Privacy setting: Irish watchdog ready to step up the global battle to keep data safe
With two months until the EU's GDPR privacy law comes into force, Data Protection Commissioner Helen Dixon faces her busiest year yet. Adrian Weckler asks her about dealings with Facebook, fines, national identity cards and US spies
Adrian Weckler [AW]: A criticism your office - and that of your predecessor Billy Hawkes - has faced over the years is that it adopts a collaborative or consultative role with the biggest tech companies in Ireland like Facebook and Google compared with other data protection regimes.
Helen Dixon [HD]: I'd go further by saying that I don't think there's anything wrong with a consultative approach. I would go so far as to say it's absolutely necessary. And this is well-documented in terms of theory of regulation, and particularly in relation to regulation that's based on a principles-based framework law.
The academic Julia Black, from the London School of Economics, talks about something called regulatory conversations. And regulatory conversations are absolutely essential, in terms of allowing organisations to set out their understanding of the principles, define the very specific circumstances in which they need to apply those principles of data protection law and seek guidance from the regulator in relation to how they're applying the principles. So, even Article 29, which is the grouping of European data protection authorities, has moved now in this direction of consultation.
In fact, the general data protection regulation obliges the successor to Article 29, the new European Data Protection Board, to consult. So consultation is absolutely necessary because otherwise you have just got very generic and laudable principles, but you've no means of applying them to the real world.
AW: But what about specific services or specific new features that a company like Facebook will want to introduce? They may want to see whether it will pass muster with their lead European regulator. Does this happen and how often does it happen?
HD: It does happen and it happens very regularly with the big companies that we supervise. As I said to you before, they're going through so many mergers and acquisitions, they're adding new, big and significant products at the rate of knots in some cases. So we have very frequent contacts with these companies over the last year, especially in the run-up to GDPR. There are all sorts of examples.
So they may consult us, and our consulting is currently in relation to their new transparency notices, their privacy notices, how they're going to display them on different devices. And they will take all sorts of guidance and feedback from us in relation to whether we think it hits the mark that the GDPR intended, whether the notice is too inaccessible at any point as an individual navigates the service, whether there is insufficient information provided up-front and too much being left for in context notices to the user. So, we're providing that sort of feedback on an ongoing basis.
AW: Last year, you spoke of increased resources and an eventual doubling of your office's headcount. Since then, though, we've had massive expansion in the tech companies already here and dozens more big tech firms arrive. And then there's the GDPR coming in May. Do you have what you require?
HD: We should have about 140 people by the end of this year. Our budget has more than quadrupled, up to €11.7m this year. So we have been building and building, not just in terms of numbers of staff but with some specialist recruitment. We've recruited very key new members to our legal team, our technology team and in skills that we didn't have - such as business analytics.
AW: So is that enough?
HD: Well it's important to point out that we're now among the top tier of highly-resourced data protection authorities in the EU in terms of resourcing, the annual budget that we have to deploy and in terms of the number of staff that we have. So we're behind the UK, France and Germany in terms of numbers, but we're up there just in the tier right below them. The UK Data Protection Authority is the biggest data protection authority in the world.
AW: Surely with the companies located here, that's the way it should be?
HD: Yes. As for data protection authorities in Europe, in the last survey that I saw, they averaged about 68 staff so they're not huge. And the question of whether they're resourced adequately is a question really for the member states in Europe. Is this the importance that a member state attaches to the regulatory and supervision role under the GDPR? And are we all adequately resourced?
I would say no and I would say no data protection authority has enough resources in terms of the importance we would attach to the issues that fall out of personal data processing and the types of risks and harms that can occur for individuals in terms of discrimination, identity theft, loss of reputation and unfair decision-making.
So we will be making the case to add further resources and particularly in the circumstances, as you say, that in Ireland we're supervising the biggest internet companies in the world. And equally, I would think there's a case for elevating the resources of data protection authorities across the EU.
AW: One of the biggest global data breaches in recent years was Yahoo, where three billion email accounts were compromised. As that company has its international office here, you had said your office would investigate. What is the status of that investigation?
HD: Yes, we did conduct an investigation in relation to that very large-scale Yahoo breach, or two breaches in fact. The controller for European users is located in Ireland. Under the Irish Data Protection Acts, the obligations on that controller based in Ireland, where it was transferring the data back to Yahoo Inc in the US, were to ensure that the processor, being Yahoo Inc in the US, had appropriate safeguards in place to safeguard and secure the data.
The breaches in this case occurred at Yahoo Inc in the US rather than at the Dublin-based controller. And so we have conducted a lengthy investigation over the last year in relation to the measures that were in place, the active oversight that was taken by the controller in Ireland over what safeguards were put in place by the processor. And we're just at the concluding stages of the report and the findings and we're serving that on Yahoo EMEA in Ireland.
AW: So that's imminent?
HD: That's imminent.
AW: In the US, courts are clearing the way for individual citizens to sue Yahoo over the data breach. In a post-GDPR environment, is that the kind of thing that might happen here? If another Yahoo were to happen, or indeed if people are only discovering now about their Yahoo accounts being hacked, could we see individual citizens taking legal action on that basis here?
HD: I think we certainly could see individuals taking legal action on that basis. It would, of course, be a matter entirely for the courts in Ireland then to assess what quantum would be put on compensation or whether the breach was merely technical. In other words, whether there was a threat of access to the accounts but the loss was mitigated substantially by the company once the breach was discovered, or whether there has been actual loss and consequences suffered by the individuals.
So, that will be for the courts to assess the nature and the gravity of the loss for individuals and then to put a quantum in terms of compensation, if any, they would award.
AW: But in Ireland we don't really have a history of class-action suits.
HD: No, and there won't be class actions in Ireland under the GDPR either.
AW: Yahoo argued that it could be an attack by a nation state. Other big companies in the same situation try to plead the same reason as a get-out-of-jail card, arguing that they can't be expected to compete with the cyberwarfare resources of rogue states. Will the GDPR do anything to change the basis of arguing that excuse?
HD: You're right, we hear a lot about these state-sponsored actors that are alleged to be behind some of these larger-scale breaches, particularly as concerns internet and infrastructure companies. It won't, per se, be a get-out-of-jail card. So, where a breach has occurred and it's not contested that it has occurred, there'll likely be a presumption of an infringement of the GDPR in those circumstances.
But when we come to look under Article 83 of the GDPR at what sanction we would apply, it sets out a number of mitigation criteria which we would be obliged to take into account. One of the other things we would have to take into account is whether the controller had applied every last safeguard, state-of-the-art security measures and taken every conceivable action possible.
We haven't, I suppose, come across a company to date in the course of our investigations where we could say 'Well, they've had state-of-the-art processes and systems and taken every last action that was possible', but the theoretical possibility is there.
AW: Even with all those billion-dollar multinational companies with all the resources they have?
HD: As I said, it's a theoretical possibility that if they have applied objectively demonstrable state-of-the-art security and there really appears to have been nothing further they could have done, that would certainly be a mitigation criterion. But, we haven't come across it.
You'll have seen in the annual report that we published recently for 2017 that, particularly in relation to medium-sized organisations, we're still seeing basic cybersecurity hygiene that's very poor in a lot of cases. This is the failure to keep systems and patches updated, poor password-setting, failure to use all of the layered authentication options that are available and leaving systems set at their default settings.
AW: The public services card has proven to be controversial, with some charging that it's a national identity card by stealth. It seems that public bodies are starting to ask for it when we apply for state documents, such as passports. What's your view?
HD: We have an investigation under way in relation to the public services card which we launched late last year. What triggered us to launch the investigation was that it suddenly became prevalent for it to be mandatory to produce the public services card to the exclusion of any other form of identity for a whole range of government services, including the driver theory test now incoming, the driver's licence, the passport and so on. And so we sought to open an investigation to look at what the legal basis for the public services card is and to look at the legal basis for compelling it to the exclusion of any other form of identity in relation to the procuring of services from the State.
We also want to look at what its transparency to the public is in relation to what's being collected, what type of data is on the card, what precisely it's being used for and with what type of government agencies it's being shared with. It seemed to us, from queries that we were receiving to our office, that there wasn't sufficient transparency and so we opened an investigation to look at the range of these issues. The first principles of data protection are lawful and fair processing and we're really going back to first principles with this investigation.
When Irish Water was established there were a number of Irish Water Services acts and it was immediately obvious if you read those acts how the database for Irish Water was being formed, by collecting data from a number of different government databases. But with this particular implementation and rollout by government, it's not immediately apparent for a member of the public where you'd go to look if you were curious and wanted to understand the law underpinning it.
The law is spread over a number of pieces of primary legislation, social welfare legislation and a number of pieces of secondary legislation in some cases. But it's not enough to have a legal basis, you have to be very transparent and clear with the public as to why the data is being collected. And it would also be necessary to justify why a certain form of identity, to the exclusion of any other form of identity, is necessary in the circumstances.
AW: We are talking about the public sector in government services. If Ryanair or Aer Lingus or other big private organisations start accepting it as a means of identification, or pubs or nightclubs start accepting it, it kind of becomes a runaway thing on its own doesn't it? And whether or not it's required for public sector use, if every single big organisation accepts it as an alternative to a driver's licence or a passport, eventually the public sector will probably accept it as well, right?
HD: I suppose you're getting into speculation that's beyond the scope of the investigation we're conducting. But what I would say is that you talked about alternatives. One of the points we're looking at is the fact that alternatives are not being recognised, it's mandatory to the exclusion of any currently known alternatives. That becomes the point that is significant.
AW: Isn't there a basic issue of taste here, too? In continental Europe, many countries don't have any problem with a national identity card. It's regarded as a fact of life that makes administration more efficient. Is it our common law heritage that makes us more suspicious of the notion of a national identity card? Is it a dislike of being stopped in the street and being asked to produce papers?
HD: You're right, there are national identity cards in the vast majority of EU member states. And, in many cases, they have that characteristic that they have to be carried at all times. And so in common law countries like New Zealand, the UK and Ireland there has, as you said, always been a view that's opposed to national identity cards. That's not the aim of our investigation. It's not the role of the Data Protection Authority to dictate what government policy should or shouldn't be, but to the extent that a card of this nature, and the SAFE 2 registration system itself, involves the collection and processing and sharing of significant amounts of personal data, it must be lawfully collected and there must be transparency about it.
AW: There has also been a lot of commentary about Privacy Shield, the successor EU-US agreement to Safe Harbour, which was struck down by the European Court of Justice for not adequately protecting our European personal data rights. The European group of data protection authorities that you're a member of has been critical of Privacy Shield and has sought clarification on the US side with regard to an ombudsman and other matters. Hasn't it gone so far as to suggest that this treaty might follow Safe Harbour in being referred again to the European Court if nothing happens?
HD: Yes, the appointment of a permanent person in that position is one of the issues. We're still in discussions and waiting to hear updates in relation to progress from the US authorities. That will happen and we'll get something of an update in the next couple of weeks and then it will be a matter for reviewing. I think, incidentally, what that statement from Article 29 said, in relation to a referral to the CJEU was that a national data-protection authority would bring a matter before its national courts.
AW: So that could be you, bringing it before the High Court here?
HD: It could, I suppose.
AW: Will it be you?
HD: It's probably not useful to speculate at this point until we get an update from the US authorities and look at where the various deficiencies that were identified are at.
AW: One of the underlying issues, surely, is US authorities continuing to harvest European citizens' personal data though, isn't it? Do we really believe that's going to stop? And assuming it isn't, doesn't Privacy Shield and any successor face difficult odds?
HD: As you know, we took a case in the Irish High Court in relation to another mechanism for transfers, the standard contractual clauses case which is used not just to transfer to the US but to other third countries. Justice Caroline Costello agreed with the position we took when she issued her judgement on the 3rd of October last year and agreed to make a reference to the Court of Justice of the European Union in relation to the validity of those clauses. And she conducted a hearing in January of this year with the various parties to the case including Max Schrems, Facebook, our office and other participants in terms of formulating the questions.
I think some of those questions around surveillance access and then the appropriate safeguards that have to be in place when data is being transferred will fall out of that case once the reference is made. We anticipate it is likely to be this month when Justice Costello will make the reference.
AW: But are we being a little naive in thinking that the CIA and NSA are going to stop tapping into our data streams?
HD: I suppose I have to be careful because we conduct investigations into these types of issues and we have to follow fair procedures and due process and adduce the facts as they exist. So I don't really want to comment along the lines that you're suggesting. But I suppose what I would say, which probably concurs really with the point you are making, is that there's likely to be a need not just for litigation in these cases, bringing the matters to the CJEU, but also a need for political solutions as well as legal solutions to make transfers sustainable and balanced against rights of individuals in the longer term.
AW: Is there an issue with privacy law keeping up with technology?
HD: I think the GDPR is going to go a long way in that direction. One key thing for us in terms of these companies that monetise personal data is the issue of transparency.
There has always been the complaint that users aren't entirely clear that that is the deal. We're talking to the big companies about layered privacy notices, better visualisation capability for users in terms of data that's being collected and how it's going to be used.
But there are a huge number of players. Whatever about the big companies like Google and Facebook, who write blogs and discuss their processes, there are other players in ad tech where we just don't have that visibility. There are more nefarious operators, individuals we aren't aware of. So there's a whole issue around surfacing up what is going on in that space and trying to rationalise it in some way, so that ultimately the individual service user has some transparency and control which undoubtedly they don't at the moment. If we visit one website we may discover we've been connected with 24 other websites based on cookies that are dropped.
We expect to see a marked change in how transparency is done by these internet companies under GDPR and we're waiting for the big reveal from a lot of them.
Editor's note: this interview was conducted before the Facebook-Cambridge Analytica data controversy.
To hear more of Helen Dixon, download 'The Big Tech Show' podcast on Soundcloud, iTunes or independent.ie/podcasts