ast May, Europe imposed new data privacy guidelines that carry the hopes of hundreds of millions of people around the world — including in the United States — to rein in abuses by big tech companies.

Almost a year later, it’s apparent that the new rules have a significant loophole: The designated lead regulator — the tiny nation of Ireland — has yet to bring an enforcement action against a big tech firm.

That’s not entirely surprising. Despite its vows to beef up its threadbare regulatory apparatus, Ireland has a long history of catering to the very companies it is supposed to oversee, having wooed top Silicon Valley firms to the Emerald Isle with promises of low taxes, open access to top officials, and help securing funds to build glittering new headquarters.

Now, data privacy experts and regulators in other countries are questioning Ireland’s commitment to policing imminent privacy concerns like Facebook’s reintroduction of facial recognition software and data-sharing with its recently purchased subsidiary WhatsApp, and Google’s sharing of information across its burgeoning number of platforms.

Interviews with scores of privacy experts, data watchdogs, academics and regulators in other countries over the past 10 months reveal increasing concern that the landmark General Data Protection Regulation, the product of years of wrangling with data companies, is vulnerable because of the one provision on which the tech companies prevailed: That the lead regulator be in the country in which the tech firms have their “data controller” – in most cases, Ireland.

“We need to be careful and ensure that the margin for maneuver given by the GDPR doesn’t lead to an attractiveness competition between EU countries, as is already the case for taxation,” Marie-Laure Denis, France’s new chief privacy regulator, warned the French parliament in January, in a clear reference to Ireland. “I don’t want to see a race [between EU countries] to attract or keep the headquarters of the big tech actors.”

Ireland’s willingness to crack down on the companies that dominate its economy has long been questionable, even when its regulatory officials spot a potential violation. Such a situation developed with Facebook in 2011, in events detailed here for the first time.

Years before the social media giant unwittingly released the personal data of 87 million users that made its way to Cambridge Analytica and the 2016 Trump campaign, Ireland’s data privacy regulator found that it was failing to screen applications in a way that could have prevented the breach.

The then-head of Ireland’s Data Protection Commission recorded his complaint in a 2011 audit report that zeroed in on how Facebook was allowing outside app developers to gain access to oceans of “friend” data. Facebook pushed back on the finding, according to the agency, and the Irish regulator backed off, issuing an almost perfect score for Facebook’s privacy practices in a follow-up report a year later. The rampant exposure of data wasn’t corrected until years later — too late to prevent the Cambridge Analytica breach.

Ireland’s failure to safeguard huge stores of personal information looms larger now that the country is the primary regulator responsible for protecting the health information, email addresses, financial records, relationship statuses, search histories and friend lists of hundreds of millions of Americans, Europeans and other users around the globe.

Already, regulators in other countries are expressing concern over Ireland’s failure this year to crack down on Facebook’s sharing of data with the messaging tool WhatsApp, which it purchased in 2014.

According to the EU, Facebook misled European officials into believing the two networks would not exchange information, thereby allaying concerns at the time of the merger that WhatsApp users could be drawn into Facebook’s web. In 2016, a German court found that the two networks were indeed sharing data, and barred Facebook and WhatsApp from exchanging information about German users. The ban became unenforceable when the GDPR took effect and Ireland became the lead supervisory authority. Now, German authorities say the sharing has resumed and Ireland must crack down. For their part, Irish officials said in a statement they’re satisfied that Facebook and WhatsApp aren’t sharing information for the purposes of “friend suggestion or enhanced advertising.”

Meanwhile, Facebook took advantage of Ireland’s assumption of the lead regulator role last May to reintroduce its facial recognition tool, which had been banned in the EU out of fear that photos would be used to track people without their permission. Facebook says it will not utilize the photo data until it receives consent from individuals. But other EU regulators and privacy lawyers contend that merely storing the photographs amounts to an unauthorized collection of data under GDPR rules. Although Irish authorities have suggested they share many of the lawyers’ concerns and have begun a preliminary “examination,” they have yet to launch a formal probe.

Google, meanwhile, aroused the ire of regulators in other countries last year by failing to obtain consent before sharing data among its fast-growing line of networks and products — from YouTube to Google Photos to Gmail and more. Irish regulators declined to open a probe against Google, which had consolidated most of its operations for Europe, Middle East and Africa in Ireland, arguing that the company had not yet finished the paperwork that would give Irish regulators “lead supervisory authority.” The paperwork was finished in January, but Ireland has yet to announce an investigation.

Critics, including German authorities, insist that the Irish Data Protection Commission had the authority to launch a probe without Google’s consent, and should have done so. Meanwhile, France stepped in to issue its first-ever fine under GDPR against the company for €50 million.

The head of the Irish Data Protection Commission, Helen Dixon, declined requests for interviews. Her spokesman, Graham Doyle, wrote in an emailed response to POLITICO’s questions that the commission takes its regulatory responsibilities seriously and has 16 investigations underway, probing complaints against companies including Twitter, WhatsApp, Instagram, LinkedIn and Apple, along with seven probes involving Facebook.

The Irish Data Protection Commission is “one of the most strongly resourced data protection authorities in Europe” and stands ready to impose “fines and firm remedies when appropriate,” he wrote.

Doyle said the commission, which earlier this decade was so obscure it was headquartered in a small office above a convenience store in the tiny village of Portarlington, is recruiting state-of-the-art industry experts to join its staff of approximately 140 people currently working out of temporary offices in Dublin, with a goal of eventually employing 180 people.

He noted the agency’s tough new enforcement powers include fines of up to 4 percent of a company’s annual worldwide revenues and cited the agency’s willingness to enforce privacy rules by pointing to a pre-GDPR case in which Irish regulators ordered LinkedIn to delete data on nonmembers.

He rejected any suggestion that the agency is being overly to deferential companies under its purview, but added: “Those with an interest in data protection don’t always agree on every point, and we respect that.”

Nonetheless, regulators in other EU countries, particularly Germany, remain skeptical, maintaining that Ireland is letting major complaints slide and creating the risk of a regulatory safe zone in Europe. So, too, are independent experts who are familiar with the actions of the Irish Data Protection Commission.

“It’s the appearance of an investigation rather than the substance of one,” said the independent Dublin-based data management consultant Daragh O’Brien, referring to the Ireland's data enforcement culture, which he scrutinizes closely.

Max Schrems, an Austrian privacy advocate behind some of the most successful legal challenges against major technology companies, said he believes Ireland’s approach to regulation is more or less unchanged since 2012.

“They’ve basically gotten smarter about not doing things,” said Schrems, whose initial complaint about transatlantic sharing of data was thrown out by the Irish regulator in 2013, only to succeed in European courts, bringing down the transatlantic data-flow agreement known as Safe Harbor.

Ireland continues to take a more corporate-friendly approach to regulation than many of its EU counterparts, openly favoring negotiation over sanctions, and lists of questions over on-site inspections.

For example, as of last October, the Data Protection Commission had yet to dispatch any regulatory agents to Facebook’s Dublin headquarters, despite its multiple investigations, according to a person close to the matter who spoke under the condition of anonymity. Rather than seek answers more aggressively, the regulator has been satisfied by “updates” from Facebook’s headquarters that often reveal little more than what’s been said in public statements. Both Facebook and the DPC declined to say whether any on-site visits have taken place since 2011.

Around the same time, France posted its own regulatory officers inside Facebook’s offices to monitor the network’s efforts to police hate speech and terrorist content, a core concern in many countries where terrorists have connected via social media and hate speech has encouraged racist or sectarian violence. But France has no authority to enforce standards beyond its borders.

Privacy watchdogs also voice concerns about the 2014 appointment of Helen Dixon, an Irish civil servant with no prior experience in regulatory enforcement, to replace Billy Hawkes, the regulator who initially presided over the finding of Facebook’s over-sharing of data with researchers and developers of third-party apps.

If Ireland were serious about cracking down on privacy violations, some legal professionals said, it would have followed the lead of the United Kingdom and appointed an outside specialist with a history in law enforcement or regulatory investigation. Moreover, they said, Dixon’s budget is overseen by the Irish justice ministry, while other data regulators, like the U.K.’s, are financed through fees on the companies they oversee. That could make her, or any future chief regulator, more susceptible to interference by government officials, who have long cultivated close relationships with tech executives.

In 2014, Facebook’s chief operating officer, Sheryl Sandberg, personally lobbied Enda Kenny, then Ireland’s prime minister, over the selection of a data protection chief, according to emails revealed by the Irish Independent.

Now, just as some of its investigations should be wrapping up — with Dixon telling Bloomberg News in January that her office would announce decisions by midyear — the Data Protection Commission is launching an “international consultation on regulation strategy” that some critics fear will be an invitation for corporations to critique its practices.

Doyle said the agency will reach out to a broad range of as-yet unnamed parties to weigh in on how Ireland should apply regulation. Doyle declined to say whether those consultants would come from the tech industry, only specifying that the panel would be “international.”

The call for advice is symptomatic of what Dixon’s critics among privacy advocates, lawyers and other EU data protection authorities argue is a preference for resolving issues amicably over public enforcement actions, which Dixon, in speeches, has suggested might expose the regulator to extremely costly legal battles. It’s a reasonable fear in a place where the tech companies’ resources far outstrip the government’s. Google’s market capitalization, by itself, is twice the size of Ireland’s gross domestic product. Facebook’s is larger by about a third.

“Regulation is a particularly fraught area for a country like Ireland because they have less leverage [over companies] than a bigger country,” said Josephine Wolff, a professor of public policy at the Rochester Institute of Technology. “If Facebook announced tomorrow: ‘We’ve had it with Ireland, we are closing down our office,’ that would be a huge deal with political and economic consequences for the whole country.”

BRINGING SILICON VALLEY TO EUROPE

The story of how a country known for poetry and dark ale ended up in the unlikely role of global tech policeman stretches back to the aftermath of World War II.

As a neutral power, Ireland had emerged physically undamaged from the war but with a sputtering economy and bleak prospects. It had limited access to U.S. reconstruction funds from the European Recovery Program, or Marshall Plan, due to its neutral position, and no industrial base to speak of, thanks largely to Britain's long-held interest in keeping Roman Catholic southern Ireland in a firmly agrarian state. (Ireland won independence from Britain in 1919.) There was little chance of jumpstarting domestic manufacturing 250 years after the rest of Europe, so Irish leaders turned to the next best thing: nurturing ties with countries that had flourishing industries of their own.

Spurred on by an economist and central banker named Thomas Kenneth Whitaker, Ireland’s leaders oversaw an economic transformation starting in the late 1950s — away from protectionism, toward free trade and encouraging foreign investment. The most obvious partner was the United States, to which generations of Irish people had emigrated and whose Irish-origin population already far surpassed the population at home.

So began Ireland’s epic and enduring courtship of U.S. corporations. Via the Irish Development Agency, a powerful entity that acts as a sales office for the country, the Emerald Isle established missions across the United States, dispatching dozens of agents to start preaching the good word about Ireland to U.S. companies from New York to San Francisco.

One of these investment missionaries was Larry Mone, a former accountant who joined the IDA in the late 1970s because he was, in his own words, “really bad at” accounting.

After a brief stint in Chicago, Mone was sent out to join the IDA’s office in what was already known as Silicon Valley. In an office that overlooked a golf course, Mone and his colleagues spent their days trying to coax emerging digital giants — Microsoft chief among them — over to Ireland. Working from an alphabetical list of the important companies in the region, they spent their days cold-calling executives in an atmosphere he describes as “boiler room-like.”

Many positive voices for Ireland over the last few days including Sheryl Sandberg who I met on Thursday morning. pic.twitter.com/C6V1tUdgQs — Enda Kenny (@EndaKennyTD) January 21, 2017

“We had an almost messianic zeal to bring jobs to Ireland,” Mone, who’s now retired and lives in Palo Alto, said in a telephone conversation.

Mone’s section of the list covered companies with names from the letter G to the letter O and included giants like Microsoft and Intel, which would both go on to establish major footholds in Ireland. Apple set up its first manufacturing plant in Cork in 1980, setting off a wave of tech companies coming to the country.

The pitch, as Mone recalled, was “very simple.” Any product exported from Ireland would be totally exempt from taxation. That was later updated, under EU pressure, to a 10-percent flat rate that could be offset in other ways. When added to the promise of cheap labor, cheap land and an English-speaking workforce, this amounted to an almost unbeatable argument for locating sales operations in Ireland, because it would allow U.S. firms to reach hundreds of millions of European consumers without facing the heavy corporate taxes in France, Germany or even the Netherlands.

The IDA’s approach had other refinements, like inviting top tech executives over to Ireland for country tours during which they would be entertained, fed whiskey and “sent home punch-drunk, in love with the country,” according to Mone. It didn’t hurt that Ireland shares a common-law legal system with the United States.

But the basic argument — which remains Ireland’s unique selling point today, despite intensifying scrutiny of its tax practices by the European Commission — never varied: not having to hand over a significant portion of income to the Irish taxman.

“At the end of the day, these are profit-driven companies, and they go where the offer is the most profitable,” Mone said.

Data regulation wasn’t an issue at the time when most of the companies were recruited, but Ireland did everything in its power to create an industry-friendly landscape.

“Back in those days there really was not much thought given to regulation of the technology industry, more what could be done to foster its development and bring it on shore,” he said.

The pitch was so seductive that, over the next 30 years, Ireland morphed into what Mone calls “the 51st state of the United States.”

Google and Facebook both landed in Ireland during the first decade of the new century. While the highly advantageous tax arrangements they enjoyed came under pressure from the European Commission (Apple was forced to pay the Irish government $13 billion in back taxes that Ireland had neglected to collect), regulation was just starting to become a concern.

Ireland's 1995 Data Protection Act lacked significant enforcement mechanisms — so much so that Billy Hawkes, then the head of the Irish Data Protection Commission, had no legal power to apply any sanctions or penalties against the companies he was regulating in the years leading up to the Cambridge Analytica scandal. His successor, Dixon, herself acknowledged the lax culture in 2015, one year into her job, mentioning the problem of “forum-shopping” and perceptions that companies locate where “soft, incompetent or under-resourced regulators are.”

In the event that any regulatory issue should arise, as it did in the 2011 audit involving Facebook’s sharing of data with app developers, U.S. companies had a powerful insurance policy: access to top Irish politicians via direct contacts or through the American Chamber of Commerce Ireland in Dublin, which continues to play an outsized role in shaping the direction of Irish policy. Top tech executives had Hawkes’ cellphone number and could access him directly whenever they had a need, according to two people with knowledge of such calls.

This welcoming atmosphere explains why Facebook, in particular, kept doubling down on its Irish presence throughout the 2000s, according to Sandy Parakilas, former operations manager for Facebook who left the company in 2012.

“It was simply the country with the least regulatory scrutiny,” he explained in a phone conversation from Los Angeles, where he is now senior product marketing manager, privacy, for Apple.

That statement was put to the test during Ireland’s 2011 audit of the company. Prompted by a groundswell of complaints against Facebook, Hawkes’ deputy, Gary Davis, undertook what is likely to have been the most in-depth review of Facebook’s privacy practices ever. In his capacity as lead regulator not just for Europeans but Facebook users worldwide, Davis’ staff spent three months scouring the company’s machinery, including sending officers to its Dublin headquarters to investigate first hand.

His first report, published in December 2011, called for dozens of changes and upgrades to Facebook’s privacy practices, including its practices for screening third-party apps.

“We do not consider that reliance on developer adherence to best practice or stated policy in certain cases is sufficient to ensure security of user data,” the report stated. “This is not considered sufficient by this Office to assure users of the security of their data once they have third party apps enabled. We expect FB-I [Facebook Ireland] to take additional steps to prevent applications from accessing user information other than where the user has granted an appropriate permission.”

Parakilas, who was Facebook's “point person” on privacy matters at the time, said the criticism did not rile the company. Facebook responded to the audit in a “professional manner” but did not feel pressure to make fundamental changes, he said. When Parakilas tried to escalate concerns about the key critical findings in the original audit report, he was brushed off by senior executives.

At the time, Facebook expressed its concern about the audit to Irish officials, according to later testimony by Dixon before a government committee. Afterward, the Data Protection Commission appeared to go out of its way to give Facebook a clean bill of health.

In a 74-page follow-up report published in 2012, the commission declared that “most of the recommendations [have] been fully implemented to our full satisfaction.” On its call to improve screening of third-party apps, where major problems later emerged, the report stated: “Satisfactory response from FB-I.” A year later, Davis left the commission to join Apple as its chief privacy officer.

"They didn't go anywhere near as far as you would have hoped," Parakilas said, referring to the Irish commission. Parakilas, who left Facebook in 2012, added that he doubts Ireland’s approach to regulation has changed substantially.

“Facebook is certainly the one that has the leverage in that relationship,” he said.

Asked whether Ireland had done enough to stop the Cambridge Analytica scandal, Doyle said the commission had gone as far as it could, within its legal limitations, in simply flagging the problem with app developers and seeking changes to Facebook’s privacy practices. He pointed to comments Davis had made outside the report saying there are “still a number of items on which progress has not been as ‘fully forward’ as hoped,” although the issues flagged did not have to do with third-party apps. In 2017, Helen Dixon told an Irish parliamentary committee that Facebook “did not agree with the recommendation” for significant changes to its privacy rules in 2011, and that the changes were made only through an “iterative process” 18 months later.

Facebook disputes that account.

In comments to POLITICO, a spokesperson said that the company has “complied fully” with all requested changes, and claimed that the Irish regulator has never requested any changes that would have prevented the Cambridge Analytica scandal.

Hawkes, who at the time was the top Irish regulator, declined to comment on the matter, according to a spokeswoman at the International Association of Privacy Professionals, a nonprofit association that brings together people working on data protection. Gary Davis did not respond to repeated requests for comment and a spokesperson for Apple, where Davis now works, did not respond.

FACEBOOK FLEXES ITS MUSCLES

The years that followed Davis’ audit brought Facebook’s relationship with Ireland to new levels of closeness.

In 2013, the commission dismissed Schrems’ claim against the company over data transfers to the United States, calling the suit frivolous. The company then won an award of funds from Ireland’s national asset management agency — the so-called bad bank that took over assets on troubled lenders during the financial crisis — to build its Frank Gehry-designed headquarters in Dublin.

When the Cambridge Analytica scandal broke in 2018, the U.K. launched an investigation and fined the company, while Ireland merely issued recommendations. A few months after Facebook CEO Mark Zuckerberg appeared before the U.S. Congress and European Parliament to answer questions from lawmakers, the company announced the construction of a new 14-acre campus in Dublin and the opening of several new data centers in County Meath, north of Dublin.

As far back as 2014, the question of how Ireland would handle the new privacy rules under the GDPR was on the minds of Facebook’s leaders. As it happened, Ireland was in the process of choosing a new chief data regulator to replace Hawkes. Sandberg took it on herself to investigate the matter, lobbying then-Irish Prime Minister Kenny on the sidelines of the World Economic Forum in Davos and also at her offices in Menlo Park, California.

According to emails obtained by the Irish Independent via Freedom of Information requests, Sandberg wanted to know that Hawkes’ successor would be “as strong as” he had been in the role. But if the wrong choice was made, Sandberg suggested, there would be consequences for Ireland’s attractiveness as a destination for tech investment.

“The risk is that companies will revisit their investment strategies for the EU market,” she wrote in a June 2014 email to Kenny, adding that Ireland’s regulator should be a person who would “establish a strong collaborative working relationship with companies like ours.”

The choice of Dixon, a former Irish civil servant with a law degree but no background in law enforcement or regulatory investigation, was in line with Sandberg’s wishes. Before she became one of the most important privacy regulators in the world, Dixon had spent four years working for U.S. software company Citrix, followed by a stint at the business-friendly Irish Department of Enterprise, Trade and Innovation.

While the regulator’s statutes call for the appointment of three co-equal directors in order to properly separate the agency’s enforcement and adjudication roles, the other two were never named.

TJ McIntyre, a law professor at University College Dublin who sued the government over the process under which Dixon was chosen, complained that she’s “not coming from that investigatory and enforcement perspective.”

Instead, he said, Dixon was chosen to supervise the DPC’s development into a more substantial regulator than the one housed above a convenience store in Portarlington, building a bureaucratic structure rather than targeting specific issues.

In speeches and interviews, Dixon has emphasized the need to engage with tech companies to help them understand the law, rather than cultivate adversarial relationships.

“We are very committed to this approach of engaging with the multinationals,” she told the Irish Times in 2016. “We do firmly believe the way in which we work with them produces much better safeguards for data subjects.”

That approach yields good results in terms of compliance, said Bojana Bellamy, who runs the Centre for Information Policy Leadership, an industry-backed privacy think tank whose members include Facebook and Apple.

“I do believe that constructive engagement is incredibly important to build that trust,” she said. “Sticks and enforcement — that doesn’t create the best behavior in the marketplace.”

Ireland’s more conciliatory approach is now fueling tension with other EU regulators. After France’s data watchdog fined Google €50 million in January for failing to comply with GDPR, Germany’s prominent Hamburg data regulator told the regulatory analysis publication MLex that Ireland should be investigating the company. In a separate statement to POLITICO, the German watchdog underscored “differences” in the way Irish and German authorities interpret and enforce EU rules, singling out “face recognition techniques by Facebook” and the “exchange of data between WhatsApp and Facebook.”

“Unfortunately, it has not yet been possible to set up the data protection we have enforced in national court proceedings against Facebook at the EU level,” wrote professor Johannes Caspar, head of the Hamburg regulator. “After the transmission of user data between WhatsApp and Facebook was stopped, they [Facebook] took the entry into force of the GDPR as an opportunity to return to their former practice.”

Zuckerberg’s announcement of plans to merge WhatsApp, Facebook Messenger and Instagram messaging were also “reason for concern,” added Caspar, echoing the German justice ministry’s warning that such a merger would create a “monopoly” and call for enforcement of European antitrust rules.

While the Irish regulator said it would examine the implications of such a merger, France echoed the German concerns.

“In general, in relation to Facebook, you have a pattern where other regulatory authorities have been much more active and found themselves thwarted by the fact that Facebook was headquartered in Ireland,” said McIntyre, adding that “enforcement has been lax.”

Jimmy Stewart, an adjunct professor of finance at Trinity Business School at Trinity College Dublin, said less rigorous regulation is part of Ireland’s strategy.

Google, Facebook, Twitter and other companies like them make their money by harvesting vast amounts of data on users that is used to target them more precisely with advertising. Thanks to the data collected on Facebook, an advertiser can pinpoint categories of users down to hyper-minute criteria including their age, sexual orientation, health issues or political beliefs. This technology has allowed tech platforms to corner the global market for online advertising, turning them into juggernauts worth hundreds of billions of dollars.

But those dollars could disappear if regulators interfere with the tech giants’ ability to collect and hold that information.

“Regulatory arbitrage is an important part of the country’s arsenal” to attract tech companies “along with tax incentives,” Stewart said.

FEUDING OVER FACIAL RECOGNITION

Ireland’s handling of new technologies such as Facebook’s facial recognition tool will go a long way toward determining how seriously it intends to scrutinize tech companies.

Last spring, just as the GDPR was about to take effect, Facebook prepared to reintroduce its banned facial recognition tool, this time promising to ask users if they want the tool switched on, so that the platform could match their names to photographs of them posted by friends online. But when senior executives, including Chief Data Protection Officer Stephen Deadman, disclosed the plans to a small group of privacy specialists and journalists in Dublin, the meeting did not go exactly as planned, according to multiple participants who asked not to be named out of respect for the meeting's private nature.

The journalists and privacy watchdogs peppered the executives with questions about whether the tool violates GDPR principles, suggesting that Facebook may be unlawfully “processing” biometric data on users even if they chose to opt out of the tool, because the data is being gathered and stored anyway — a process that would go against GDPR rules.

"They are analyzing every photograph, even those where they don’t have permission, and their argument is this is not processing biometric data because they don’t take the final step of identifying the person,” said Dublin-based privacy lawyer Simon McGarr. “From a privacy standpoint, this is cloud cuckoo land.”

After a brief exchange, Facebook executives ended the meeting stating that they needed to catch planes, the participants said.

Facebook representatives told POLITICO last year that the meeting had gone as planned. They also said they had discussed the facial recognition tool with the Irish Data Protection Commission and not been informed of any concerns. Yet Doyle contradicted that account, saying that while no initiative was taken to halt the rollout, an “examination” — as distinct from a statutory investigation — was launched.

“It is standard practice to conduct an examination on this basis to determine whether a statutory investigation is warranted,” Doyle said in his email. “In the case of FB’s facial recognition facility, that determination has not yet been made.”

In the following months, Facebook was rocked by a series of scandals, data breaches and PR disasters that included Zuckerberg being grilled by lawmakers on both sides of the Atlantic, and the New York Times revealing the company had hired a public relations firm to attack critics, including by such dubious tactics as linking them to Hungarian-born investor George Soros.

Yet in Ireland, the going was relatively quiet. In early October, the commission announced the launch of its first official investigation of Facebook, over a data breach that compromised the private messages and data of an estimated 50 million users. The commission has since disclosed it is carrying out a total of seven investigations into Facebook, which Dixon told Bloomberg are all “substantially advanced,” and should lead to the first decisions being taken in “June or July.”

However, as of late October, it had yet to send any officers to visit Facebook’s Irish headquarters and was receiving its information mainly via “updates” from the company, which often coincided with the social network's disclosures to the public, a person close to the matter said. Asked whether any visits had taken place, both Facebook and the commission said such visits have taken place “in the past” but did not specify whether any had taken place in the past year. The last publicly disclosed site visits took place in 2011, under Billy Hawkes.

“We visit companies being audited or investigated when we need to, and regular meetings often take place in the normal course of our supervised engagement with companies at their premises,” Doyle said. “Such visits have taken place to Facebook Ireland’s offices in the past but we won’t be disclosing any details on these for operational reasons.”

For Daragh O’Brien, whose Castlebridge consultancy routinely carries out privacy audits on companies, not sending an officer to Facebook is the equivalent of “police investigating a crime from the donut shop.”

“You miss the opportunity for someone to grab you and tell you something they can’t do in writing ... It happens all the time, especially in the context of complex investigations,” he said.

Asked whether it intends to launch any probes into data-sharing by the various networks controlled by Google, the commission said that it gained jurisdiction over the search giant only on January 22 and still is not the lead supervisory authority for Google’s search engine and indexing service.

But Caspar, the German regulatory chief, said that Ireland has a responsibility to investigate any privacy complaint lodged in the European Union. (Google is appealing the French fine. In previous comments to POLITICO, a spokesperson for Google said the company had been under no legal obligation in 2018 to finalize the steps for its “main establishment” in the European Union.)

As for the scandals that rocked Facebook over the past year, Doyle pointed to the commission’s limited mandate as a regulator of data security as a reason to defer action or public communications. The spread of hate speech and the use of micro-targeting for online political advertising — both of which have been identified as major areas of concern by the European Commission — are outside its purview as a data regulator, Doyle said.

Yet such an interpretation of the regulator’s role and responsibility does not sit well with privacy professionals. In addition to being responsible for compliance with data protection statutes, Dixon and her staff have an “ethical duty” to lead debates on where and how regulation should be applied in response to emerging issues, O’Brien said.

“It’s not just about the letter of the law, but also anticipating where problems may be coming from,” he said, adding that the next big problems would crop up if and when facial recognition technology is combined with targeted ads to beam commercial messages at people in public spaces. “The sort of scandals and breaches we’ve seen over the past few years are just a prelude to what may be coming as 5G [next generation] networks come online.”

I’m continuing to report on data privacy issues with Big Tech. If you have a tip for me, you can reach me at nvinocur@politico.eu.

Ask us anything about this investigation

We’re hosting a Q&A with reporter Nicholas Vinocur this Friday, April 26 at 5 p.m. CET. Join us on Reddit over in r/IAmA.