Attracting global tech firms here with low taxes brings responsibilities as well as benefits- and not just for Irish consumers. Facebook’s base in Dublin means that Irish regulators will be the forefront of new questions surrounding privacy and data protection whether they want to be or not, writes Dan Hayden.
IN THE EARLY years of globalisation, when a large company expanded from one country to another, shifted their bases of production or their headquarters, it was a massive, multi-year effort. They built new factories, transported heavy plant and relocated hundreds or even thousands of workers.
Today’s blue chip firms are more likely to be moving bytes at light-speed through a fibre optic cable as shipping parts in a container ship. Providing their services online, they can expand quickly from a single base to offer services all over the globe. Even the most modest “lean” start- up looks at their market in global rather than national terms.
This has meant that modern technology firms are uniquely footloose. They have a lot of choice about where they pick as their base, and they are making this decision based upon what they have to gain. Ireland’s efforts to court these firms as they expand from the US into Europe have focused on our corporation tax regime. The resulting list of US tech firms in Ireland reads like a “who’s who” of Silicon Valley, and includes Facebook, Google, Yahoo, Linkedin and Dropbox.
This influx has brought more than jobs. It has also brought the responsibility of regulation, and not just on this turf. Facebook alone has 2.25 million Irish users and more than 250 million across Europe. In fact, because Facebook is headquartered here in Ireland, the firm must answer to Irish Regulators for all its users outside of North America, totalling more than 800 million.
Based in a nondescript building in Portarlington, the 27-strong staff of the Irish Data Protection Commission deal with everyday queries surrounding supermarket loyalty cards, unsolicited marketing postage, phone calls or text messages and the use of CCTV. Now they are also tasked with handling the privacy and data security concerns of those same hundreds of millions of Facebook users.
In the wake of Edward Snowden’s NSA “Prism” programme revelations, these concerns have become more tangible and more politically sensitive. Only this week, Facebook reported that governments requested information on 38,000 users of its service in one six month period, with over half of those requests coming from the US.
As long as user information continues to be routed through US servers, it is within reach of more permissive US laws surrounding how that information can be used and outside the aegis of stronger EU privacy protections.
US tech firms have been compelled to offer US government agencies access to their information, while simultaneously being legally denied the opportunity to explain how and in what circumstances they share that information. This means that issues open to the regulator like how the technologies parse the information they have access to, what information is linked to identifiable accounts, how long data is stored for and how users can remove their information from the system are paramount.
Questioned about the NSA’s data collection program, Data Commissioner Billy Hawkes has said that Irish data protection law is designed for “day to day activities”. Yet as the banking crisis has shown, regulators must be ready to face unforeseen challenges.
In the early 2000s, banking broke into new markets. New technologies developed faster than regulators could keep up, and poor oversight lead to disastrous consequences.
The parallels are not hard to see.
If the EU is successful in implementing a shared European Directive for Data protection in 2014 as they hope, technology firms will have a single standard across the common market. New laws could even offer a competitive advantage for Europe in the eyes of business customers for whom data protection is a priority.
This will reduce regulatory fragmentation and could lower the cost of compliance for firms. Yet even under these new laws, the Irish Regulator will still have responsibility for monitoring and enforcing these standards for the huge companies based in this jurisdiction. Indeed, with a single standard in force, there is likely to be even more scrutiny upon the jurisdiction and the regulator in question.
Strengthening the regime doesn’t need to come at the expense of the services provided. For companies like Google, Linkedin or Facebook to remain cost- free for users, they require access to a certain amount of information to target advertisements. Users have shown a willingness to allow access to information as they are given clear information on the type of access which has been granted and how it can be used.
In such a fast- moving industry, an overly prescriptive approach may not make it easy to keep up with new developments and could risk closing the lines of dialogue that will ensure necessary compliance and flexibility.
The Data Protection Commission must be resourced properly to build the technical expertise to maintain an equal relationship with those firms which have demonstrated good faith to date. With the right approach, there’s an opportunity to further strengthen protections for all European users without compromising the speed of innovation and progress in the industry.
The government has made much of a 20 per cent increase in the DPC’s funding over the last year. This is to be welcomed but it is an incremental increase from a low base as the number of tech companies resident here has increased exponentially. The recent loss of experienced second in command Gary Davis to Apple is also significant.
While the commission might meet normal standards for a data protection office in similar sized countries maybe the more appropriate standard is to examine the value of the industry. The data of each Facebook, Linkedin or Google+ user has a monetary value adding up to billions .The Commission must be funded at a scale to act as both a European and global regulator.
In 2011, David Watters, Facebook’s European policy chief said “There is a difference between privacy and secrecy”. The questions raised by disclosures like the Prism program mean that these differences are prime to be resolved.
Indeed, few public policy questions have shifted in their significance and meaning so wholly in the last decade, or are likely to in the next. Whether they asked for it or not, Irish politicians and regulators will be pivotal in deciding how hundreds of millions of Irish, European and global citizens’ data and privacy are protected.
Dan Hayden is an Irish Research Council Government of Ireland PhD Scholar at the UCD Centre for Regulation and Governance. Follow him on Twitter @danjhayden
To embed this post, copy the code below on your site
have your say