Do multinational technology companies come to Ireland because they believe it has a "lax" data protection environment and a deliberately underfunded Office of the Data Protection Commissioner?
That idea has started to gain some currency primarily because of questions raised by German data protection officials and by judges last month when the European Court of Justice heard arguments in the case brought by Austrian law postgraduate Max Schrems against Ireland's Data Protection Commissioner.
Schrems argues that his privacy and data protection rights under European law were not respected by Facebook, whose European headquarters are in Dublin. The case is one of a number that have highlighted Ireland's expanding data protection oversight role as the headquarters of choice for internet and social media multinationals.
Schrems has routinely mocked the fact that the Irish DPC has its offices above a shop in Portarlington, a locational casualty of the pointless Fianna Fáil policy of sending departments and agencies into the regions a few years back.
While one might argue that this was fine for some departments, it made no sense at all for the DPC. The majority of its work involves companies, organisations and government bodies based in Dublin.
So yes, its exile was ludicrous. But there’s a difference between intentional disregard and a stupid policy that saw many such relocations and drew widespread public and political criticism.
Is the office deliberately underfunded by the Government to contribute to inadequate oversight, as one judge asked during the ECJ hearing?
That charge too attributes intent to what is in reality indifference. That should be apparent to anyone familiar with the Government’s less than dynamic stance on data protection and privacy matters.
This is, after all, the State that brought in one of the strictest data retention policies in Europe (and worldwide), forcing telecommunications companies to hold and store details about every person's calls, faxes and emails for one of the longest periods internationally.
Data retention
Such policies run contrary to the argument that the State is only concerned with making life easy for corporates. Data retention is anathema to many telecoms, internet and data storage companies, which dislike the longer-term data protection and management obligations and costs imposed alongside the retention requirements.
At any rate, funding was cut to the DPC at a time when funding was cut across Government after the economic crash. I think every data protection commissioner since the office was established has felt the office could use greater funding.
As someone with a particular interest in data privacy and data protection, I’ve talked to the office regularly over the years on many issues. At times, I would have wished for a stronger stance against specific instances of corporate and Government misuse of data, but I’ve never had any sense it was kowtowing to multinationals or pushed towards any particular approach by successive governments.
That said, there’s no doubt that Irish governments have been eager to create a business-friendly environment here and this veered too far towards compromise on issues such as taxation. All of which understandably contributes to some sniping and suspicions among Ireland’s EU partners.
In that sense, the Government has set itself up as a target and has done little to deserve a reputation as a data protection champion. But then many other EU states haven’t either. Some of those which are considered strong on data protection have, ironically, been involved in moves to gut some of the more stringent protections in the proposed new European data protection regulation. So go figure.
My personal take? I would see Ireland as middle of the road on data protection and far more remiss on data retention.
I would say that the EU has an international reputation as a location that speaks loudly about data protection and privacy, but does relatively little still to support and enforce what laws are currently there.
I am in San Francisco this week at the RSA Conference, one of the world's biggest security events, and this point of view is widespread.
Rather than needle Ireland, a more productive focus for Europe might be to get a strong new data protection regulation – and not back away from all the provisions that would give it teeth – and then actually enforce it.