The Irish Backdoor

It’s not a gay bar in Dublin, the Irish Backdoor, sorry if that’s why you clicked on this blog.  It’s how non-EU companies, like tech companies from the US and China, use the “one stop shop” mechanism to evade the privacy regulations of 26 countries to be regulated instead by the Irish regulator, the gentle golden retriever of privacy enforcement.  

I am expanding on my blogpost below.  But now I’m revealing something new.  How most of the non-EU companies, like tech companies from the US and China, have no legal right to assert a claim to be regulated by the one stop shop.  Fiction or fraud?  Let me explain.

Legally, a non-EU company can only claim the benefits of the one stop shop if the decisions regarding data processing in Europe are made there.  

Let me suggest a reality test.  Most companies from outside the EU claim to benefit from the one stop shop in Ireland if they do the following:  1) create a corporate entity in Ireland, 2)  write a privacy policy (or ask ChatGPT to write one) that tells users that the Irish corporate entity is the “controller” of their data in Europe, and 3) has some minimal presence in Ireland, like appointing some employee as a “data protection officer” for the entity.  All this can be done in a day, and with a tiny local Irish staff. But…does this meet the legal test?… that the data processing operations in Europe are being decided by this Irish entity?

Most tech companies build products in their homes, Silicon Valley, China, etc.  They then roll out these products globally.  Usually these products are identical worldwide, except for language interface translations.  In those cases, does anyone really believe that their Irish subsidiaries are really the decision-makers for how the data will be processed for their services for their (millions) of European users?  Perhaps that is the case for a few large non-EU companies with large operations in Ireland.  For all the others, it’s hard to believe.  

Maybe it’s an innocent fiction for a company from China or the US to claim it is “established” in Ireland to evade the privacy laws of 26 EU countries with millions of users.  Or maybe it’s a fraud…?

(Final note, as a former employee of Google, I must point out that nothing in this blogpost is meant to suggest anything regarding that particular company.  Google has a huge workforce in Ireland).

Meanwhile, non-EU companies are getting an easy ride in Europe, while their EU company competitors aren’t.  I just don’t think that’s fair to EU companies or to EU users. 

Why does every US and Chinese company want to go to Ireland?

Ireland is one of the biggest winners of the EU 27 construct.  It has established itself as a tax and regulatory haven for foreign (non-EU) companies.  Virtually all Chinese and American companies, in particular in tech, rush to “establish” themselves in Ireland.  In exchange, they get to pay a low corporate tax rate (even if their users and their money is made in the other 26 EU countries) and they get to benefit from the light-touch privacy regulation of Ireland.  

You’ll recall that Europe’s tough (on paper) General Data Protection Regulation of 2018 created the concept of a one-stop shop for foreign companies.  So, any Chinese or American company could pick one of the EU countries as its “establishment”.  Of course, they all picked Ireland, given its universal reputation for light-touch tax and regulation.  It is entirely a different debate about why/how Europe made this blunder:  in effect, it gave a massive advantage to foreign companies over domestic European companies.  A French/Italian/Spanish company would be regulated by their domestic French/Italian/Spanish regulators, who take privacy seriously, and would sanction non-compliance.  But a Chinese or American tech company would do business in all those countries, while benefiting from the Irish regulatory culture, as gentle as an Irish mist.  

Occasionally, a European regulator would try to take on an American or Chinese company in the field of privacy.  https://www.cnil.fr/en/cookies-placed-without-consent-shein-fined-150-million-euros-cnil

But this action wasn’t based on the core European privacy law, the GDPR, but on a rather obscure law about other things.  

The Trump administration has defended American companies in Europe against what it claims are discriminatory regulatory actions.  https://www.lemonde.fr/en/international/article/2025/09/06/eu-commission-reluctantly-fines-google-nearly-3-billion-despite-trump-threat_6745092_4.html#  It was therefore not a surprise to see the French regulator announce fines at the same time against one American and one Chinese company.  But it is surprising to see the Trump administration rushing to defend one of the most Democratic-leaning companies in the US.

Indeed, Europe does discriminate, in the field of privacy, in favor of non-EU Chinese and American companies, due to the one-stop-shop Irish backdoor.  One can only assume European dysfunctional politics led to this absurd result, from a European perspective.  Hundreds of millions Europeans depend on a small Irish privacy regulator to ensure that the gigantic American and Chinese tech companies respect European privacy laws.  Hilarious.  

All of this might seem like trivial corporate politics, but the consensus is growing that humanity is allowing the tech industry to put us (I mean, our entire home sapiens species) on a path to doom.  https://www.theguardian.com/books/2025/sep/22/if-anyone-builds-it-everyone-dies-review-how-ai-could-kill-us-all  Even if we’re doomed, can we at least put up a fight?