Now with added video!
The Irish data protection regulator has unveiled a progress report on GDPR on the first anniversary of the rules, perhaps defending itself from a perception of inaction.
As Europe’s lead regulator for GDPR, the Data Protection Commission (DPC) is in an incredibly important position. It is supposed to lead the bloc into an era of increased privacy and data protection, though considering its economy is largely dependent on the very firms GDPR has been designed to punish, it is a tricky position.
Despite some suggesting GDPR is failing to live up to the promise of holding the technology giants accountable, the DPC has defending its positions, actions and ambitions.
“The GDPR is a strong new platform from which we can all demand and drive higher standards of protection of our personal information,” said Commissioner for Data Protection, Helen Dixon.
“As the national supervisory authority, the Data Protection Commission (DPC) is firmly committed to its role in public enforcement of the new law, while also working hard to provide guidance to sectors as they seek to comply with the new requirements.
“The DPC is grateful for the positive and energetic engagement with the GDPR that we have seen from all quarters, particularly from consumers and concerned persons who have raised queries about the processing of their personal data with the office.”
Looking at the numbers, 6,624 complaints have been received since the introduction of GDPR, while 5,818 valid data security breaches were notified. 54 investigations have been opened, 19 of which are cross-border investigations into multinational technology companies and their compliance with the GDPR. Last week, the DPC announced its most recent investigation into Google.
Interestingly enough, more than half of these investigations will see either Facebook, WhatsApp and Instagram as the focal point. The question which remains is whether the rules are having a material impact on data protection and privacy across the world?
According to the International Association of Privacy Professionals, more than 500,000 data protection officers have been appointed at firms across the world, while more than 200,000 instances of data breaches have been reported. However, the largest fine which has been levied at one of the internet giants is €50 million.
Back in January, French data watchdog CNIL fined Google €50 million for various different violations of GDPR. These violations included a lack of transparency, overly complicated wording and inaccessible information on how a user’s data is being collected, stored and processed. This might serve as a wake-up call for the ‘normal’ companies across the world, but it is might not be considered a deterrent for the worst offenders, the tech giants who collect billions in profit each year by monetizing data.
As mentioned previously, the DPC is in a slightly precarious position. Ireland will want to protect the interests of the technology giants due to the role the industry plays in the country. The technology sector has largely been credited with saving Ireland from economic recession a decade ago, and now employees a significant number of individuals. The industry has also fuelled a rise in entrepreneurship, creating bright prospects as the world strides towards the digital economy.
Reading between the lines, this is perhaps the rationale behind today’s announcement from the DPC. It is working to uphold the promise of GDPR.
What is worth noting is one year is not a lot of time. Investigations into complaints will take months on months, due to the number of companies involved, collections of statements and all the relevant information, and the complex nature of data processing business models. The big data machine is incredibly complicated and understanding whether there have been any violations of rules is even more so; some clauses and sections made grey areas to be exploited.
One year one, GDPR has clearly had an impact on the world, but whether this is enough of an impact to create a privacy-orientated digital society still remains to be seen.
Ireland’s data protection watchdog has kicked off a GDPR investigation into Google following a complaint from ad-free web browser Brave.
Although GDPR is approaching its first birthday, there is yet to be an example of the towering fines which were promised for non-compliance. Perhaps everyone is playing merrily by the rules, or it might be that they are very good at covering their tracks. Brave will be hoping to chalk up a victory over Google with this investigation however.
“The Irish Data Protection Commission’s action signals that now – nearly one year after the GDPR was introduced – a change is coming that goes beyond just Google,” said Johnny Ryan, Chief Policy Officer at Brave. “We need to reform online advertising to protect privacy, and to protect advertisers and publishers from legal risk under the GDPR.”
The complaint itself is directed at Google’s DoubleClick/Authorized Buyers advertising system. While giving evidence to the Data Protection Commission, Ryan has suggested the way in which data is processed through the system violates Article 5(1)(a), (b) and (f) of GDPR, as well as Section 110 of the Irish Data Protection Act.
DoubleClick/Authorized Buyers advertising system is active on 8.4 million websites, allowing the search giant to track users as they scour the web. This information is then broadcast to more than 2,000 companies who bid on the traffic to deliver more targeted and personalised ads.
This information can potentially be incredibly personal. Google has various different categories which internet users are neatly filed into, including ‘eating disorders’, ‘left-wing politics’, ‘Judaism’ and ‘male impotence’. The companies bidding on this data will also have access to geo-location information and the type of device which the user is on.
Under Article 5 (1)(f) of the GDPR, companies are only permitted to process personal information if it is tightly controlled. Brave suggests Google has no control over the data once it is broadcast and is therefore violating GDPR.
With the Irish watchdog, Europe’s lead for GDPR, investigating the system in Ireland, similar complaints have been filed the UK, Poland, Spain, Belgium, Luxembourg and the Netherlands. Should Google be found non-compliant, it would be forced to ditch the DoubleClick/Authorized Buyers advertising system and could face a fine as much as 4% of annual turnover. Based on 2018 revenues, that figure would be $5.4 billion.
“For too long, the AdTech industry has operated without due regard for the protection of consumer data,” said Ravi Naik of ITN Solicitors, who will be representing Brave for the complaint. “We are pleased that the Data Protection Commissioner has taken action. The industry must change.”
GDPR is supposed to be a suitable deterrent for the internet economy, but without enforcement and demonstrable consequences little will change. If GDPR is to work as designed, a monstrous fine will have to be directed at someone sooner or later. Could this be the first domino to fall?
UK data protection and privacy advocacy group Privacy International has submitted complaints to European watchdogs suggesting GDPR violations at several US firms including Oracle, Equifax and Experian.
The complaints have been submitted to regulators in the UK, Ireland and France, bringing the data broker activities of Oracle and Acxiom into question, as well as ad-tech companies Criteo, Quantcast and Tapad, and credit referencing agencies Equifax and Experian. The complaints are specifically focused on the depth of personal data processing, which Privacy International believes violates Articles five and six of the General Data Protection Regulation (GDPR).
“It’s been more than five months since the EU’s General Data Protection Regulation (GDPR) came into effect,” a Privacy International statement read. “Fundamentally, the GDPR strengthens rights of individuals with regard to the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers – in theory. In practice, the real test for GDPR will be in its enforcement.
“Nowhere is this more evident than for data broker and ad-tech industries that are premised on exploiting people’s data. Despite exploiting the data of millions of people, are on the whole non-consumer facing and therefore rarely have their practices challenged.”
The GDPR Articles in question relate to the collection and processing of information. Article Five dictates a company has to be completely transparent in how it collects and processes information, but also the reasons for doing so. Reasonable steps must be taken to ensure data is erased once the purpose has been fulfilled, this is known as data minimisation. Article Six states a company must seek consent from the individual to collect and process information for an explicit purpose; broad brush collection, storage and continued exploitation of data is being tackled here.
In both articles, the objective is to ensure companies are being specific in their collection of personal information, and that it is utilised in a timely manner before being deleted once it has served its purpose. These are two of the articles which will hit the data-sharing economy the hardest, and it will be interesting to see how stringently GDPR will be enforced if there is any evidence of wrong-doing.
This is where Privacy International is finding issue with the firms. The advocacy group is challenging the business practises on the principles of transparency, fairness, lawfulness, purpose limitation,
data minimisation, accuracy and integrity and confidentiality. It is also requesting further investigations into Articles 13 and 14 (the right to information), Article 15 (the right of access), Article 22 (automated decision making and profiling), Article 25 (data protection and by design and default) and Article 35 (data protection impact assessments).
While GDPR sounds very scary, the reality is no-one has been punished to the full extent of the regulation yet. This might be because every company has taken the guidance on effectively and is operating entirely within the legal parameters, though we doubt this is the case. It is probably a case of no-one being caught yet.
The threat of a €20 million fine, or one which is up to 3% of a business’ total revenues, is nothing more than a piece of paper at the moment. If there is no evidence or fear authorities will punish to the full extent of the law, GDPR doesn’t act as much of a protection mechanism or a deterrent. When a genuine violation of GDPR is uncovered, Europe needs to bear its teeth and demonstrate there will be no breathing room.
This has been the problem for years in the technology industry; fines have been dished out, though there has been no material impact on the business. The staggering growth of revenues in the industry has far exceeded the ability of regulators to act as judge and executioner. Take the recent fines for Apple and Samsung over planned obsolescence in Italy. The $10 million and $5 million fines for Apple and Samsung would have taken 20 and 16 minutes respectively to pay off. This is not good enough.
Regulators now have the authority to hold the suspect characters in the industry accountable for nefarious actions concerning data protection and privacy, but it has to prove itself capable of wielding the axe. Until Europe shows it has a menacing side, nothing will change for the better.
After the Irish government announced it has recovered Apple’s €13 billion tax debt, the European Commission has confirmed it will also drop its lawsuit against the country.
Having begrudgingly collected €13 billion in back taxes from the iLeader, it seems the Irish government has jumped through enough hoops to avoid the courtroom and having to explain why it was willing to help Apple’s tax avoidance strategy.
“In light of the full payment by Apple of the illegal State aid it had received from Ireland, Commissioner Vestager will be proposing to the College of Commissioners the withdrawal of this court action,” Commission spokesman Ricardo Cardoso said in an email statement to Reuters.
While the lawsuit, which was filed on the grounds Apple was receiving illegal tax benefits, was filed last year, Ireland did not collect the first payment until May. That said, the full amount has been collected, currently placed in escrow due to an Irish appeal, and it would seem this is enough for the European Commission.
“While the Government fundamentally disagrees with the Commission’s analysis in the Apple State Aid decision and is seeking an annulment of that decision in the European Courts, as committed members of the European Union, we have always confirmed that we would recover the alleged State Aid,” Irish Finance Minister Paschal Donohoe said.
Ireland is clearly not happy, though you can understand why. In allowing Apple to conduct ‘creative’ accounting practises, the technology industry has thrived in the country. Apple is not the sole reason for this recovery, though it would certainly be a contributing factor. €13 billion is of course a lot of money, though a technology renaissance has meant a lot more to the Irish economy and society. No wonder Ireland was content in keeping Apple happy.
What is always worth remembering is the employment history of European Commission President Jean-Claude Juncker. Prior to bagging the top job in Brussels, Juncker was the 23rd Prime Minister of Luxembourg and also the Minister for Finances, during which time the country turned into a major European centre of corporate tax avoidance. This was also a time Juncker spent a considerable amount of time secretly blocking EU efforts to tackle tax avoidance by multinational corporations.
But at least he’s willing to sue Ireland for facilitating tax avoidance now it suits his agenda.
French operator Iliad has teamed up with its founders private investment vehicle, NJJ, to buy a majority stake in Ireland’s largest telco, Eir.
As part of the new deal, Iliad will pay roughly €320 million to acquire 31.6% of Eir, while NJJ will take 32.9%, while existing shareholders Anchorage Capital Group and Davidson Kepner will retain a combined 35.5% of the Irish telco. While this is a minority stake for the moment, there are options for Iliad to take operational control of the telco in 2024.
The call option is exercisable in 2024 and would enable Iliad to acquire 80% of NJJ’s stake in Eir, at a 12.5% discount of fair market value. This discount would be determined by an independent valuation expert.
Such an acquisition will serve to feed Iliad’s geographical diversification ambitions, offering a strong entry into the Irish market. Aside from the domestic French market, Iliad has made moves into Switzerland and Italy also.
Eir is currently the market leader on the fixed line side, commanding a 32% market share, while it is in an attractive challenger position for mobile, holding 18% of the market. Revenues across Eir for the financial year ending June 2017 stood at €1.3 billion.
The news follows several months of debt restructuring for the Irish telco, and upon completion of the deal, its current CEO Richard Moat has said he will step down. The new management team will be determined by Iliad and NJJ.
Networking vendor Huawei’s quest for global domination shows no sign of slowing in the run up to Christmas, with raids on Dublin and Cairo.
There’s nothing Huawei likes more than photos of people in business attire, symbolically shaking hands or signing important-looking pieces of paper. Visits to Trinity College, Dublin and the Cairo ICT conference afforded rich pickings for the company photographer.
A new research partnership with Trinity is, we’re told, emblematic of Huawei’s growing R&D footprint in Ireland. Rotating CEO Guo Ping and Patrick Prendergast – Provost of Trinity – can be seen below holding up bits of paper in time-honoured fashion. Apparently Huawei is dropping $21 million on R&D in Ireland this year.
“Huawei’s continued investment in Ireland illustrates the innovative technology ecosystem we have developed, with more and more major international tech firms basing and growing their operations here,” said Irish Taoiseach Leo Varadkar (pictured below, with Guo Ping). “The company’s new research partnership with Trinity and its expanding R&D footprint across its Dublin, Cork and Athlone operations are a strong endorsement of Ireland’s tech credentials and illustrates Huawei’s ongoing commitment to its Irish operations. Bilateral trade between Ireland and China is now worth over €12 billion each year, and by strengthening our links with companies like Huawei we can increase this further in the years ahead.”
Meanwhile Huawei launched the Cairo OpenLab in… Cairo, during the Cairo ICT 2017 conference, also, conveniently, in Cairo. It managed to get a bunch of dudes to take a commemorative photo of the occasion, which you can see at the top of this piece.
“We established the OpenLab in Cairo so that we can make full use of the advantages of Egypt and serve all of Northern Africa,” said Ni Zheng, President of Huawei Enterprise Business Group, Northern Africa Region. “First, the ICT industry market in Cairo is relatively mature and its marketing capabilities influence surrounding countries.
“Second, Egypt recognizes the significance of industrial digital transformation, and the local industry chain ecosystem supports this transition for a number of industry enterprises. In addition, the education industry in Egypt is relatively well developed, with more than half of the top 15 African universities of UK QS Ranking located in Egypt, also contributing to the advancement of the region.”
Lastly, back in China, Huawei Wireless X Labs was instrumental in the creation of a Wireless Connected Factory Special Interest Group (SIG). This is actually the third SIG this bit of Huawei has got involved in, and looks set to be a cracker, with half of the company apparently involved in the inevitable photo (below).
“The mission of exploring future wireless use cases lies with X Labs,” said Ying Weimin, Huawei Wireless R&D President. “Huawei hopes that SIGs such as those set up by X Labs can discover and inspire many more 5G use cases and promote 5G technologies’ application in future smart manufacturing. Such efforts will contribute to the rise of connected factories. Huawei will work diligently alongside its partners to simulate further growth and innovation.”
The European Commission has ruled that Luxembourg illegally let Amazon off €250 million of taxes and must now get them back.
This is the latest round of a general purge by the EC of European countries effectively bribing US tech companies to use them as their European hub by dangling the carrot of reduced taxes. Last year the EC ruled that Apple owed Ireland €13 billion in back taxes, on which more later.
“Luxembourg gave illegal tax benefits to Amazon,” said Commissioner Margrethe Vestager. “As a result, almost three quarters of Amazon’s profits were not taxed. In other words, Amazon was allowed to pay four times less tax than other local companies subject to the same national tax rules. This is illegal under EU State aid rules. Member States cannot give selective tax benefits to multinational groups that are not available to others.”
On one level this seems fair enough; why should big companies get special tax treatment? On the other hand you could argue that if a country wants to use the tax system to general local jobs then that’s its business, so this comes down to a matter of sovereignty. But unless countries are going to take the brave step of leaving the EU then they have to put up with it. Here’s a handy infographic if you’re struggling to get your head around the matter.
The EC has also piped up on the matter of Apple’s Irish billions, grassing Ireland up to the European Court of Justice for dragging its feet over the matter. Ireland politely disagreed with the original decision and accordingly doesn’t seem to have acted on it, hence the referral to the ECJ.
“Ireland has to recover up to 13 billion euros in illegal state aid from Apple,” said Vestager. “However, more than one year after the Commission adopted this decision, Ireland has still not recovered the money, also not in part. We of course understand that recovery in certain cases may be more complex than in others, and we are always ready to assist. But member states need to make sufficient progress to restore competition. That is why we have today decided to refer Ireland to the EU Court for failing to implement our decision.”
While it’s safe to assume the phrase ‘feckin euro eejits’ may have been uttered at subsequent Irish cabinet meetings, it’s hard to see what alternatives they have. This escalation by Europe, however, may at least give Ireland more legal weapons to use in its bid to recover the cash and it wouldn’t be surprising if the sanctions against Apple start ramping if it doesn’t make more of an effort to resolve the matter.
Lastly, in other Ireland/ECJ news, the latter has been asked to rule on the case brought by Austrian Lawyer Max Schrems, challenging the Safe Harbour/Privacy Shield system whereby US companies can transfer European data to the US. This specifically concerns Facebook which, by complete coincidence, is based in Ireland. We’ve no doubt it pays absolutely loads of tax there but Ireland has nonetheless asked the ECJ to make a ruling on the matter, the details of which you can access here.
Sky Ireland has signed an exclusive wholesale contract with BT Ireland for its rollout of ultrafast broadband across the country.
As part of the agreement, BT will provide Sky Ireland with various different services, including backhaul network, to help bring its ultrafast broadband offering to the market. Part of this rollout includes rural homes which are included in the National Broadband Plan.
“This deal with BT reflects our continued commitment to investment in infrastructure in Ireland and will mean our customers can avail of the highest fibre speeds in the country across the widest possible footprint,” said JD Buckley, MD of Sky Ireland. “It will also allow us to bring fibre to currently underserved rural customers as part of the Government’s National Broadband Plan.”
“We are delighted that Sky Ireland chose BT to support the next phase of its rollout of next generation broadband technology,” said Shay Walsh, MD of BT Ireland. “It’s great news for the market in general, because competition brings choice and now consumers and businesses will have more providers to choose from for phone and broadband services.”
BT Ireland claims to be the only ‘access agnostic provider’ of wholesale broadband services in Ireland, counting more than 50 providers as customers.