The European Court of Justice’s recent “safe harbour” judgment regarding the transfer of personal customer data from Europe back to the US has highlighted Ireland’s role as the home of Europe’s head privacy regulator, and showed that we may not have been up to such a task.
The Irish Data Protection Commissioner is the privacy regulator for a number of multinationals based in Dublin, including Facebook. In 2013 when Edward Snowden revealed that US intelligence agencies had used Facebook and other digital companies to access huge quantities of personal information, an Austrian student, Max Schrems, complained to the DPC.
“Frivolous or vexatious” was how the DPC described his case, as such data transfers were covered by the “safe harbour” agreement between Europe and the United States. But he proceeded to the High Court, which then referred it to the ECJ in July last year. On Tuesday the court ruled that “safe harbour” was invalid. The agreement was cast as a hollow tool which data protection agencies could use to wave off EU citizens who might be concerned that their privacy was being violated.
So where does this leave us? The DPC, until a few months ago was an underfunded regulator based in a small Irish town without a presence in Dublin. It is expected that the ruling may open the floodgates to similar complaints, so there is much scepticism as to whether the DPC will be able to fulfil its full obligations. Its budget has been doubled to €3.65m and it is now opening a Dublin office, however some criticism runs deeper, suggesting that Ireland simply does not take data protection as seriously as some other countries.
This may be something that policymakers would want to address, as privacy experts say big US tech companies are looking more and more to strong data and privacy regulation over low corporation tax when choosing where to locate.
By Jack O’Sullivan