

When the #EU passed its landmark #GeneralDataProtectionRegulation (#GDPR), it seemed like a #privacy miracle. Despite the most aggressive lobbying Europe had ever seen, 500 million Europeans were now guaranteed a digital private life. Could this really be?

--

If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

pluralistic.net/2023/05/15/fin…

1/

in reply to Cory Doctorow

Long thread/2

Well, yes...and no. Despite flaws (#RightToBeForgotten), the GDPR has strong, well-crafted, badly needed privacy protections. But to get those protections, Europeans need their privacy regulators to enforce the rules.

That's where the GDPR miracle founders. Europe includes several tax-havens - Malta, Cyprus, the Netherlands, Luxembourg, Ireland - that compete to offer the most favorable terms to international corporations and other criminals.

2/


For these havens, paying little to no tax is just table-stakes. As these countries vie to sell themselves out to giant companies, they compete to offer a favorable regulatory environment, insulating companies from lawsuits over corruption, labor abuses and other crimes.

All of this is made possible - and even encouraged - by the design of European federalism, which lets companies easily shift which flag of convenience they fly.

3/


Once a company re-homes in a country, it can force all Europeans to seek justice in that country's courts, under the looming threat that the company will up sticks for another haven if the law doesn't bend over backwards to protect corporate citizens from the grievances of flesh-and-blood humans.

Big Tech's most aggressive privacy invaders have long flown Irish flags. Ireland is "headquarters" to Google, Meta, Tinder, Apple, Airbnb, Yahoo and many other tech companies.

4/


In exchange for locating a handful of jobs to Ireland, these companies are allowed to maintain the pretense that their global earnings are afloat in the Irish Sea, in a state of perfect, untaxable grace.

That cozy relationship meant that the US tech giants were well-situated to sabotage Ireland's privacy regulator, who would be the first port of call for Europeans whose privacy had been violated by American firms.

5/

For many years, it's been obvious that the Irish #DataProtectionCommission was a sleeping watchdog, with infinite tolerance for the companies that pretend to make Ireland their homes. *87%* of Irish data protection claims involve just eight giant US companies (that pretend to be Irish).

But among hardened GDPR warriors, the real extent of the Data Protection Commissioner's uselessness is genuinely shocking.

6/


A new report from the #IrishCouncilForCivilLiberties reveals that the DPC isn't merely tolerant of privacy crimes, they're gamekeepers turned poachers, active collaborators in privacy abuse:

iccl.ie/wp-content/uploads/202…

The report's headline figure really tells the story: the #EuropeanDataProtectionBoard - which oversees Ireland's DPC - overturns the Irish regulator's judgments *75% of the time*.

7/


It's actually worse than it appears: that figure only includes appeals of the DPC's enforcement actions, where the DPC bestirred itself to put on trousers and show up for work to investigate a privacy claim, only to find that the corporation was utterly blameless.

8/


But the DPC almost never takes enforcement actions. Instead, the regulator remains in its pajamas, watching cartoons and eating breakfast cereal, and offers an "amicable resolution" (that is, a settlement) to the accused company. 83% of the cases brought before the DPC are settled with an "amicable resolution."

9/


Corporations can bargain for multiple, consecutive amicable resolutions, allowing them to repeatedly break the law and treat the fines - which they negotiate themselves - as part of the price of doing business.

This is illegal. European law demands that cases that involve repeat offenders, or that are likely to affect many people, *must* be fully investigated.

10/


Ireland's government has stonewalled on calls for an independent review of the DPC. The DPC continues to abet lawlessness, allowing corporations to use privacy invasive techniques for surveillance, discrimination and manipulation. In 2022, the DPC concluded 64% of its cases with mere reprimands - not even a slap on the wrist.

11/


Meanwhile, the DPC trails the EU in issuing "compliance orders" - which directly regulate the conduct of privacy-invading companies - only issuing *49* such orders in the past 4.5 years. The DPC has only issued *28* of the GDPR's "one-stop-shop" fines.

The EU has 26 other national privacy regulators, but under the GDPR, they aren't allowed to act until the DPC delivers its draft decisions.

12/


The DPC is lavishly funded, with a budget in the EU's top five, but all that money gets pissed up against a wall, with inaction ruling the day.

Despite the collusion between the tech giants and the Irish state, time is running out for America's surveillance-crazed tech monopolists. The GDPR *does* allow Europeans to challenge the DPC's do-nothing rulings in European court, after a long, meandering process.

13/


That process is finally bearing fruit: in 2021, @johnnyryan and the Irish Council for Civil Liberties brought a case in Germany against the #AdTech lobby group #IAB:

pluralistic.net/2021/06/16/ins…

And the activist @maxschrems and the group @noybeu brought a case against Google in Austria:

pluralistic.net/2020/05/15/out…

14/


But Europeans should have to drag tech giants out of Ireland to get justice. It's long past time for the EU to force Ireland to clean up its act. The @EU_Commission is set to publish a proposal on how to reform Ireland's DPA, but more muscular action is needed. In the new report, the Irish Council For Civil Liberties calls on the European Commissioner for Justice, @dreynders, to treat this issue with the urgency and seriousness that it warrants.

15/


As the ICCL says, "the EU can not be a regulatory superpower unless it enforces its own laws."

--

Image:
Cryteria (modified)
commons.wikimedia.org/wiki/Fil…

CC BY 3.0
creativecommons.org/licenses/b…

eof/

in reply to Cory Doctorow

Long thread/eof

Ah, but the EU in general does not enforce its laws.

EU MS have the infrastructure to enforce laws (including EU laws).