Government’s 'underfunding' of data watchdog is bumbling and risky

Net Results: Multinationals worry about perception of petty vengeance over public services card

Multinationals worry about these optics. Photograph: iStock

There's an enduring public (and media) misconception that multinational technology companies looking to establish a base in Europe would be seduced by a country with weak regulatory oversight. The reality is less interesting, more complicated, and – in terms of potential international perception – of direct relevance to recent Government actions here.

As a baseline starting point, what most companies actually want is a national regulatory environment that is, if not overtly business-friendly, then at least aware of business issues. In addition they want regulatory stability and predictability.

Predictability, however, doesn’t mean predetermined decisions. Uncertainty about specific rulings and decisions should be a given, as a regulatory body fairly weighs evidence, facts, concerns and laws. But still, the idea persists that an accommodating regulatory environment would be the corporate preference.

Let’s look closer at what companies want, and why.

First, set aside the notion that tech companies prioritise regulatory environment over other considerations because, no matter where they go, they will still be subject to an EU interpretation of EU – and for that matter, local – laws and policies.

So any decision at executive level to choose a country with a biddable regulator would be ridiculously short-sighted. There’s no secret system of regulatory arbitrage where a company can weigh up where to go based on the best deal on offer, because regulatory gaps are quickly bridged in practice.

In terms of data protection – which is the regulatory arena that arguably has the greatest bearing on the operations of all tech multinationals in Europe – challenging any decision by a national regulator is a well-defined process under EU data protection law.

It can be set in motion by any individual EU citizen, who can highlight the existence of such a gap, and file a complaint to their own national regulator or at EU level. If the gap is indeed a gap, it is going to be closed.

International ire

Any company hoping to exploit perceived gaps also faces the likelihood that its attempt to do so will become the stuff of international focus and ire. If your company ends up in Europe’s highest court, with its actions scrutinised in detail and reported internationally, the negative publicity fallout is potentially colossal.

Companies also really don’t want a random national regulatory system where decisions are wildly unpredictable and might fall anywhere on the scale of too lenient to too harsh.

In practice, that type of highly uncertain environment would end with decisions being routinely referred to the European Court of Justice to sort out the details – a long legal process for all parties that would be a costly addition to the bottom line. Better to opt for a location with regulation widely seen as balanced and considered.

All of this is to put into context why the Irish Government was misguided and bumbling in its recent budget decision to fund the Data Protection Commission no more generously than the discredited greyhound racing industry – and with only a third of the increase requested by an office tasked with a data protection oversight job rivalled in size and impact only by the US oversight bodies such as the Federal Communications Commission and Federal Trade Commission.

The decision risks being perceived as an international statement that Ireland is not overly concerned with adequately performing its critical oversight function, and that it is deliberately underfunding a regulator in order to better suit its large base of multinational tech companies – each of which is a point of huge concern to multinationals I've spoken to.

Election issue

There’s also a risk that, if the regulator is underfunded, investigations are hobbled and decisions will be poorer and open to further costly challenges. Investigations may drag on for longer (many here already have been going on for years) or not be pursued at all.

In addition, set in the context of the Government’s decision to – so far – refuse to comply with the regulator’s decision that it must curtail the use of the public services card, the funding refusal runs the risk of looking even more questionable, a petty tit for tat. A formal complaint expressing such a concern has been filed at EU level by Irish data protection specialist Daragh O Brien.

Multinationals worry about these optics. They know data protection regulation is an international election issue, a headline generator and a topic of close public interest. They can be damaged by perception that they want a weakened regulatory environment and might have encouraged a national government to undercut its regulator. Several have been taken aback by the State’s refusal to comply with the ruling on the public services card. One told me the decision to keep its base in Ireland had been quietly reviewed at one point because of these cumulative risks.

The Government would be wise to reconsider what constitutes adequate funding for a regulatory body that has such a significant international role, and take time to ponder the own-goal of undercutting its regulator’s international authority by refusing to recognise a critical domestic decision.