If you read my last article on the Microsoft Ireland case, you’ll recall that Microsoft operates one of its major cloud storage facilities in Ireland. While not itself eyebrow-raising, Microsoft is not the only corporation making headlines in Ireland. Recently Twitter announced that it would be processing all non-US Twitter users, some 300 million people, in Ireland. Eyebrows elevated yet? Or what about the fact that the top 10 US tech firms all have their international headquarters in Ireland? So what’s the deal with Ireland? Tech companies are flocking to the Emerald Isle, and presumably not just because they are after its Lucky Charms. Ireland appears to be offering a pot of gold for tech companies, so I thought I’d expand upon my discussion of the Microsoft Ireland case to discuss the role Ireland is playing in the US-EU divide over privacy.
To begin, the fundamental takeaway from my discussion of international cyber-jurisdiction is that we just don’t know, and probably cannot know, how jurisdiction will be extended over the Internet. Even a definitive ruling on US cyber-jurisdiction cannot bind the international community, and it is very likely that different countries will take different approaches. While perhaps only mildly frustrating for citizens, this is maddening for multinational corporations. If you are Google or Facebook, you have to comply with each of the laws of each of the countries within which you operate, regardless of their apparent interoperability. The logistics of creating a tiered system of compliance leads to the amusingly simplistic practice of defaulting much of the world to the highest settings. Much like how California can set national standards despite only having jurisdiction over its boundaries, the combination of a large market and strict regulations can create a de facto global standard.
In the (Euro) Zone
The role that California plays on the US stage, the European Union arguably plays on the international one (putting aside China, which deserves its own category). The EU takes a notably different approach to privacy and security than the US, utilizing a top-down, broad-spectrum approach to regulation, as opposed to the US’s sectoral approach. The EU enacts EU-wide laws called “regulations” and “directives”; regulations are immediately enforceable everywhere, whereas directives require each nation to enact its own law on the matter. The important distinction is that EU countries have leeway in how they enact directives, meaning that there is some variation in how strict or lax the laws in the various EU countries will be. For example, Germany takes a hard line with regard to privacy; Ireland, less so.
The specific directive I want to focus on is the EU Data Protection Directive, which aims to protect EU citizens’ privacy by mandating that all corporations adhere to seven privacy principles, and by preventing corporations from transmitting EU-citizen data to countries which do not meet the directive’s requirements. (Note that as a directive, each country enacts its own law.) So while all EU members should meet these criteria by default, countries outside the EU are basically required to voluntarily adopt the Data Protection Directive if they want to process EU data. The notable problem with this framework is the United States, which is both the largest economy in the world and unlikely to comply with the directive. Denying corporations the ability to transmit to the United States seemed unworkable, and led to the US-EU Safe Harbor Agreement. This allows corporations to “self-certify” that they meet certain requirements, which will then allow them to transmit data from the EU to the US. If this strikes you as a lax standard, you aren’t the only one. But it is the law up to this point.
The Luck of the Irish?
Which brings me to Ireland. US corporations looking for a one-stop shop for access to the EU have overwhelmingly opted for Ireland. Apart from speaking English and utilizing the familiar English court system, Ireland also has one of the lowest corporate tax rates (part of the infamous Dutch sandwich) and is among the least burdensome regulators within the EU, making it an ideal spot for multinational corporations. Indeed, Ireland’s pro-corporate policies have led many to suggest that Ireland is effectively buying corporate residence in exchange for lax regulations. Despite these complaints, consolidating tech companies under Irish law has the undeniable benefit of uniformity. A single body of law that all corporations can follow makes privacy governance much easier, and also provides a clear avenue for implementing improvements for privacy regulation. So while Irish standards might currently be wanting, utilizing a single body of law will ease the implementation of improvements, at least in theory.
But not everyone in the EU is as happy with Ireland as corporate America, and Ireland is currently before the European Court of Justice regarding its implementation of the Data Protection Directive. Specifically, EU citizens are asserting that Irish-based corporations which disclose data to US surveillance organizations are in violation of the US-EU Safe Harbor. Facebook is legally allowed to transfer data on EU citizens to its US parent company, which arguably subjects the data to increased US surveillance. Activists argue that this practice cannot be reconciled with the requirements of the Safe Harbor and the European Convention on Human Rights, and that the Irish Data Protection Commissioner (DPC) should audit or restrict all data transmitted to the US. The Irish DPC counters by saying that Facebook is complying with the Safe Harbor, and that the legality of the Safe Harbor in light of the revelations of US surveillance is not within the DPC’s authority to adjudicate.
The Safe Harbor itself basically restates the Data Protection Directive’s principles of Notice, Choice, etc., but the devil is in the details. Broad principles like Notice and Choice are subject to a tremendous amount of variation in interpretation and implementation, so the requirements desired by the EU might not be realized by the Safe Harbor. For instance, what notice is required with regard to US surveillance programs that companies are often legally bound to not discuss? Almost all treaties acknowledge some limitations for national security reasons, and most privacy policies ostensibly give notice that they will disclose personal data in compliance with legal law enforcement requests. The US and EU interpretations of the notice requirement are likely to be different in this context, so exactly how US surveillance will mesh with the EU Data Protection Directive and the corresponding Safe Harbor remains to be seen.
I should mention as well that a General Data Protection Regulation (read: the same across the EU) has been in development for several years, providing a potential alternative to Irish regulatory dominance. Originally conceived to better target our social media-focused Internet, a pan-European Data Protection Commissioner would allow for a more equitable representation of national interests, and would be better equipped to deal head on with issues relating to the Safe Harbor. The issues that have been raised with regard to Ireland will have a substantial impact on US-EU relations, and will likely require a more centralized EU body to rectify them.
At the end of the rainbow
But the broader issue is that a failure to reach an international agreement on Internet privacy could lead to the stratification of the Internet, with a US-EU-China trichotomy emerging. Already this can be seen by Twitter’s decision to consolidate non-US user data in Ireland: Twitter is compartmentalizing its business to coincide with the US-EU divide over privacy. (Twitter is banned in China, simplifying its equation somewhat.) And EU privacy advocates frequently call for a more strict separation between the EU and US branches of the tech giants. With the EU’s emphasis on collection and use restrictions, as well as developments like the right to be forgotten, the European treatment of Internet regulation is growing increasingly incompatible with the US’s laissez faire approach. And neither the US nor the EU has ever been particularly compatible with China’s more authoritarian model, which explains why QQ and QZone aren’t household names, despite having user-bases surpassed only by Facebook.
Exactly what Internet stratification would mean for the average user is hard to say. While the standard line is that regulation stifles innovation, it’s worth noting that in many ways the Internet is already getting smaller. Gigantic sites like Facebook and Google serve as the web-gatekeepers to content, and their algorithms can make or break websites. (The rise and fall of those viral Upworthy videos is largely credited to changes in Facebook’s algorithms.) This is compounded by the fact that Facebook is constantly incorporating other services, like news articles, so that its users never need to leave the website. And the rise of smartphones has led others to claim that the future of the Internet is really just apps, where a few apps will control your web-exposure. So while a stratified Internet might change where data is stored and how data is processed, I doubt it would alter the trend towards a consolidated Internet experience.
The real concerns of Internet stratification relate to geopolitics and global trade, two issues I am not qualified to talk about. Suffice it to say that increased inter-connectivity and globalization are good for business, and that a singular, unrestricted Internet is arguably the strongest force in support of those two things. So while the world is still unsettled over how to balance digital privacy, surveillance, and jurisdiction, it would be in everyone’s interest to reach some form of global agreement.