Whether Ireland likes it or not, it is centre stage for global data privacy issues by virtue of the global internet industry based here and actions by activists like Max Schrems. Data Protection Commissioner Helen Dixon is determined to meet this challenge head-on.
It was the blasé attitude to EU privacy regulation that Austrian student Max Schrems encountered among US executives of internet giants while visiting the US that put the cat among the pigeons. And Ireland never saw it coming.
Schrems took a high-profile case to the Irish High Court concerning Facebook’s privacy procedures, and Ireland’s Data Protection Commission (DPC), located above a supermarket in Laois thanks to a poorly thought-out decentralisation strategy, suddenly found itself responsible for auditing a global internet giant with more than 1.5bn users.
Other audits followed, including that of LinkedIn, and it has become clear that Ireland is now the de facto go-to location for data regulation because so many tech giants have their global headquarters here.
This is something Ireland is taking very seriously. Dixon took over from previous commissioner Billy Hawkes in September last year and the Irish Government has appointed Dara Murphy TD as Data Protection Minister.
Dixon is overseeing a near doubling of the 2015 budget from €1.8m to €3.6m, an increase in headcount from 29 to 50 by September and the opening of a new office in Dublin in 2015. And Dixon believes that she, and other regulators across Europe, will require even more resources to deal with a growing workload in a data-centric world.
“Technology audit staff are very important to us,” Dixon explains as we speak in her offices on Harcourt Street in Dublin. “As you know from your interactions with Billy Hawkes we very much believe in an approach of engaging with multinationals, auditing their baseline of compliance and it has delivered results for us.
“This is both in terms of giving best practice recommendations but also in terms of building our knowledge of how these services work and how profit is being generated from data and what the areas of risk are.”
Prior to becoming DPC, Dixon was Registrar of Companies in Ireland. She also previously worked in senior roles at the Department of Jobs, Enterprise and Innovation, and in the private sector, where she worked at two US multinational companies with EMEA bases in Ireland.
Dixon has a degree in applied languages (French/German), and master’s degrees in European economic and public affairs and in governance, and a post-graduate diploma in computer science.
Technology is in a constant state of motion and technology companies are rolling out new services, often without contemplating the privacy and security consequences.
“We believe we have to be in there engaging with these multinationals, pointing out to them where the global service offering they want to roll out is not going to be in compliance with European legislation. The facial recognition feature in Facebook is a very real example of that.
“Our job is to point out users’ expectations in terms of transparency and help users understand what is being done with their data. The users want to trust these services and the providers need to comply with the 1995 European Data Directive. It is about deciding where the line that should not be crossed actually is.”
Are we encountering a fossil fuels moment in terms of data?
There is a perception in Europe that digital overlords back in Silicon Valley are happily and irresponsibly hoovering up all of this data for financial gain and I liken it to the world’s realisation that, after years of abuse, fossil fuels are harming our planet. A reckoning will come and it could be too late.
“That is a possibility and that’s a point that I’ve made that goes beyond my role as a regulator. We need to have more discussions involving the tech companies, sociologists, academics, society, ethics experts and members of public in terms of what will be the repercussions of all of this.
“We all know about the benefits that social network sites can bring in terms of connecting people, but there are dangers in terms of what’s being collected and what’s being done with that data and how long it is being retained, what level of control the individual has.
“That’s what we are looking at constantly with these global service providers; what’s rolling out in Europe and how can you demonstrate to us that it is compliant with the European legislation.”
By September, the DPC will have grown to 50 staff but Dixon believes more resources will be necessary.
“The 18 people that we’ve brought on board are going to be an enormous help and I think it is going to put us in a much more credible but real position in terms of demonstrating that we are doing the job. The technologists that we are shortlisting – and we are excited by the CVs that we’ve seen – are going to allow us to continue to roll out a further programme of audits.”
Having found itself thrust onto the international stage in terms of the mammoth task of auditing Facebook, Dixon believes that the baptism of fire has also made the DPC more clear on what it expects from audits.
“One of the things that we’ve learned from the audits we conducted previously of LinkedIn and Facebook is that we probably need to scope them more narrowly on a risk basis and turn them over faster.
“We don’t need to do the A to Z of Apple’s privacy arrangements, but we need to focus in on what we could identify where the areas of risk will be. I think that with the 18 resources we are adding now we can start that process. I would also be hoping that we will take on additional resources because I think as the new European regulations hit we are going to have an increased workload.
“It is certainly going to increase the role for regulators. But one of the aspects of the regulation that is going to lead to increased workload for the Irish regulator, in particular, is around the one-stop shop for data protection that the EU is urging.
“Without a doubt Ireland is going to be the lead regulator for a lot of multinationals and there are even going to be more multinationals that will establish in Ireland once the new data regulations are enacted.
“Undoubtedly we are going to need more resources to deal with this. This is coming with one voice from all the regulators.”
I put it to her that this could make Ireland a permanent fixture on the world stage for data regulation. Dixon replies that if anything this refocuses the regulator’s role on understanding the business models of the multinationals but also heading off issues before they arise.
“As you know, one of the primary roles we have in legislation is as a complaints ombudsman for individuals and if we were simply to wait for the issues to arise we would be flooded. So we have a lot to do.
“We need to work more closely with the other regulators in Europe, take on board their concerns and we need to start leveraging the additional resources some of the other regulators have in terms of doing our job. I think there is a willingness there to do that and I want to explore it further with them. It is going to take time to have these discussions.
“We don’t focus on the idea that we will be on the global map in that way. We focus on doing our job professionally. We really believe in performing our role in as transparent a way as possible and providing some level of visibility of what we are doing, and if that puts Ireland on the map that is a good outcome.”
50pc surge in data breaches in Ireland
One of the stark findings in the DPC’s annual report this year was that data breaches among businesses in Ireland were up 50pc.
Dixon points out that most of these breaches weren’t down to sophisticated cyberattacks but actually human error.
“In terms of that big increase in data breaches that we saw last year, in fact many were non-systemic breaches in a lot of places. You talk about the growth of the internet, but in fact a lot of the breaches that we saw last year were the wrong letter going to the wrong address, the wrong bank statement in the wrong envelope, so they were that type of low-level breach, but nonetheless very invasive in terms of any individual subject to a breach.”
Dixon says it is imperative that companies in Ireland emphasise training frontline staff about data privacy.
“Some of the breaches we are seeing are happening close to the front line where it is individual human error. You could have a very strong management structure and very strong data protection ethos in an organisation, but all it takes is one person to make a mistake.
“Train them to understand what data protection is about, that they have that awareness, that there are effects when they reveal someone else’s sometimes very sensitive financial or personal data. That’s really one of the big messages we are delivering out of the increase in breaches we saw last year.”
She also said it is about making people aware of the value of their own data.
“We certainly have a role in terms of providing guidance. I think the media have done a good job of raising the profile of these issues and you mention the Max Schrems case earlier and that has brought a big profile and understanding to people that there are consequences.
“For all of us, whether we like it or not our digital footprint is growing and growing every year. It is important to remember that in terms of data protection legislation, consent can legitimise a lot of the collection that is occurring.
“So it is also important to remember that as individuals we do have a responsibility in terms of understanding what we are putting out there, looking at the privacy policies that companies provide, how long that data will be retained, what level of control we have and if we can delete our account fully if we don’t like the game any longer.”
Dixon said that privacy and data protection don’t mean much to people until they have suffered a breach.
“Sometimes people I know in my private life ask me what is a Data Protection Commissioner, they have no idea what the role actually is. The words ‘data protection’ don’t mean much to people. But when they hear about a case where a GP sends a person’s entire 40-year medical file to an insurance company and they only should have sent details of their knee injury, then they start to understand.
“This year I’ve engaged a lot with the insurance sector who are huge collectors of personal data, and sometimes very personal data, and in talking to them I have set out details of the cases that we have investigated, the prosecutions we have taken and they have all given feedback that show they understood the issues in a real way.”
In the year ahead, the DPC will also be revamping its website and in September it will be appointing a new director of communications to ensure the organisation is set up to handle both the international focus on Ireland’s regulation of privacy and the education of citizens and businesses about protecting their own data.
“If we are telling people to be more transparent and clearer in how they communicate, we need to show we follow our own advice,” Dixon concluded.
Women Invent is Silicon Republic’s campaign to champion the role of women in science, technology, engineering and maths. It has been running since March 2013, and is kindly supported by Intel, Eircom, Fidelity Investments, ESB, Accenture and CoderDojo.