other Western Countries companies failed to be "duly diligent" and thus lost out by their greed or lack of diligence. When companies started to wise up China used its effective monopoly on rare earth metals to continue to entice Western Companies to bring in their technology. The simple fact is China in no way forced any of those companies managers to be stupid, the managers just were, and because of their shortsighted greed to make shareholders happy thus get the big bonus and run they threw their IP at China. Or if the managers got caught out, cry "Snot-Fair" via lobbyists etc to US and other legislators...

What is really sad is that the Obama administration had come up with a way to cut this behaviour back with trade deals designed by US corporates for US corporates and the likes of China were happy to sign up on them. But guess what US Political behaviour true to idiotic form blew that out of the window... Which has thoroughly delighted the US MIC war hawks.

Getting rid of trade with China and Russia, makes in their myopic eyes very profitable war way way more likely...

The real question is of course will the US citizens actually get to see what those new regulations for the Committee on Foreign Investment in the United States (CFIUS) really are which is "A prelude to war without economic benefit?".

It's probably the most serious security question people should be considering right now...

PGL • May 5, 2019 7:39 AM

The chief timeless conflict here is well defined: One between the traditional western ideas, which saw China in racist and imperialist terms, and emerging nationalism[1].

Endless China Debate
"No man who favors the unequal treaties has the right to call himself a Christian!" Others reply "It is time for the Society for Propagation of the Gospel to step aside. It is time for the Society for Propagation of Cannonballs to bring them to their senses."

Turning Tables Ironies
Look who's espousing traditional higher-plane[2] western values. Good show chap! We agree that unbridled excess capitalism is like giving a 15 year old the keys to a muscle car.

At the other end is China and Russia, whose central authority limits those whose actions run contrary to national goals. That's smart but then they too go overboard and never know when to stop.

Smart GDPR Regulation
The West would do well to rein in the excess of capitalism. The EU’s Smart GDPR Regulations are becoming increasingly effective and are a free model for other countries to follow.

Smart CFIUS Regulation
The Smart Committee on Foreign Investment in the United States (CFIUS) Regulations are becoming increasingly effective and are a free model for other countries to follow.

These excess capitalism regulations reduce the transfer IP/data both ways [3] and increase national security. They largely level the playing field. Smart regulations are absolutely necessary for the protection of citizens, corporations and governments in digital non-dictatorial capitalist societies.

The technology and security IP battle now moves-on to vulnerable allies including the EU, India, Israel, and Southeast Asia[4]. Or the commandeering critical Belt Road projects in Asia, South America and Africa.

Look forward to watching 1966 The Sand Pebbles with an emphasis on the beautiful Candice Bergen and her idealistic missionary father. https://en.wikipedia.org/wiki/The_Sand_Pebbles

Homework: Could his mindset have been able to stop China’s/Xi 2025 world domination plan? While the Americans blame the GDPR for Silicon Valley data-mining excess, who’s blaming the Americans CFIUS for Xi’s hook-or-by-crook excess?


[1] In 2019 China has put millions into concentration camps often for harmless offenses. Western companies must surrender their IP as a cost of doing business in China

[2] can’t finger It explicitly

[3] To prevent the foolish sale of high-tech ARM to China

[4] Vox: “It’s not as though all these Chinese investors are now suddenly twiddling their fingers. Venture capitalists in other parts of the world — like India, Israel, and Southeast Asia — report more Chinese investors approaching their companies than ever.“

mike • May 6, 2019 5:33 AM

@Clive Robinson wrote,

"There is a third reason that is actually more probable than the two given in that paragraph. China has for quite some time now been "investing in peace"."

This has been done in the past. Most famously the "Japanese" investments in US of A in the 80s. This is in many ways interpreted at face value by political and business commentators alike. The deep sitting factors were often not discussed even in academic fields.

"Thus US companies "out-sourced" for short term profit to China and thought they could play fast and loose with the Chinese Government and its legislation and judicial system. Some US and other Western Countries companies failed to be "duly diligent" and thus lost out by their greed or lack of diligence."

When we speak of war, we often think in terms of attrition. However, in economic terms, attrition is a non-factor because money isn't a finite resource. Thus, if you think carefully, the money supply can expand to meet any volume of "out-sourced" goods flowing the opposite direction, negating any type of economic playing field advantage.

Roy • May 23, 2019 6:35 AM

It's not realistic, and unfair, to expect the Irish regulator alone to take the lead - some of these companies have revenues which aren't much smaller than the entire Irish state. The regulator has to be extremely careful with any findings, knowing full well they will be scrutinised by teams of very well paid corporate lawyers.

There is also an additional issue which is that privacy regulations are interpreted and implemented differently across Europe. Ireland takes a pro-business approach in general to regulation, whereas other countries (e.g. Germany) take a very pro-individual privacy approach, largely because of historical reasons. Whereas an Irish regulator might ask a business to modify their approach before considering issuing a fine, a German regulator might decide to fine first - each country takes a different approach. Both approaches are equally valid, and both are allowed under the regulations, which can cause confusion and frustration.


Sidebar photo of Bruce Schneier by Joe MacInnis.