Ireland's new data chief: forget about the light touch
Last year, Helen Dixon was appointed to one of the most influential internet regulatory jobs in Europe. As Ireland's data protection commissioner, she oversees much of the continent's active regulation of giants such as Facebook, Linkedin, Twitter and Google. But Ireland's reputation as Europe's data sheriff has taken a battering from some European quarters in recent years. So what are her priorities for her five-year term? Adrian Weckler talked to her about some of the big issues
Adrian Weckler (AW): In recent months, critics such as the German interior minister and Austrian privacy campaigner Max Schrems have been very critical of Ireland as a data protection environment. There appears to be a view in some European quarters that we can't be trusted as a one-stop shop. What is your response?
Helen Dixon (HD): This commentary and narrative comes from very specific sources. It has somehow gained traction and it is reiterated again and again. But if you analyse it, you've cited the two very specific sources from which it comes.
You say there's a view. But it's a view articulated from very specific quarters. I don't even know if it really is their view. Frankly, some of what I've read in respect of Ireland on this issue really beggars belief. It also doesn't stand up to any analysis and there's no evidence for what's asserted in most cases.
AW: So you'd refute the assertion that Ireland is a light touch when it comes to data protection regulation?
HD: Yes. I mean if you ask for evidence upon which that's based, you'll be cited very specific examples. And if you take the time to critically analyse those examples, it's my view that it doesn't really stand up to scrutiny. And I think there hasn't been an awful lot of scrutiny of these comments that have been thrown out. Now to be fair, I think there have been challenges with resourcing for the data protection commissioner in Ireland. If somebody wanted to criticise us for insufficient resourcing, my own view is that I think there has been insufficient resourcing.
But I don't think that's been deliberate or that it's been left under-resourced for a reason, which has been one of the allegations. I think the government has now reacted to that resourcing challenge. Some might argue that it's later than it should have been. But nonetheless, the Government is now increasing the resources, it's increasing the staffing sanction levels and I believe we've a very good chance now of truly getting on top of the workload which is very significant. That includes technical audits of companies.
AW: Do you think that concerns over Ireland being a 'one-stop shop' for Europe's data protection issues had anything to do with the advancement of a new European Data Protection Board, which will now be the ultimate arbiter for data protection decisions on appeal from individual data protection authorities?
HD: My personal view on it is no. The concept of the European Data Protection Board was in an original 2012 proposal of the EU Commission before some of this stuff began to gain traction. I haven't heard before that the European Data Protection Board was invented as a counterbalance to Ireland. The idea of bringing in a pan-European regulation is not just about Ireland. Remember there are massive data controllers, including big banks, in other European countries.
AW: If there is little substance, why do you think Ireland is tagged with this brush?
AW: How is your relationship with other European data protection commissioners?
HD: I've a very positive relationship with them. When I speak I'm listened to. We have good cooperation with them. They may disagree with us, they view certain things differently to us. From a cultural perspective they view things very differently to us.
AW: What about the IT giants in Ireland? Could Facebook be audited again? Or because it was audited recently does that rule it out being audited again?
HD: No, of course it doesn't. That audit gave us a baseline but, depending on the speed at which a company like Facebook is evolving with its services, another audit may be advantageous. The amount of changes to Facebook's service in the background are enormous, as are the amount of mergers and acquisitions they're dealing in all the time. In fact, we could fill a couple of more audit reports from the work we've done since the published [Facebook] audit. Companies like this one are evolving at such a rate that is very hard for us to give the public visibility of everything.
AW: Isn't Facebook almost like a utility now? Most metrics show that between 60pc and 70pc of Irish people now have a Facebook account, with half using it every single day. Does that give it extra importance for an office like yours?
HD: I'm not sure we are at the point where it could be regarded as a utility. Regardless, the quantity of personal data that they're processing and the ways in which they're doing it mean that they're constantly in our scope. And I don't see that changing.
We have weekly, if not daily, contact with Facebook in terms of its service and in terms of queries that we ourselves have. We are permanently looking at issues such as whether notifications of cookies on opening pages are sufficient to cover everything that happens downstream. Or what the quality of consents, and where they've been obtained, cover and whether they are sufficient. At any given moment in time, we have many, many open queries with Facebook. And they engage with us on them.
AW: What about other big firms? Twitter has just changed its terms and conditions to legally make Ireland its international home for its data activities. Does that move automatically put Twitter in line for a potential data audit? And if so, when?
HD: Well, we would always have seen ourselves as responsible insofar as Twitter has a large headquarters here in Ireland. So there's no major change in terms of being responsible for complaints.
Indeed, I have already had engagement with Twitter in my first couple of months in the role and have made queries to them in terms of the types of controls users have over their data in Twitter. But in terms of who we decide to audit, I can't necessarily say that any given organisation automatically, procedurally goes onto our list.
Over the last number of years we've audited about 40 organisations. The ways in which we decide to audit companies are based on whether we're seeing a significant volume of complaints in respect of a sector or a particular organisation. Or sometimes we may read media reports that trigger a risk in our mind and we decide to look at an organisation.
We might decide to audit them on the basis of the data volumes that they hold, or we may come into possession of other information, perhaps through our contacts with other EU regulators. As for Twitter itself, there hasn't been any significant volume of queries or complaints in respect of their service.
AW: What's happening to a previously planned audit of Apple?
HD: It is still the intention of this office to audit Apple as well as Yahoo and Adobe. This is a continuation of the schedule of audits of tech multinationals here. The delay is down to this question of resourcing.
Audits are incredibly labour intensive, both for us and the organisations we're auditing. Nevertheless, we learned from auditing Facebook and LinkedIn that the process pays huge dividends.
These are complex companies in how they process large quantities of personal data. We found that the only way to really understand them and to get a baseline of what they're doing is to go in, get in under the bonnet and work with their engineers and their legal people. And that's how you find out in a very detailed way how their services operate and how they're processing data.
AW: This office has had harsh things to say about a lack of data protection care in some government departments, particularly the Department of Social Protection. Are you happy that such departments are improving their standards?
HD: I wouldn't be speaking about happiness at this point. There remain very big challenges in terms of public sector handling of data. It's a big focus of my five-year term to work with the public sector to try and start delivering better outcomes. Because there have been significant issues and there will continue to be.
AW: Can you give me an idea of what kind of issues you're talking about?
HD: I think you've seen some of them played out already. If you take Irish Water and PPSNs, the issue wasn't about a legal basis for collecting the PPSNs. The issue there related to how they communicated it to members of the public. And how their fair processing notice or their privacy notice set out what it was they were doing in plain English.
In other words, what they were using the PPSN for, what they weren't using it for, how long they were going to retain it and so on.
So in some cases the issues can be around communication.
AW: What about the primary online database? What's your view on that?
HD: There have been some issues there and that continues to be worked on by the office.
AW: But is it in compliance now? Or is it heading for compliance?
HD: I can't really give you much detail on it because we're in the middle of a process on it. But we have identified issues with the initial rollout of it and we're continuing to work with the Department of Education on those.
AW: When might that be resolved?
HD: I think we've made very good progress. They've announced changes in respect of features like retention. They've reduced the retention period from 30 years to 19. I think we'll have culminated the work we're doing there very shortly.
AW: So we should see some sort of resolution one way or the other to it soon?
HD: Yeah. I'm deliberately being cagey with you in terms of what I discuss in terms of the primary online database because I don't want to prejudice anything we do and I don't want to jeopardise any of the outcomes that we're on the verge of delivering but I appreciate it's difficult for you to understand what I'm talking about if I don't give more detail.
AW: What about the physical office? Much fun has been poked at photos of a Centra in Portarlington. How is the expansion going?
HD: The Government has announced a doubling of the budget of the Data Protection Office for 2015 so we have a budget of €3.6m this year and we also have sanction to immediately bring on board 18 new staff. That process is well under way at this stage. There are 30 staff at the moment, including me. We'll be up to 49 by the time we complete this current phase of recruitment. It would then be our intention to seek sanction for further recruitment once we've absorbed and brought in the cohort of 18 and established the Dublin premises. I anticipate that we will require additional staff and I would anticipate the Government will listen to us when we set out a business case for recruiting additionally.
AW: How has the introduction of the 'right to be forgotten' from search engines been from your office's point of view?
HD: If you look at the European Court judgement from last year in the Google Spain case on the so-called right to be forgotten, that's resulted in its own separate stream of complaints now into our office where individuals have made an application to Google to have search results delisted; Google has refused based on the criteria they've published and a complaint then comes into our office, so we're going to have more of those separate streams of complaints.
AW: Have you received many complaints?
HD: We've had about 30 complaints of refusal to delist. These are people who have gone to Google, gone through a very comprehensive process and Google has refused. We then take up the complaint on the person's behalf.
AW: And have any of them been resolved yet?
HD: Quite a number of them have been resolved. In a number of cases, having analysed the complaint, we have concurred with Google and have understood the reasons why they refused the delisting request. In a number of other cases, we have disagreed with Google and have set out our views before liaising with Google and then seeing the issues resolved to the data subject's satisfaction. We've had several face-to-face meetings with the team at Google that's dealing with these issues. They would pay great deference to any analysis we've done where we don't think the right decision has been made.
AW: But it has not yet reached the point of disagreement leading to enforcement on Google?
HD: No, the engagement has been positive. We could ultimately be in a position where we would have to serve an enforcement order on Google to comply with our decision. But we haven't reached that point yet. It's not my impression that Google is trying to die in any ditches over cases ... They don't roll over just because somebody objects to a delisting. So they are resolving them based on transparent and published criteria, as we are also.
“Another audit may be advantageous.”
“[Most criticism] doesn’t stand up to scrutiny.”
“I think there has been insufficient resourcing, but he government has now reacted and is increasing the resources.”
“The issue wasn’t about a legal basis for collecting the PPSNs. It related to how they communicated it.”
Primary Online Database
“We have identified issues with the initial rollout of it… we’ll have culminated the work we’re doing there very shortly.”