Saturday 18 November 2017

Who will save us from the internet?

The search has begun for Ireland's new Data Protection Commissioner. It could just be one of the most significant jobs in the world - which is why the giants of the internet are watching

data protection
data protection
Sarah McCabe

Sarah McCabe

IT is one of the most powerful jobs on earth. The successful candidate will, however, have to put up with an office above a Centra in Portarlington. Whoever takes on the mantle of Ireland's new Data Protection Commissioner from retiring incumbent Billy Hawkes will have Facebook and the world's technology media hanging on their every word - but lunch will be no more glamorous than hot chicken rolls.

Despite the fact that it calls a poky space above a convenience store home, the importance of this operation cannot be overstated. The giants of the internet all answer to the Irish DPC.

"Thanks to the success of IDA Ireland, the Irish Data Protection Office has ended up with all of the biggest data processors and controllers in the world on its doorstep," explains digital privacy expert Daragh O'Brien.

Whoever is chosen will have Mark Zuckerberg on speed dial. Facebook is just one of the many internet giants which answer to this office. The world's largest social network is in constant contact with the DPC, one source said. Founder Zuckerberg sits down with Billy Hawkes to discuss plans still in their infancy.

The recruitment process is well under way. Just 31 candidates applied, and five made it to interview stage. This small number of applicants comes down to the very niche job description, which requires expertise in both data protection law and human rights law.

The pool of Irish candidates who fit that bill is very small, so foreign applicants are being considered. Interviews take place later this month. Time is of the essence given that Mr Hawkes leaves in September.

Rumours abound as to who is in the running. Barrister Fergal Crehan, one of the few with expertise in data protection law, has been suggested. Long-time deputy Data Protection Commissioner Gary Davis would have had a good shot too, but he left that post in January to join Apple as its head of European privacy.

A new EU law, the European General Data Protection Regulation, is partly to blame for the heavy burden the chosen one will carry. It was designed to unify online privacy rules across Europe.

Currently, data protection in the EU is regulated in a patchwork manner by a variety of European authorities. There are often several different bodies, in different countries, available to consumers with online privacy complaints.

But the new directive demands that there should only ever be one regulating body for a European company that stores data - and that regulator will be determined based on where the firm is located.

Since many tech giants have their European headquarters in Dublin or Cork, Ireland will in one swoop become one of the most powerful protectors of internet privacy on earth.

"The three most important data protection regulators on the planet will be the FCC chairman in the US, the Chinese authority and the Irish office above a Centra in Portarlington," says O'Brien wryly. "Let's hope the person they select to succeed Hawkes is world-class."

The decision should in theory be entirely separate from Government. The DPC was established by EU treaty law, which demands that it is entirely independent. In reality, there is likely to be at least some degree of input from Government or the civil service, given that the PAC is overseeing the process.

Privacy campaigners and the industry's top people will be watching closely. The key question is whether the successful candidate will have an academic or commercial background. A person with commercial experience will presumably be more pro-business. Their decisions could in theory lean towards companies rather than consumers.

But their empathy (or otherwise) with industry doesn't really matter unless the DPC has sufficient resources, which is unlikely. The unit has a staff of around 30 and a budget of about €1.5m a year. Facebook makes more than that in an hour.

"The Commission is incredibly constrained by a lack of resources," says O'Brien. "Billy Hawkes has done a great job with what he had, using constructive dialogue with companies rather than expensive lawsuits to achieve results, but they need much more."

UCD lecturer and digital privacy expert TJ McIntyre agrees. "The outgoing commissioner has been hampered during his term with relocation, the disruption and staff turnover which went with that, and a lack of resources - in particular, legal and technical experts. This has been only partially remedied with the hiring of one lawyer and one technologist. This is still inadequate for a role which involves protecting the data of hundreds of millions of users. If the new DPC is not given adequate resources, then we can expect more complaints that Ireland is failing to provide protections."

This lack of resources is probably to blame for a massive lawsuit that sparked a frenzy in the world's technology media this week. It was lodged against Facebook's European subsidiary, which is based in Ireland, by Austrian privacy activist Max Schrems. He filed the case in Vienna's Commercial Court, on the basis that the Irish regulator failed to take what Schrems argues was sufficient action against a host of alleged privacy breaches.

The case is being pursued in the form of a class action, open to all Facebook users outside of the US and Canada. At the time of writing, more than 17,000 people had joined as plaintiffs.

Even for a company as rich as Facebook, the consequences could prove costly. It is also embarrassing for Ireland, presenting our commission as light-touch regulators. But, "why would someone armed with a pea shooter take on someone with a tank?" says O'Brien.

Ireland has come to a crucial turning point in terms of our reputation as a country that treats data protection seriously, he says. "We have all these internet companies here, and now European legislation is giving us total regulatory control over them.

"We have an incredible opportunity here to present ourselves as doing data protection right."

If we fail, he says, if it appears we do not take this subject seriously, IT companies will leave. They will move to countries that are addressing the issue properly and giving it sufficient resources, like the Scandinavian nations.


Four big tests for the new data commissioner

Increased workload

While we all like to see more tech companies come to Ireland, every major announcement brings more potential work for the office of the Data Protection Commissioner.

The office has a backlog of cases it is slowly working through, with more coming on stream every day. For example, its audit of LinkedIn has still not been finalised, over a year after it first began.

Meanwhile, a promised audit of Apple has still not happened.

All of this is happening above a Centra store in Portarlington. And it's not just casework: new legislation from Europe will mean some new powers, which need to be incorporated into the office's daily grind.

Europe's Mr Big

The last Data Protection Commissioner was taken very seriously indeed by the biggest online companies in the world. When Facebook wanted to launch major new tweaks to its service, it checked with Billy Hawkes well in advance. (This extended to at least one face-to-face meeting with Mark Zuckerberg.)

With a new EU privacy directive set to make Ireland's data commissioner the most powerful in Europe, the new person will need to be comfortable with making decisions that affect hundreds of millions of people.

Keep an eye on the State

It's not all about Facebook and NSA spying. There's more. A key challenge for the new commissioner will be to keep pressure on state agencies that flout citizens' privacy.

Both the Department of Social Protection and An Garda Siochana have come in for sharp criticism from the outgoing commissioner for abuses of sensitive personal information.

Handling expectations

Ireland's position as a European home to the world's top technology and social media firms puts the data protection commissioner here in a sensitive position.

While protecting citizens' interests, there is an unspoken pressure not to become too zealous in interpreting data privacy law too onerously in regards to big firms. And there is an awful lot that remains open to interpretation.

- Adrian Weckler

Sunday Indo Business

Promoted Links

Business Newsletter

Read the leading stories from the world of Business.

Promoted Links

Also in Business