Login | March 23, 2023

GDPR five years on: Languishing enforcement because Ireland

Technology for Lawyers

Published: February 17, 2023

OK first year law students, here’s a question: Can a contract between two private entities negate a law? How about some kind of adhesion contract, like the one you signed/ didn’t know about that you have with Facebook/Meta?
Answer: Of course not.
Meta: Oh yeah? Look at this defense.
Recently the European courts imposed a fine of almost 400 million euros on Meta for violating the GDPR by forcing targeted advertising down the throats of everyone on Facebook. You might have seen that.
Meta is fighting back. Its defense is that users signed a contract (Terms of Service) to receive targeted advertising, and that, somehow, that private contract obviates the law. Meta has been ordered to stop targeted advertising in Europe. Meta says that it will not.
(GDPR explainer: If you don’t know what it is, look it up).
This case was somewhat of a breakthrough, but don’t expect it to create a precedent.
Enforcement of GDPR has been lax since it went into effect, to say the least. GDPR’s enforcement articles say that a case must be filed against a company in the country in which the company has its EU headquarters. In Meta’s case, that country is Ireland.
In fact, most large tech companies have their European HQs in Ireland.
Why Ireland? Well enforcement in Ireland is, shall we say, rather lax.
The country’s economy depends on foreign investment—particularly from the large tech companies headquartered there. So filing a case against a tech company there can be an exercise in waiting.
Ireland has a backlog of over 300 GDPR cases filed against the tech companies there—some from as far back as 2018.
Somehow, regulators have still fined companies more than 2.8 billion euros. But the tech companies have Ireland on their side and doing anything about their behavior is a difficult undertaking, according to several analyses.
So a group has decided to bring an action against Meta under GDPR in the UK, filing it under Article 21.2, which gives a user the absolute right to object to the use of personal data. We will see if the UK courts are any more sympathetic to user privacy than the Irish courts.
Stay tuned!