Data and privacy will be Brexit battlegrounds, by Tony Connelly
In September 2018, the Marriott hotel chain discovered that the private details of up to 339 million people had been stolen from the company’s guest reservation database in a massive hacking operation going back years.
Names and addresses, phone numbers, email addresses, passport numbers, credit card numbers and expiry dates, loyalty card information, dates of birth, gender, arrival and departure information, reservation dates were all hacked.
The British data protection authority announced a fine of £92m (€108m) under the EU’s privacy regime, the General Data Protection Regulation (GDPR). Some 30 million of the affected guests were from EU or EFTA member states.
Thanks to GDPR, privacy regulators in other member states did not need to take action on behalf of their citizens – the British regulator, the Information Commissioner’s Office (ICO), was in the driving seat to investigate and punish the breach.
Now with Brexit, the UK will be out of the GDPR.
“With the ICO outside the tent,” says Helen Dixon, Ireland’s Data Protection Commissioner (DPC), “if [Marriott] suffered a breach those member states would have to take their own enforcement action. We can’t turn to the UK any longer and say you’re the lead authority. It increases the workloads on all of us.”
However, Brexit will have much more far-reaching consequences for Ireland’s place in the deepening matrix of consumer privacy, big data, organised crime and state surveillance.
Data generated by online consumer activity is now an extraordinarily valuable commodity which flits instantaneously around the globe.
Consumers and governments struggle to balance privacy with the fight against crime and terrorism; multinationals want to limit its regulation; authoritarian states want to use data to control citizens.
“For the US,” Pascal Lamy, the former Director-General of the World Trade Organisation (WTO) told a conference in Brussels this week, “data is there to buy and sell. For Europe data is private property. For China data belongs to the state and the Party.”
Within that three-way struggle, Ireland has been under an unusually harsh spotlight because it hosts a disproportionately large number of global multinationals uniquely powered by, and associated with, the harvesting of consumer data.