Never forget

Happy Saint Patrick’s Day!🍀💚☘️

“Bed of Clover” (digital illustration) — CW

Leprechaun (1982)

Fintown, County Donegal, Ireland

💚

erin go bragh ☘️🍻

ig: badmotorartist

Ireland's privacy regulator is a gamekeeper-turned-poacher

This Saturday (May 20), I’ll be at the GAITHERSBURG Book Festival with my novel Red Team Blues; then on May 22, I’m keynoting Public Knowledge’s Emerging Tech conference in DC.

On May 23, I’ll be in TORONTO for a book launch that’s part of WEPFest, a benefit for the West End Phoenix, onstage with Dave Bidini (The Rheostatics), Ron Diebert (Citizen Lab) and the whistleblower Dr Nancy Olivieri.

When the EU passed its landmark General Data Protection Regulation (GDPR), it seemed like a privacy miracle. Despite the most aggressive lobbying Europe had ever seen, 500 million Europeans were now guaranteed a digital private life. Could this really be?

If you’d like an essay-formatted version of this post to read or share, here’s a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2023/05/15/finnegans-snooze/#dirty-old-town

Well, yes…and no. Despite flaws (Right to Be Forgotten), the GDPR has strong, well-crafted, badly needed privacy protections. But to get those protections, Europeans need their privacy regulators to enforce the rules.

That’s where the GDPR miracle founders. Europe includes several tax-havens — Malta, Cyprus, the Netherlands, Luxembourg, Ireland — that compete to offer the most favorable terms to international corporations and other criminals. For these havens, paying little to no tax is just table-stakes. As these countries vie to sell themselves out to giant companies, they compete to offer a favorable regulatory environment, insulating companies from lawsuits over corruption, labor abuses and other crimes.

All of this is made possible — and even encouraged — by the design of European federalism, which lets companies easily shift which flag of convenience they fly. Once a company re-homes in a country, it can force Europeans across the union to seek justice in that country’s courts, under the looming threat that the company will up sticks for another haven if the law doesn’t bend over backwards to protect corporate citizens from the grievances of flesh-and-blood humans.

Big Tech’s most aggressive privacy invaders have long flown Irish flags. Ireland is “headquarters” to Google, Meta, Tinder, Apple, Airbnb, Yahoo and many other tech companies. In exchange for locating a handful of jobs to Ireland, these companies are allowed to maintain the pretense that their global earnings are afloat in the Irish Sea, in a state of perfect, untaxable grace.

That cozy relationship meant that the US tech giants were well-situated to sabotage Ireland’s privacy regulator, who would be the first port of call for Europeans whose privacy had been violated by American firms. For many years, it’s been obvious that the Irish Data Protection Commission was a sleeping watchdog, with infinite tolerance for the companies that pretend to make Ireland their homes. 87% of Irish data protection claims involve just eight giant US companies (that pretend to be Irish).

But among for hardened GDPR warriors, the real extent of the Data Protection Commissioner’s uselessness is genuinely shocking. A new report from the Irish Council for Civil Liberties reveals that the DPC isn’t merely tolerant of privacy crimes, they’re gamekeepers turned poachers, active collaborators in privacy abuse:

https://www.iccl.ie/wp-content/uploads/2023/05/5-years-GDPR-crisis.pdf

The report’s headline figure really tells the story: the European Data Protection Board — which oversees Ireland’s DPC — overturns the Irish regulator’s judgments 75% of the time. It’s actually worse than it appears: that figure only includes appeals of the DPC’s enforcement actions, where the DPC bestirred itself to put on trousers and show up for work to investigate a privacy claim, only to find that the corporation was utterly blameless.

But the DPC almost never takes enforcement actions. Instead, the regulator remains in its pajamas, watching cartoons and eating breakfast cereal, and offers an “amicable resolution” (that is, a settlement) to the accused company. 83% of the cases brought before the DPC are settled with an “amicable resolution.”

Corporations can bargain for multiple, consecutive amicable resolutions, allowing them to repeatedly break the law and treat the fines — which they negotiate themselves — as part of the price of doing business.

This is illegal. European law demands that cases that involve repeat offenders, or that are likely to affect many people, must be fully investigated.

Ireland’s government has stonewalled on calls for an independent review of the DPC. The DPC continues to abet lawlessness, allowing corporations to use privacy invasive techniques for surveillance, discrimination and manipulation. In 2022, the DPC concluded 64% of its cases with mere reprimands — not even a slap on the wrist.

Meanwhile, the DPC trails the EU in issuing “compliance orders” — which directly regulate the conduct of privacy-invading companies — only issuing 49 such orders in the past 4.5 years. The DPC has only issues 28 of the GDPR’s “one-stop-shop” fines.

The EU has 26 other national privacy regulators, but under the GDPR, they aren’t allowed to act until the DPC delivers its draft decisions. The DPC is lavishly funded, with a budget in the EU’s top five, but all that money gets pissed up against a wall, with inaction ruling the day.

Despite the collusion between the tech giants and the Irish state, time is running out for America’s surveillance-crazed tech monopolists. The GDPR does allow Europeans to challenge the DPR’s do-nothing rulings in European court, after a long, meandering process. That process is finally bearing fruit: in 2021, Johnny Ryan and the Irish Council for Civil Liberties brought a case in Germany against the ad-tech lobby group IAB:

https://pluralistic.net/2021/06/16/inside-the-clock-tower/#inference

And the activist Max Schrems and the group NOYB brought a case against Google in Austria:

https://pluralistic.net/2020/05/15/out-here-everything-hurts/#noyb

But Europeans should not have to drag tech giants out of Ireland to get justice. It’s long past time for the EU to force Ireland to clean up its act. The EU Commission is set to publish a proposal on how to reform Ireland’s DPA, but more muscular action is needed. In the new report, the Irish Council For Civil Liberties calls on the European Commissioner for Justice, Didier Reynders, to treat this issue with the urgency and seriousness that it warrants. As the ICCL says, “the EU can not be a regulatory superpower unless it enforces its own laws.”

Catch me on tour with Red Team Blues in Toronto, DC, Gaithersburg, Oxford, Hay, Manchester, Nottingham, London, and Berlin!

If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2023/05/15/finnegans-snooze/#dirty-old-town

[Image ID: A toddler playing with toy cars. The cars are Irish police cars. The toddler's head has been replaced with the menacing, glowing red eye of HAL9000 from Stanley Kubrick's '2001: A Space Odyssey.' The toddler's knit cap is decorated with the logos for Apple, Google, Facebook and Tinder.]

Image: Cryteria (modified) https://commons.wikimedia.org/wiki/File:HAL9000.svg

CC BY 3.0 https://creativecommons.org/licenses/by/3.0/deed.en

the British will really colonize you and rename your town something like this

Irish Cookie for SDt. Pat's Day!

Erin Go Bragh Irish phrase Ireland Forever T-Shirt

https://www.teepublic.com/t-shirt/57793333-erin-go-bragh-irish-phrase-ireland-forever?store_id=2123844

March 17th is the feast day of the patron saint of Ireland, St. Patrick. In the United States, it is also the day of shamrocks, leprechauns, and green beer (and green everything else). Blue was once the color traditionally associated with St. Patrick, but the color green has several links to Ireland, including its use on Ireland’s flag in the form of a stripe, its symbolism of Irish nationalism and the country’s religious history, and its connection to Ireland’s nickname, The Emerald Isle. On St. Patrick’s Day, people turn to their dictionary to look up Erin go bragh, which means “Ireland forever.” The original Irish phrase was Erin go brách (or go bráth), which translates literally as “Ireland till doomsday.” It’s an expression of loyalty and devotion that first appeared in English during the late 18th-century Irish rebellion against the British.