Dublin ‘can’t trust itself to do the right thing’: Why Irish EU presidency should recuse itself from regulating Big Tech

There is a type of room, Irish activist Johnny Ryan tells an audience the day before we speak, which exists in the small Irish houses his country built in a wave of construction in the 1960s: the biggest room at the front, usually unused, dust on the silver, fine linens. It is only opened when the priest comes for tea.

“Ireland’s presidency is like us getting the special room ready,” he says on stage at the Re:Publica conference in Berlin earlier this month adding: “This is the moment when Ireland is most interested in looking like something that, in this domain, it is not – a good European.”

Ryan runs Enforce, a litigation and investigation unit set up within the Irish Council of Civil Liberties (ICCL) to drag tech platforms through the regulatory system they are supposed to comply with.

He is unusually succinct for a critic of Big Tech – his crusade pretty much fits on a postcard: Europe’s digital enforcement crisis is, in essence, an Irish enforcement crisis.

The country that hosts almost every American tech firm’s European headquarters is also the country that has decided not to police them. And on 1 July this year, that country takes the rotating EU Council presidency and inherits the agenda-setting powers on the EU crown jewels of tech-laws: Digital Omnibus, the AI Omnibus, the implementing acts of the AI Act, the Cloud and AI Development Act, the Digital Networks Act, and the GDPR. All in one six-month run.

“That should make you worried,” Ryan says. 

Ryan’s worries are not based on vibes or general misgivings. He blew the whistle on the online-ad industry’s real-time bidding system in 2017, from inside it, and filed the first formal GDPR (General Data Protection Regulation) complaints against Google’s ad-tech the following year.

Dr. Johnny Ryan is director of Enforce, a unit of the Irish Council of Civil Liberties that advocates, investigates, and litigates to protect people in the digital age. He is known for global campaigns against Big Tech surveillance, leading to major lawsuits and regulatory actions targeting the ad-tech industry.

Ireland’s job, by way of how the GDPR was drafted, is to defend the rest of Europe when it comes to the tech companies headquartered there. Whichever country a multinational picks for its European headquarters becomes the supervisor responsible for the data of citizens in every other member state – a hospital in Hamburg, a school in Lille. 

Meta, Google, TikTok, Microsoft, LinkedIn, X, Apple all picked Ireland. So did most of their AI activity. Which means, in Ryan’s words: “Ireland is responsible for defending the rest of Europe when those companies abuse Europeans’ data.”

In short: if Dublin doesn’t move, nobody moves. “If the Irish enforcer doesn’t do anything, then other European countries cannot really act either.” One part of Enforce’s job is to break that paralysis, by dragging the Irish DPC, by complaint and litigation and public noise, into doing the work its own mandate requires. It’s a necessary job for reasons that will become obvious.

And also one, that in Ryan’s view, should lead Ireland to recuse itself from managing any digital files in its upcoming European Council rotating presidency.

The race Ireland won

“You have to applaud Ireland for winning the race to the bottom, until you realise that equates to selling out Europe,” he says, not mincing words.

The day before, on the stage in Berlin, he put the same indictment in a more rhetorical register: “Why can’t we protect our children? Why can’t we protect our politics? Why can’t we protect national security? Why can’t we make space in the market for innovators to scale? And the answer is Ireland. One word.”

Ireland: why, though?

The standard line is that the Irish DPC (Data Protection commission) is under-resourced. It used to be, Ryan says.

German activist Max Schrems once photographed the office’s bins by the back door – which was in fact the front door –  a decade ago, and the then German chancellor Angela Merkel reportedly raised doubts on its effectiveness with the Taoiseach.

But Ryan corrects this narrative: The DPC has a €33m budget and around 300 staff, and: “Successive governments have given it more and more money. It’s now among the top in Europe for resources.”

So if it isn’t a lack of money, what is it?

Ryan goes all the way back to the 2008 banking crisis to explain things: The Irish parliament eventually ran a long inquiry into the regulators that had failed to spot what was coming, and the report’s verdict, he paraphrases, was that the regulator, instead of using its powers when it saw a problem, “would instead engage in protracted correspondence, sometimes for a decade or longer. They’d send letters to you, just keep bouncing letters back and forth.”

The regulator relied on what came to be known in Ireland as “moral suasion” – “A culture of deference: We used to call it a cosy consensus,” says Ryan.

“The facts are that to any observer who just judges by behaviour, it certainly looks as though the DPC has been acting as Meta’s protector, Google’s too, and everyone else’s who might be able to contribute to the Irish exchequer.”

Ireland was already a tax haven when the platforms arrived, stacking a regulatory haven on top was a convenient next move. “You could be a regulatory haven and a tax haven,” Ryan says. “Digital regulatory haven, and a financial regulatory haven.” On tax, he says, the policy was deliberate. On data, he won’t go that far: “I’m not aware of any documents or any admissions.” It’s a pattern of behaviour consistent for long enough, and lucrative enough, to look like a strategy though.

He remembers a European Parliament delegation visiting the Irish parliament’s Justice Committee a few years ago: “These MEPs said: ‘We’re a bit concerned, because when we just met with Google, they said they really like your regulator. Get along really well.’ That’s not what we wanted to hear.”

In his arguments Ryan leans heavily on GDPR, which should lead the Irish DPC to stop companies from using data collected for one purpose to gain an advantage in another line of business – what insiders call ‘purpose limitation’. 

What it looks like instead is what he describes as “a massive free-for-all inside your conglomerate, where data taken for one reason is then used for countless purposes and ultimately gives you an unassailable head start in AI training data.”

Ryan says this causes what he calls a cascading monopoly: a taxi app uses its location data to launch a pizza service, then fintech, then health insurance. That’s what the law is meant to stop, but it is not really doing.

His stage version of that last point was blunter: He had shown the audience the running total of GDPR fines issued by the DPC against the platforms, which look like a rounding error in the market caps on display, and, anyway, “almost all fines sit in years-long appeals,” Ryan said.

“We do not have law,” he said, adding: “This is a fantasy. The fines are meaningless.”

*thinking emoji*

The Irish state’s most recent personnel decisions are quite likely not helping, Ryan notes both on stage and in conversation. Take the new data protection commissioner, appointed in September, Niamh Sweeney.

Before this job she was head of public policy at Facebook Ireland during the Cambridge Analytica years and the Frances Haugen disclosures, then EMEA [Europe and Middle East] policy lead at WhatsApp, then comms at Stripe, then a director at a London consultancy that advises tech firms, and the ICCL has filed a formal complaint with the European Commission about her appointment. 

Ryan, on stage: “We have hired a big tech lawyer to police big tech. Someone who actually is not necessarily an expert on data, but is an expert on lobbying.”

He corrects himself in our call: “Actually, I misspoke yesterday. She wasn’t a lawyer, she was a lobbyist.” Either way, he says, the criteria the government used to assess her are wrong for the job: “These people have no experience of enforcement. No real experience of investigation. They’re not trained investigators.”