Politico reports lax Irish GDPR enforcement protects Facebook use of facial biometrics
There have been 1,928 complaints of data privacy violations in Ireland in the first year of GDPR, but no enforcement actions taken against big tech, despite the country’s predominance as the lead regulator for big tech firms, according to a Politico report. The article suggests the relationship between Ireland’s government and tech giants may even be protecting Facebook from enforcement action over its reintroduction of facial biometrics in Europe.
Ireland is the de facto lead regulator for GDPR, because the statute dictates that the country leading regulatory action is the one in which the data controller of company subject to the action is based. Politico reports that this provision was sought by tech companies, and the data controllers of most big tech firms are based in Ireland. Politico notes Ireland’s history of catering to Silicon Valley firms to bring business and jobs to the country.
Ireland’s Data Protection Commission head complained in a 2011 audit that Facebook was allowing third-party app developers to access huge volumes of “friend” data, Politico reports, but gave the company a nearly perfect score for privacy practices the following year. Years later, the loophole discovered by the Commission was infamously used by Cambridge Analytica.
Facebook reintroduced its facial recognition feature in Europe last year when GDPR came into effect, and was criticized at the time by a former European Commission Justice Commissioner for manipulating consent.
Politico also reports that Irish regulators had said they had not opened an investigation into Google’s information sharing practices because the paperwork giving then lead authority had not been completed. The paperwork was reportedly finished in January, but no investigation has been announced.
Irish Data Protection Commission spokesperson Graham Doyle told Poitico the agency takes its responsibilities seriously, and that it has seven probes involving Facebook and 16 investigations against companies including Twitter, WhatsApp, Instragram, LinkedIn, and Apple underway. Doyle also noted that the commission is currently expanding from 140 to 180 employees.
Privacy advocates express skepticism in the enforcement efforts. “They’ve basically gotten smarter about not doing things,” says Austrian advocate Max Schrems, who has led successful legal challenges of tech companies. A source also told Politico that the commission had not sent any agents to Facebook’s Dublin headquarters to pursue its investigations. The commission is funded through the Justice Ministry, rather than industry, which Politico says may make it vulnerable to interference from government officials who have close relationships with the tech industry.
Sources who attended a meeting with Facebook as it planned its reintroduction of facial biometrics in Europe said the company had been warned of possible violations of GDPR.
“They are analyzing every photograph, even those where they don’t have permission, and their argument is this is not processing biometric data because they don’t take the final step of identifying the person,” Dublin privacy lawyer Simon McGarr told Politico. “From a privacy standpoint, this is cloud cuckoo land.”
According to Doyle, however, the regulator has not yet determined if a statutory investigation into the practice is necessary.
Facebook has faced extensive criticism over its privacy practices in North America and Europe, but it is also worth noting that many companies appear to be unclear of their responsibilities under GDPR.