Apple and beyond: Irish data chief prepares for serious business ahead
As it gears up for an audit into Apple, Ireland's Data Protection Commissioner says her office has been strengthened in the last 12 months. And with tough new fines on data protection to commence soon, Helen Dixon tells our Technology Editor that we will shortly stop treating data privacy as an afterthought
Adrian Weckler (AW): Your office has been saying for a while that it was considering an audit into Apple's data transfer activities. Is that imminent?
Helen Dixon (HD): Yes, we're now gearing up to undertake this. We've identified a very specific risk recently that came in through a complaint from another data protection authority and we've decided to scope an audit specifically around what's at issue in these complaints. That will commence in the next couple of months, by the Autumn time.
AW: What will the audit focus on?
HD: I don't want to get into it in too much detail until we've spoken more to Apple about it. But this is something substantive that we want to look into. It's an area that will affect lots of data subjects, probably anyone who uses an Apple device.
AW: You also announced that you have commenced an audit into the software company Adobe, which has an international base in Dublin. What is this about?
HD: This is specifically focused on the way that data is being collected and passed back through Adobe's Digital Editions. [Ed's note: Digital Editions is an ebook reader application.]
AW: In your annual report, you said your office has dealt with "misapprehensions" abroad about Ireland's commitment to holding tech multinationals to account. What did you mean?
HD: There have been several misapprehensions. One is that the Irish government was deliberately not investing in data protection and was more interested in multinationals and jobs. I think we have very much countered that by demonstrating the commitment of government to funding the office and the opening of a Dublin premises.
AW: How many people does the office have now?
HD: We have 54 now, which is almost double our previous number, and we'll be at 60 when the current recruitment round is complete.
We're looking at doubling that again, to around 120 staff, as we start implementation of the [EU] General Data Protection Regulation in 2018. And we think we will continue to build from there. As the 2015 annual report shows, there's an enormous about of very important work to do.
AW: Do you think that will put to rest other criticisms levelled at the Irish office?
HD: I think that these challenges of misapprehension are largely behind us, partly because of a campaign of information we undertook.
For example, there were also accusations that Ireland's data protection authorities transposed the [original EU] 1995 directive in a way that was entirely different to how Germany might have transposed it. We've been able to explain that this is factually incorrect.
Differences in privacy law and legislation are differences that don't fall under the EU framework.
For instance, German regulators were bitter that we wouldn't force Facebook to allow anonymous users register on their social network platform. And they talk about how we sided with Facebook in terms of the need to operate under a real name policy. And they say this in breach of data protection legislation.
But that was only German law. It's not law that derives from the European framework. So I think that we had misapprehensions which had taken hold that somehow there was something lesser here, that we took data privacy less seriously, that we weren't professional as an office or that we didn't have the resources or the skills in the office. We're going out now and representing the counterview to that.
AW: Nevertheless, multinational tech companies like this office. They regularly cite a favourable data protection climate as a reason they like settling in Ireland.
HD: Well we would take that as a positive. We're extremely committed to an engaged approach of regulating multinationals. There's no point in shooting fish in a barrel by letting these companies contravene European data protection law and then go after them, slapping a formal notice to say they've contravened the data protection acts. That approach serves no-one's interests, least of all the data subjects of Europe.
Other regulators in Europe do have a different view. They believe in regulating from behind a wall. They believe that there's automatic capture if you have a conversation with industry. But we simply don't think that that type of approach stands up to any type of scrutiny. We have principles-based, high level legislation that needs translation.
And in order to do that translation and to protect privacy rights in these novel and innovative scenarios, you have to understand what these companies are doing. You have to have technical people who come from a coding background and that understand exactly what is happening to deliver the outcomes.
These internet companies value a view from the Irish data protection authority as to what is compliant and what is not. They know that we're not going to agree with them where the evidence shows a lack of compliance. But I think they value the interaction. And I think it encourages them to more proactively engage with this office. Because contrary to the views expressed in some quarters, they are actually trying to be compliant. Yes, of course they don't want to have to modify their global services when rolled out in Europe. But at the end of the day, they also know that there's no choice about compliance. So we believe, and we're demonstrating, that our approach delivers.
AW: How often do you advise multinationals in this way?
HD: It's constant. It's week-in, week-out. We had Facebook in here last week at a face-to-face meeting. Their service is adjusting itself at a very, very rapid pace. They're introducing new elements to their service, such as Facebook Moments for photos and new privacy policies. They're acquiring companies. They're implementing banners for cookie notifications.
AW: Facebook is one of the companies the Irish Data Protection Office took most heat for in relation to a 2012 audit of the company. Are you satisfied now that it is fully in compliance?
HD: We can never say that we're fully happy a company like Facebook is in compliance. On any given day the target is moving and we're working on keeping pace with that target.
AW: Facebook is also at the heart of a court case - the Max Schrems data privacy case - that is gathering huge momentum, with many civil liberties groups, industrial lobbyists and even foreign governments seeking to become involved. What do you think will happen in this case and why do you think so many groups are interested?
HD: I think one of the reasons that so many groups and organisations want to join the proceedings is that there's a real desire on all sides that the High Court in Ireland is in possession of all the relevant facts when it looks at this. That means that there needs to be more than just the Snowden revelations from 2013 in front of the court. It needs to hear the facts fully so that if a reference is made to the European Court Of Justice, the High Court is getting a more complete picture.
AW: Is the proposed new 'Privacy Shield' data transfer treaty between the US and EU a lame duck? It has many critics, including the European Data Protection Supervisor, Giovanni Butarelli, and your own Article 29 Working Party of European data regulators. It seems to fall short of the standards set by the European Court of Justice when it struck down the 'Safe Harbour' agreement.
HD: It is a mess. There's an effort to try and square the circle of whether data flows can go between the EU and the US and we're not yet sure if that circle can be squared. We've studied the ruling in the Schrems case very carefully. The essence of a fundamental right is that bulk collection cannot ever be justified. Privacy Shield leaves a doubt that in some cases, there will be bulk collection. And that needs to be clarified which is what we've called for.
There's also an issue around whether the US ombudsman will truly be independent if she's sitting in the US State Department and the President can fire her. But the solutions will have to be political because the frameworks [between EU and US] are never going to be the same as one another. So there will be trade-offs.
AW: What trade-offs?
HD: I think Europeans have a fundamental right to have their data privacy protected. They also rights to freedom of expression and consequent rights to access digital services. And we won't be thanked if, ultimately, the result is a degradation of services in Europe or the pulling out of certain services in Europe. But it's not something we're in control of. This needs a political and legal solution.
AW: But what does that mean for companies who want to know right now where they stand with regard to the legality of data transfers? What are they supposed to do?
HD: I think, for the most part, that companies will continue to rely on standard contractual clauses. Until the court takes any action on them, they remain a lawful mechanism for transfer. Companies really have no other choice at the moment. Safe Harbour is gone, Privacy Shield hasn't yet been enacted. Legal certainty will only come as these matters play out in court. As for comments that we hear about building data centres in Ireland, that is not an option for many of these internet multinationals. So there is no choice but to transfer if they want to keep the service going.
AW: So companies are on their own with no guidance? Doesn't an advisory role fall back onto your office?
HD: No, that isn't our role. We would see the European Commission in that role and the member states in terms of being the legislators of Europe along with the Parliament. We might get asked as a data protection authority but we can not propose solutions to this either politically or legally. It's not our role.
AW: A prominent privacy organisation, Digital Rights Ireland, says that it is challenging the independence of the Irish Data Protection Office because it operates too closely to the government. How do you respond to this?
HD: I'm aware that they announced that they were taking a High Court case but they certainly have never filed any court papers about it. My understanding is that it's a challenge to the state rather than the Data Protection Authority itself, that the state has failed to provide for the office's independence. But we would see no evidence to support any such assertion.
We operate independently of government and under a legal framework. We also operate independently of industry and of people who jump up and down and trumpet loudly on social media.
We don't take the path of least resistance on any issue. We think and act independently and we'd simply be running ourselves around in circles if we were second-guessing what industry, government or anyone else wanted us to think about any issue.
There did seem to be a suggestion that staff at the office of the Data Protection Commissioner are civil servants. But in every other European country the data protection authority is a public authority and in many other European countries it operates under the ministry of Justice. There's nothing unusual about the Irish setup.
It's also worth noting that in over 20 years of European data protection legislation, there have never been any question marks raised about the Irish Data Protection Authority despite the European Commission taking enforcement action against Hungary, Austria and Germany. So I think it would be rather surprising if question marks were to be raised about the Irish office now.
AW: In two years, the new General Data Protection Regulation (GDPR) will put much bigger duties on companies and other organisations in relation to handling data privacy. And your office will also get new powers to fine offenders without bringing them to court. Do you think Irish organisations have copped on to this yet?
HD: I think Irish companies are in for a bit of a shock. Mouths are hanging open when we present the headlines of what GDPR comprises. I certainly think it's going to change Irish attitudes toward data privacy. Companies will now have to implement new accountability requirements. This means they will have to inventory all of the data processing that their organisation does, which itself is going to be a big task for some of them.
Under the GDPR, we're going to have a lot more powers and there are going to be a lot more enumerated offences. We're also going to acquire this administrative fining capability. So all of that is going to add up to a step change in the data protection landscape, and in the compliance that organisations are going to have to deliver.
AW: Will it be a big additional cost for companies to bear?
HD: I think there will be additional costs for them, even to do that inventory and meet the accountability requirements. All public sector bodies will have to have an appointed data protection officer. While many have this already, this will be a new concept for a lot public sector bodies and government departments. And there will be a cost. But it's going to mean we'll be able to audit much faster. Because instead of going and pulling teeth trying to establish what they have and what they're collecting, they will have had to have implemented the accountability requirements and we'll be able to do much swifter desk-based audits. We'll be able to identify the risks much quicker.
AW: Will you continue to stop Dublin City Council publishing 'name and shame' posters of people it says are illegally dumping rubbish because of data privacy concerns?
HD: We're not saying they can't [publish the posters] but it wasn't clear to us that a proper analysis had been done before this solution was proposed. Our aim is not to stop Dublin City Council cutting out what is a horrible problem in the north inner city of illegal dumping.
Our aim is ensure that they do it in a way that protects people's individual privacy rights. We'd like them to demonstrate to us that they've met a high bar to justify this type of interference. We want to make sure that no innocent third parties are being caught in CCTV footage.