Chancellor Angela Merkel's call for binding agreement on EU data protection rules has been given a guarded welcome by European privacy groups – and put Ireland in the spotlight. After years of Brussels talks on a new data regulation, Merkel said the Snowden affair made quick agreement essential on one particular bone of contention: forcing technology companies to reveal what information they gather on European users after it leaves Europe.
Germany’s own, traditionally tough, data protection rules were moot, she suggested on national television, because Facebook’s EU headquarters were in Ireland and bound by Irish law.
She left unsaid what officials in Berlin – and in other European capitals – say openly: that Ireland, along with Britain, is perceived as the EU’s lowest common denominator on privacy.
The current EU data protection directive allows member states wide interpretation on how to transpose it into national law. The proposed EU regulation would eliminate such wriggle room on privacy issues, thus the heated negotiations in Brussels on striking the right balance.
London, Dublin and others have warned that too much regulation will stifle industry and innovation.
Berlin, meanwhile, is reluctant to adopt any EU regulation offering what it views as inferior data protection to current German laws.
German officials signalled yesterday that Merkel’s intervention represents a shift in Berlin’s thinking: better a new regulation than the status quo.
“We won’t agree to any old thing, but we see a need to compromise and to move the process forward towards agreement,” said a German official familiar with the talks. “Our goal is a data protection regulation of a European nature that is consistently applied, regardless of from where it is regulated.”
Light-touch regulation
Frontline responsibility for EU data protection issues lies with the respective national authority of where companies are based. Thus data protection concerns and complaints regarding Facebook, Google and Twitter are the responsibility of Ireland's Data Protection Commissioner . Talking to data protection veterans around mainland Europe, it's rare to hear any positive views of the office of the commissioner or of Billy Hawkes, who heads up the office.
German officials and privacy lobbyists are particularly caustic, suggesting that Ireland’s tradition of light-touch regulation in its financial sector has shifted seamlessly to its new growth sector: the technology industry.
“The impression people have in Europe is that Ireland is buying residence of large companies with the promise of deliberately weak regulation of European personal data for which it is responsible,” said Joe McNamee of the Brussels-based European Digital Rights.
Lingering resentment
Hawkes's appearance last month on RTÉ's Morning Ireland regarding the US Prism surveillance programme, since posted to YouTube, reheated lingering resentment among many European data authorities.
His admission that he “knew in a general way” about such programmes and didn’t “regard this particular revelation as particularly new” was a red rag to his European colleagues who fear Ireland is the transmission point of wholesale EU data to the US. German data protection advocates are hopeful that the political pressure on Merkel to act on the US National Security Agency affair can, in turn, have a positive influence on Brussels data protection talks.
"If the chancellor says something it usually has consequences," said Thilo Weichert, data protection commissioner in Germany's northern state of Schleswig- Holstein.
“Billy Hawkes would be well advised to start dealing a little more carefully with complaints from elsewhere in Europe on Facebook and others, in particular whether they are sending user data. For Ireland, the pressure is on.”
Brussels-based privacy lobbyists are more cautious that political pressure will have a positive influence on the wider data protection talks — and on Irish thinking towards data issues.
“We are told in Ireland that businesses can largely regulate themselves on data protection but we are using the same methodology to screw up here that we did on banking,” said McNamee .
“You cannot have a healthy market without tight regulation, we Irish know this from the banking sector — to our cost.”
Austrian data protection campaigner Max Schrems agrees, saying: "If you attract an industry you also have to regulate it."