The revelation that Cambridge Analytica was able to secretly obtain millions of Facebook users’ data to assist Donald Trump’s presidential campaign is only the latest example in a string of headlines that have exposed the questionable privacy practices of social media companies. For an industry that has collected the personal information of more than 2.5 billion people worldwide (Statista), social media is vastly under-regulated compared to other data-driven sectors such as insurance and banking. The excuse for limited government oversight of these companies has vacillated between an aversion to stifling technological progress and the nihilistic belief that policymaking is forever doomed to lag behind tech innovation. Neither of these excuses rings true, however, and Ireland’s role as the ‘Silicon Valley’ of the EU provides it the leverage to be a forerunner in proactive regulation, both within the EU and globally.
Thanks to industry whistleblowers and dedicated journalists, embarrassing data breaches of companies such as Twitter, Uber, and LinkedIn have lead to a growing public outcry over how private companies handle user and consumer data. This has resulted in policymakers rushing into a half-hearted game of ‘regulatory catch up’ in which privacy debates and proposals, mostly at the EU-level, are du jour. An example is the Commission’s March 2018 Report from the High-Level Expert Group on Fake News and Online Disinformation. Chief among its findings was that companies must be more transparent about the processes by which they secure and facilitate the sharing of information.
Much of the aforementioned rhetoric, however, has yet to translate into action. What would change the status quo, however, is resolve from high-tech-harboring nations, such as Ireland, for more effective regulation. Irish critics of this approach will argue that regulating corporate cash cows, such as Facebook, will jeopardize the country’s attractiveness to FDI. However, as the Irish Times recently pointed out, Ireland’s highly educated workforce and soon-to-be designation as the largest English-speaking country in the EU (let’s not forget about Malta) will likely spell FDI gains.
Ireland’s Three Steps Toward Responsible Regulation
Ireland can do much on its own to rein in these companies’ practices in the interest of public good. First, it can and should support what little action is being taken at the EU-level. Irish Commissioner Phil Hogan, as well as Ireland’s 11 MEPs, should take note of the work being done by the high-level expert group and seek innovative ways to implement the resulting recommendations. Likewise, the Irish Government should stop distancing itself from the General Data Protection Regulation (GDPR)—a scheme to harmonize privacy rules through the EU that will come into effect on 25 May 2018. The government spent last month trying to exempt itself from many of the scheme’s requirements. While GDPR is not perfect, it is the most comprehensive reform of EU privacy law in decades and Ireland, as the home of many global tech firms, has a responsibility to take it seriously. On a more controversial note, Ireland should support the anti-trust work of European Commissioner for Competition, Margrethe Vestager, which includes supporting fines like those she levied against Facebook in 2017 and (more infamously) Apple in 2016. Although Ms. Vestager is mostly concerned with unfair tax practices and tech monopolies rather than privacy, her actions send a strong message to tech companies that unfair corporate actions will not be tolerated in the EU.
Second, Ireland should approach the EU with its own plans for anticipatory tech regulation. When even one compromised election threatens democracy and one data breach leaks the information of 45,000 Irish citizens (as was the case with Cambridge Analytica) Ireland cannot afford to wait to act until the next scandal drops. Luckily, the Irish government has a strong base of tech policy experts on which it can rely to devise forward-thinking policy. For example, the Office of Data Commissioner (DPC), Helen Dixon, has proven an effective launching point for Irish policy, despite being historically underfunded. Her office is already active in supervising data protection of traditional firms, such as banks, but it must develop more innovative policies aimed at emerging tech and social media platforms. Encouragingly, Commissioner Dixon recently said, “Their [social media companies] business model is around monetizing personal data, and this creates very significant challenges in terms of fundamental rights and freedoms of individuals.” However, statements such as this one need to be acted upon and then replicated at the EU level.
Thirdly, Ireland can bypass EU policymaking altogether by enacting stricter laws on its own soil that will place so-called “extraterritorial” pressure on companies to comply with its privacy standards, not only in EU, but throughout the world. Here, it is important to point out some of the gaps in GDPR that effective national regulation could help fill. As Trend Micro, a Japan-based tech security firm noted, GDPR guidelines do not explicitly outline what technologies companies should use to protect user info, instead relying on general phrases such as “state of the art” and “appropriate measures”. Because data breaches require technological solutions, leaving the necessary tools open to broad interpretation will only encourage corner-cutting by companies. GDPR also fails to adequately protect against data threats of an increasing “autonomous internet” run by algorithms and artificial intelligence (AI), technologies that can sort, share and store information with limited human input. Although Article 22(1)of GDPR affords internet users right not to be subject to decisions based “solely on automated processing”. However, a recent paper by scholars Watcher, Mittelstadt and Floridi at the Oxford Internet Institute, calls it “toothless”. This is certainly one area in which Commissioner Dixon’s office can and should become a leading regulatory voice.
The passage of GDPR is proof that the EU is moving in the right direction on protecting digital data, but it is only the first step in the creation of a new, increasingly necessary data protection regime. What is certain is that data will continue to multiply, hacking will become more sophisticated, and platforms will become ever more eager to gather information on their users, thus necessitating a continuously evolving data protection regime. The question for Ireland is whether it will be a regulatory leader or reluctant follower. If Ireland comes to the table with its own ideas, the EU will surely take note, not least because it has historically been the most vocal opponent of regulation of tech multinationals in the bloc, but also because as it home to many of them.
Tyler contributes to projects on trade, multinational corporations, and inequality. Tyler is also broadly interested in the impact of communication technology on society, especially as it relates to democratic participation and freedom of expression. He holds an MA in Global Communication from The George Washington University in Washington, DC, and a BA in Journalism and International studies from Elon University in North Carolina.