Saturday 19 August 2017

Data protection boss vows she will use new powers to fine firms up to €20m

Helen Dixon tells our technology editor what companies can expect

Data Protection Commissioner Helen Dixon. Photo: Adrian Weckler
Adrian Weckler

Data Protection Commissioner Helen Dixon is at the centre of a lot of things. As well as being the country's watchdog for privacy abuses by government departments and local companies, her office is also responsible for regulating Facebook, Instagram, WhatsApp, Twitter, LinkedIn and other global mass-market services.

Things are about to get even busier. The new EU General Data Protection Regulation (GDPR) gives her office the power to issue fines of up to €20m or 4pc of a company's annual turnover. As she tells Adrian Weckler, they are powers she intends to use.

Adrian Weckler (AW): Are you willing to go the full distance in fining companies €20m?

Helen Dixon (HD): Yes. We have to be willing to. The legislature in Europe provided for fines up to that level because they believe in certain cases it may arise. Presumably, it would involve many users. But it's absolutely the case that we will be imposing fines against big and small entities based on the issues that come across our desk and the areas of risk we identify. There's nothing surer than this.

AW: Will there be any leeway to ease companies into the new, stricter punishment regime?

HD: No. There's not going to be any amnesty or first or second chances. On the other hand, the GDPR does set out criteria when we go to look at the quantum of fine we might impose.

We are obliged to take into account the level of co-operation between us and the regulated entity, the number of data subjects, the level of effect on the data subjects and any previous contraventions. But not an amnesty period of any description.

AW: The GDPR doesn't take full effect until May 2018, which is over a year away. But in one case highlighted by your office, Paddy Power paid a €500 charitable donation for having turned its customers' wifi usage into spam text messages. What will make companies like that worry about further data privacy violations?

HD: Well remember that in the future, under the ePrivacy regulation which is currently in draft form, the same sanctioning powers and administrative fines powers as exist under the GDPR will be given to regulators.

So in the case of Paddy Power, rather than us bringing a prosecution to court and having a judge impose that charitable donation, we will be levying the administrative fine in that case. And we will be able to take into account any previous breaches by Paddy Power and all the other criteria that we're obliged to take into account. We will then be able to levy a fine that is proportionate, effective and dissuasive in that case. So actually the game is changing. The powers we'll have under the GDPR, both to fine and to promote the fact of the fine and the reasons for it, are going to change behaviours.

AW: You have been very critical of some government bodies over lax standards of data-privacy implementation. If these bodies are exempt from fines, is naming and shaming them really enough?

HD: Actually, there's a huge fear of being named and shamed. Many public sector organisations ask us fearfully toward the end of every year 'Are you going to mention that in your annual report'?

They certainly don't want to be named and shamed. There are repercussions in terms of public trust. There may also be repercussions in terms of the political system leaning on departments that are poor in implementing data protection law in terms of the responsibility that ministers have for those departments. No minister wants to see poor implementation that's not in compliance with the law. So, actually, I think naming and shaming is enormously effective.

It looks likely that the Irish State will legislate for a position where pure public sector bodies that don't have competitors in the private sector will not have administrative fines levied against them. Rather, they would be subject to the equivalent sanctions, including the ability for us as a regulator to highlight any deficiencies that we find and to investigate and to set out why we're naming and shaming them effectively.

AW: What is the problem with State bodies when it comes to data protection anyway? Do you think you need a bigger regulatory stick in relation to public sector non-compliance?

HD: It's a number of things. There has been a lack of awareness of the centrality of data protection law.

But we do see some evidence of positive moves on the part of certain government departments. For example, one big department we deal with a lot is the Department of Social Protection. It has now appointed a full-time data protection officer. That's a statement of intent and an appointment of substance in terms of improving the situation. In general, we can see evidence that awareness is growing, particularly since the Court of Justice of the EU began to issue important rulings over the last six or seven years on data protection issues. So, to be fair to public sector bodies, this is a relatively new area of law. Technology has impacted it massively and is doing so every day.

AW: But you have criticised attempts by the Government to make your office responsible for functions that individual departments should be across.

HD: I think you're referring to the Health Information and Patient Safety Bill. That related to provisions where if health researchers were unable to obtain consent they would make a reference to our office and pay us a fee for us in some way to override that consent.

We took the view that legislation for a role like that impugns the independence of the office. The obligations of data protection under the legislation fall on the organisations themselves, so we can't be inserted to render those organisations accountable.

But the point I was making in terms of an attitude among public-sector bodies is broader than that one case. It relates to a general lack of analysis when legislation is being proposed around the necessity and proportionality of personal data processing. It's a lack of analysis at the policy proposal stage that we're seeing again and again.

AW: You announced that your office will expand from 70 people this year to 130 in the next two years. How do you assess the level of resources that you have? Is it enough, given the expansion of services like Facebook and the imminent arrival of the GDPR?

HD: As data protection regulators, we're unique in the regulatory landscape in that we supervise almost every type of entity. So there's always going to be a limitation, no matter how big a data protection authority you are in terms of the quantity of entities you can supervise at any one time.

That's why prioritisation and identification of the risks that are emerging are important. So when you ask do we have the correct quantity of staff now, I believe we are building the correct profile of skills in terms of the organisation that we have. The 65 to 70 staff that we have in situ today is better than the 26 that we had in 2014 when I came on board. We could do with more, we're going to get more and we're going to build more. What's going to be important when we have up to 130 staff is to pinpoint those high risks more carefully and prioritise resources.

AW: But you could still use more staff?

HD: Our nearest counterpart [UK ICO office] has about 450 staff. All of them are busily occupied every day. If we had more resources, we could do more supervision, more simultaneous audits and more inspections. We could also issue more guidance more rapidly.

But we all live in some form of political reality where choices are made about resource allocation. So what's evident to us in the conversations we're having with other regulators in Europe is that the Irish government is rather uniquely committed to building up a strong independent data protection authority and has committed the resources to us over the last few years, making public noises around the commitment of further funding. Other regulators in Europe are having a lot more trouble in terms of persuading their governments that this is an area worth making the investment in. The GDPR law is strong now and we need to make sure that regulators are well resourced.

AW: What's your view of how Privacy Shield, the successor agreement to Safe Harbour, is panning out?

HD: It's generally accepted that it's a big improvement on Safe Harbour. There are clear and demonstrable improvements.

If you look at the website of the US Department of Commerce, there are now over 1,900 companies that are self-certified under Privacy Shield. So there's much better transparency. But an important facet is that it's not going to be a static report. It's going to be reviewed. This year, the European Commission will lead the review, with input from the Article 29 Party.

That review is critical given the lukewarm reception given to Privacy Shield when it was agreed by the Commissioners last July. That review is going to be very vigorous.

AW: But every month we hear of questionable new developments in the US, including security agencies sharing information or the rolling back of laws that stopped internet service providers from selling customer data without consent. Doesn't that jeopardise Privacy Shield?

HD: Those things you reference in the US will create some doubts. They will feed the types of questions that we're asking US authorities.

AW: It feels that US authorities still don't in any way take data privacy as seriously as European authorities. What's going to happen with this process?

HD: I don't think the comments you've just made wouldn't be shared by the Commission. [EU Justice Commissioner] Vera Jourova was over in Washington recently pushing the US authorities on the very issues you raise and questioning how seriously they're taking Privacy Shield and its implementation.

All of those issues are going to give rise to very careful analysis. There are assertions we want to put to them about how seriously they're taking it and this will then feed into the outcome of the review.
