
Compromise required to resolve impasse on data privacy regulation

Regulation of GDPR rules has become a political, legal and cultural tug of war

The Data Protection Commission in Dublin is effectively the pan-European regulator for big tech companies such as Meta. Photograph: The Irish Times

Ireland will play a big role whenever the early history of Europe’s data-based economy is written, but it remains open whether it will be positive or negative.

Nearly five years after a new EU data protection regime (GDPR) came into effect, efforts to create a cohesive pan-European regime – for citizens and business – remain contested.

This is a political, legal and cultural tug of war – between profitable data collection and EU citizens’ right to opt out of such practices – where the focus is on US tech companies whose European headquarters in Dublin gives the Irish Data Protection Commission (DPC) frontline responsibility.

After a three-year DPC investigation into Meta’s data collection and a mild draft decision in 2021, fellow European regulators demanded higher fines last year because – in their view – Meta services have been breaking the law since GDPR came into effect on May 25th, 2018.


Even after the decision in January by the DPC and fines of €395 million the row is unresolved: Meta is likely to appeal in the Irish courts while the Dublin-based regulator plans to ask the European court in Luxembourg whether its EU colleagues can intervene not just in its decisions but also its investigative practices.

If this legal standoff is to end, everyone will have to compromise. Meta will have to accept that, unlike in the US, EU member states mean business on data protection. This may lower its profits but will hardly break its business model.

Some EU regulators will have to accept that not all Europeans want to be protected from themselves: many are happy, given a chance to make an informed choice, to use Meta services.

The European Commission, shaken awake by Irish privacy campaigners and European Ombudsman Emily O’Reilly, has to accept that it is a participant and not a bystander in securing GDPR.

Ireland’s DPC will have to accept that its earnest belief – that it is regulating in line with European rules – is not universally held.

Even the Government will realise eventually that reform of the regulator and its underlying data protection legislation will create legal certainty for tech companies – on which the Irish economy depends.