Can democracies stand up to Facebook? Ireland may have the answer
Liberal democracies struggle to tackle the might of the tech giants when it comes to protecting users’ data
Last month, the Irish data protection commissioner (DPC) sent Facebook a preliminary order ordering it to stop sending the data of its European users to the US. This was a big deal, because in order to comply with the ruling, Facebook would have to embark on a comprehensive re-engineering of its European operations, or to shut down those operations entirely, at least for a time.
Such a shutdown would of course be traumatic for the poor souls who are addicted to Facebook and Instagram, but it would be even worse for the company – for two reasons.
The first is that it makes more money from European users’ data – an average of $13.21 (£10.19) per user in 2019 – than from any other territory except the US (where it earns $41.41 per user); the second is that failure to comply could land it with a fine of up to 4% of its global revenue, which in Facebook’s case would come to about $3bn. Given the scale of its revenues, that’s not a showstopper, but it would nevertheless be annoying.
Predictably, the company was furious, threatening, as one commentator put it, “to pack up its toys and go home if European regulators don’t back down and let the social network get its own way”.
Facebook’s lawyer lodged an application for judicial review of the DPC’s ruling. If the decision were upheld, wrote Yvonne Cunnane, Facebook Ireland’s head of data protection and associate general counsel, “it is not clear to [Facebook] how, in those circumstances, it could continue to provide the Facebook and Instagram services in the EU”.
Cunnane, clearly auditioning for a lead role in a revival of Evita, protested that her poor little employer had been given only three weeks to respond to the ruling at a time when they are all flat out making money.
Warming to her theme, she also complained that she was “not aware” that any of the other tech companies that transfer data to the US – under the same legal fudge arranged after the EU-US Privacy Shield was struck down by the European court of justice – had been singled out by the DPC. So innocent Facebook was being picked on by a malevolent official. It was all most unfair.
So far, so predictable. But there is also a menacing tone in part of Cunnane’s submission. “I say,” she declares, “that the fact that one person is responsible for the entire process is also relevant to the Applicant’s [Facebook’s] concerns, in respect of the inadequacy of the investigative process engaged in and/or independence of the ultimate decision-making process.”
This is a legalistic shot directly aimed at the Irish DPC, Helen Dixon, and you don’t have to be Sherlock Holmes to understand what is being implied here.
So let’s unpack it a little. The reason it’s the Irish DPC that is taking action against Facebook’s data-exporting practices is that the company – like most of the other tech giants – has established its European HQ in Dublin.
This is partly because they want to be in the EU and partly because of the Irish Republic’s long-established, tax-friendly and, er, relaxed, attitudes to huge foreign corporations.
So Facebook comes under Dixon’s jurisdiction. But the imbalance between, on the one hand, the DPC’s responsibilities and her 140 staff and, on the other, Facebook’s colossal legal, financial and technical resources is positively grotesque. Which is why it’s tempting to read the company’s legal response as the enraged response of a tiger that has suddenly been bitten by a flea.
My guess – as a lay reader – is that there are lots of technical issues here that will keep lawyers busy for months, or even years. In which case, European users’ data will continue to flow freely into Facebook’s servers in the US, where they will be open to snooping by that country’s security and other services, under less rigorous oversight that would be the case had they been kept on servers in Europe.
But in a way, this skirmish in Dublin provides a preview of a much bigger question about state capacity in these networked times. In discussions about these issues, I’ve sometimes found it useful to frame it provocatively as a simple proposition that goes like this: the only states that now have the capacity to tame or control tech giants are authoritarian ones.
Liberal democracies are no longer up to the job because they have to stay within the bounds of the neoliberal legal frameworks they have been assiduously constructing over half a century.
Large corporations have the resources to spin things out for years or even decades, while governments and their elites are increasingly trapped in the attention-deficit syndrome brought about by five-year electoral cycles.
Which is why a visitor to Dublin a decade from now might discover that the case of Facebook Ireland Limited v Data Protection Commission is still going strong in the high court there.
Such a shutdown would of course be traumatic for the poor souls who are addicted to Facebook and Instagram, but it would be even worse for the company – for two reasons.
The first is that it makes more money from European users’ data – an average of $13.21 (£10.19) per user in 2019 – than from any other territory except the US (where it earns $41.41 per user); the second is that failure to comply could land it with a fine of up to 4% of its global revenue, which in Facebook’s case would come to about $3bn. Given the scale of its revenues, that’s not a showstopper, but it would nevertheless be annoying.
Predictably, the company was furious, threatening, as one commentator put it, “to pack up its toys and go home if European regulators don’t back down and let the social network get its own way”.
Facebook’s lawyer lodged an application for judicial review of the DPC’s ruling. If the decision were upheld, wrote Yvonne Cunnane, Facebook Ireland’s head of data protection and associate general counsel, “it is not clear to [Facebook] how, in those circumstances, it could continue to provide the Facebook and Instagram services in the EU”.
Cunnane, clearly auditioning for a lead role in a revival of Evita, protested that her poor little employer had been given only three weeks to respond to the ruling at a time when they are all flat out making money.
Warming to her theme, she also complained that she was “not aware” that any of the other tech companies that transfer data to the US – under the same legal fudge arranged after the EU-US Privacy Shield was struck down by the European court of justice – had been singled out by the DPC. So innocent Facebook was being picked on by a malevolent official. It was all most unfair.
So far, so predictable. But there is also a menacing tone in part of Cunnane’s submission. “I say,” she declares, “that the fact that one person is responsible for the entire process is also relevant to the Applicant’s [Facebook’s] concerns, in respect of the inadequacy of the investigative process engaged in and/or independence of the ultimate decision-making process.”
This is a legalistic shot directly aimed at the Irish DPC, Helen Dixon, and you don’t have to be Sherlock Holmes to understand what is being implied here.
So let’s unpack it a little. The reason it’s the Irish DPC that is taking action against Facebook’s data-exporting practices is that the company – like most of the other tech giants – has established its European HQ in Dublin.
This is partly because they want to be in the EU and partly because of the Irish Republic’s long-established, tax-friendly and, er, relaxed, attitudes to huge foreign corporations.
So Facebook comes under Dixon’s jurisdiction. But the imbalance between, on the one hand, the DPC’s responsibilities and her 140 staff and, on the other, Facebook’s colossal legal, financial and technical resources is positively grotesque. Which is why it’s tempting to read the company’s legal response as the enraged response of a tiger that has suddenly been bitten by a flea.
My guess – as a lay reader – is that there are lots of technical issues here that will keep lawyers busy for months, or even years. In which case, European users’ data will continue to flow freely into Facebook’s servers in the US, where they will be open to snooping by that country’s security and other services, under less rigorous oversight that would be the case had they been kept on servers in Europe.
But in a way, this skirmish in Dublin provides a preview of a much bigger question about state capacity in these networked times. In discussions about these issues, I’ve sometimes found it useful to frame it provocatively as a simple proposition that goes like this: the only states that now have the capacity to tame or control tech giants are authoritarian ones.
Liberal democracies are no longer up to the job because they have to stay within the bounds of the neoliberal legal frameworks they have been assiduously constructing over half a century.
Large corporations have the resources to spin things out for years or even decades, while governments and their elites are increasingly trapped in the attention-deficit syndrome brought about by five-year electoral cycles.
Which is why a visitor to Dublin a decade from now might discover that the case of Facebook Ireland Limited v Data Protection Commission is still going strong in the high court there.
