While illicit data sharing might affect citizens from all 27 EU states, revenue from General Data Protection Regulation (GDPR) fines usually stays in the country where the offending company is based — because the regulatory framework falls under national jurisdiction, an exclusive Cybernews investigation can reveal.
What this essentially means is that Ireland, for instance, gets to keep every cent of the €2.5 billion it has fined Meta for GDPR infractions, because the social media giant’s European operation is headquartered there for tax purposes.
If your initial reaction to this is “so what” — I urge you to think again and keep reading.
It’s common knowledge by now that platforms such as Facebook and Google hoover up troves of user data, which they then monetize by selling on to the highest bidders, who in turn use it to make their money by targeting us with tailored online advertisements.
What is essentially missing from this arrangement is our cut: the public’s data trails are, apparently, something we are entitled to create but not to profit from.
No wonder then that the GDPR, which celebrated its fifth birthday this year, has been hailed by so many as a landmark piece of legislation: it supposedly gives recourse against encroaching big tech firms, who can be obligated to cough up hefty sums if the EU finds them guilty of data sharing and privacy violations. Quite simply, it implies restitution.
Unfortunately, the truth is not quite so clean cut.
GDPR: who really benefits?
When total fines levied under GDPR topped €4 billion this year, I began to wonder where all that money was going. In May, a single fine levied against Meta stripped it of a whopping €1.2 billion, bringing the total fines against Mark Zuckerberg’s social media behemoth to more than twice that figure.
Now, that’s a lot of loot: true, life is more expensive nowadays than ever, but spent wisely a few thousand million can still go a long way towards helping society. And what of the actual victims of data-sharing infringements themselves? Does this money go to them directly, by way of compensation?
Well, apparently not — unless you put in a claim on your own behalf as an EU citizen, you likely won’t get anything by way of compensation from Meta or any other firm that you suspect is misusing your data. On its official website, the European Commission sets out guidelines for how and when private individuals and organizations can claim for compensation in cases where they think their data rights have been breached. Briefly summarized here, these usually entail pursuing a complaint either directly with the company concerned or via national courts.
In 2022, German media reported that individual persons could receive up to €1,000 for pursuing a valid claim in court for data-related risk incurred as a result of a cyberattack on Facebook in 2019 that saw 500 million user records compromised. The report cited the GDPR as binding in this case, suggesting that in some cases at least, private individuals are able to use the EU law to secure financial reparations when tech giants are found wanting in their data custodianship.
But even if you do successfully claim, any money you receive will not be taken from the GDPR slush fund. In other words, if, as a resident of Lithuania holding a French passport, I were to apply for restitution, say, from Meta for illicitly using my data without my express consent, it wouldn’t cost Ireland a penny.
Another way of putting it still is this: having enticed Meta to set up shop on its shores with tax breaks, Ireland now gets to retain the privilege of profiting from the tech giant’s abuse of any and every EU citizen’s data. Good for Ireland, no doubt, but what about the 26 other countries who may have fallen foul of social media giants’ data misuse?
Always follow the money
Let’s backtrack a bit to see how I arrived at this conclusion. Naturally, I started by following the money. My first port of call was the European Data Protection Supervisor (EDPS), tasked with supervising the GDPR. In the European Commission’s own words, it is mandated to “monitor and ensure the protection of personal data and privacy when EU institutions and bodies process the personal information of individuals.”
So I asked the EDPS: just where exactly does the money from fines levied against Meta by Ireland — or Amazon, which was fined €765 million by Luxembourg in 2021 — go to, and what is it spent on?
The response I received on May 30th read as follows: “While the GDPR determines which infringements can lead to the imposition of a fine and which DPA [data protection administration] in the EU/EEA has the power to impose a fine for infringements, the GDPR does not determine what happens to administrative fines [my emphasis]. This is determined by national law and differs between member states. For all aspects of enforcement not governed by the GDPR, national law applies.”
Intrigued, I took my query to Ireland’s DPA, aka the Data Protection Commission (DPC). On June 6th, I received the following response: “Regarding your query, as set out under Irish law, once the fines are confirmed in the court, the DPC will issue a notice requiring payment to each of the various entities.”
Fined entities then have 28 days to pay up, after which point “the DPC engages with the Department of Public Expenditure and Reform in the Irish Government, for the purpose of remitting the money to the Exchequer. It is then a matter for the Irish government to determine any expenditure.”
Hmm. By now, I was getting a distinct whiff of national interest in the air, while remaining in little doubt that Meta and Amazon’s abuse of private data was a pan-European — if not a global — issue.
Still on the trail
Unfazed, I followed the DPC’s directions and sought out the Department of Public Expenditure and Reform. While awaiting their response, I also reached out to NOYB, an EU-affiliated data regulator.
NOYB describes itself as “a stable European platform [...] designed to join forces with existing organizations, resources and structures to maximize the impact of GDPR.” Its honorary chairman is Max Schrems, among the first to go public with big tech data infringements when he filed a case against Facebook in 2013 with the DPC in Ireland.
I didn’t hear back from Schrems directly, but his colleague replied to me on June 15th. “In short: the money is going to the countries, in the case of Meta, Ireland, in the case of Amazon, to Luxembourg,” she told me.
But I wanted to hear it directly from the Irish government — and, assuming it confirmed the matter, I also wanted to know precisely where that GDPR money was being spent. On June 20th, I received a response from the Department of Public Expenditure and Reform in Ireland. “The Department of Justice would be best placed to help answer this query as it falls under data protection,” was all it said.
Doggedly, I hit up said department and repeated my query. On June 26th, I received a more detailed reply.
“Section 141 of the Data Protection Act 2018 [on the Irish statute] deals with administrative fines,” it said. “Subsection (7) provides that all fines payments received by the Data Protection Commission shall be paid into or disposed of for the benefit of the Exchequer in such manner as the Minister for Finance may direct.”
It went on: “Fines levied in accordance with EU laws (such as the GDPR) by the relevant authority of a member state are normally paid in the member state where the fine is levied, in accordance with EU and national law.”
Now here’s where it gets interesting. While any person “who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the data controller or processor responsible for the damage suffered,” this restitution is not sourced from fines money.
As the Department of Justice puts it: “Hypothecation — the ring-fencing of taxes for specific and related purposes — is not a feature of the Irish tax system in general. The Department of Finance is opposed to the hypothecation of Exchequer receipts as it reduces the flexibility of government to prioritise and allocate funds as necessary at a particular time.”
What the Justice Department appears to be arguing here is that revenue from GDPR fines technically falls under taxation, which it is the policy of the Irish government not to “ring-fence,” that is to say allocate for a specific purpose: for instance, paying individuals compensation for data infringements against them.
But more to the point, the Irish government appears also to be implying that the GDPR money stays in Ireland — regardless of who in the EU may have fallen foul of Meta’s data liberties.
At last, an answer — of sorts
Just to be sure, I replied with the following question: could somebody residing in an EU state other than Ireland who has “suffered material or non-material damage,” as the Irish government puts it, as a result of a GDPR infringement claim compensation from the monies obtained from a GDPR fine?
On June 29th, the department replied, and I believe its response is worth quoting in full:
“In accordance with GDPR, a person who has suffered damage has the right to receive compensation from the data controller or processor responsible for the damage. This means the affected person can make a claim directly to the company/organisation concerned or before the national courts, either of the EU member state where the controller or processor is established, or alternatively, before the courts of the EU member state of the affected person’s habitual residence.
“The fines issued by EU Data Protection authorities and subsequently collected from organizations/businesses in breach of GDPR regulations are not used for the purposes of paying compensation to individual claims, nor is there a requirement that a fine has been applied for a right to compensation to exist.”
What this means is that the money obtained from GDPR fines is essentially uncoupled from any compensation that might be due to someone whose data rights have been infringed: indeed, an individual’s right to be paid such does not even depend on any fine having been levied in the first place.
Back in Brussels, the EDPS seemed to confirm as much. “Please note that an administrative fine is not intended to serve as a means to compensate data subjects, but is intended as a deterrent,” it told me, citing its Binding Decision 1/2023 as saying “the fine must be set at a level that discourages both the controller or processor concerned as well as other controllers or processors carrying out similar processing operations from repeating the same or a similar unlawful conduct.”
So: the GDPR fining mechanism is a deterrent that also conveniently allows countries like Ireland and Luxembourg to be rewarded twice for headquartering tech giants on their soil in return for juicy tax breaks. Hardly seems in keeping with the spirit of fairness that the EU — and all its directives — was intended to enshrine.
There do appear to be some caveats to this, however.
For instance, in 2019, the French regulator CNIL fined Google Ireland €50 million for failing to comply with the French Data Protection Act.
According to the BBC at the time: “Although Google's European headquarters is in Ireland, it was decided among the authorities that the case would be handled by the French data regulator, since the Irish watchdog did not have ‘decision-making power’ over its Android operating system and its services.”
Two years later, CNIL followed this up with another €60 million fine against Google Ireland, and the same thing appears to have happened with yet another CNIL fine for the same amount in 2022, this time levied against Facebook Ireland, that is to say, Meta.
So in these cases, it would appear that the money went from one country to another.
But, again, it isn’t clear that all the victims of these particular data infractions were exclusively French citizens or residents, which again begs the question: laudable though the GDPR may be in its intentions, are the proceeds from it being fairly distributed?
Is it just me, or is this slightly off?
Keen to get a second opinion, I reached out to Arka Ray at the Data Economics Company, which is campaigning for the public to receive payment from tech companies making money off their data.
“Ireland is a popular spot for tech companies to establish their EU operations because of favorable tax treatment, so it seems like this is happening because Ireland has jurisdiction over Meta's operations in all of the EU due to their Irish HQ,” he said. “I am sure that some EU citizens would like to see the proceeds of this penalty be more widespread, either across member states or even to impacted citizens themselves, in the case where their individual data has been improperly shared. I could see member states that have a high number of impacted citizens, but no tech company headquarters, making an argument for a different distribution of funds.”
Describing the GDPR as a “work in progress” in terms of its implementation, he added: “Despite its fairly widespread protections, consumers themselves in the EU still don't have easily accessible, transparent information about how their data is being utilized, or a clear way to be compensated for their data when it is used by others, let alone when it is improperly shared.
“This also demonstrates that having protection for data privacy and usage rights, such as what GDPR offers, is not sufficient to also ensure that data owners receive ‘fair value’ for the usage of their data (with their consent). It will be really interesting to see whether this comes up in discussions at the EU level, whether in the Parliament or the Commission.”
It will indeed.