One of the most important offices in controlling global privacy is located in a small building in the tiny town of Portarlington in County Laois, 50 miles from Dublin.
A headline in Quartz magazine in the U.S. tells all. It reads: “How a bureaucrat in a struggling country at the edge of Europe found himself safeguarding the world’s data.”
The story unfolds the incredible tale of how Billy Hawkes, Ireland’s Data Protection Commissioner finds himself in charge of the privacy issues of one billion people.
Quartz reports: “Every morning, the lone man in charge of overseeing how these companies use their data cycles to Heuston station, takes a 50-minute train ride out of Dublin, and walks the last five minutes to his office next to a convenience store in Portarlington, a town of some 7,500 people in the Irish midlands.”
And from this office in this small town in the Irish midlands Billy Hawkes safeguards the data and privacy of one billion internet users around the world.
As Quartz reporter Leo Mirani points out, “Facebook was the first to declare that users outside North America have a legal relationship with its Irish subsidiary not the American mothership.
According to the company’s third-quarter report for 2013 that is a total of 990 million people. LinkedIn did the same for its 175 million users, including Canadians, who live outside the United States.
Adobe followed suit. Dropbox is expected to do so soon. (Google retains California as the sole jurisdiction for any issues, data-protection-related or otherwise.)"
As the head of the tiny office of the Data Protection Commissioner (DPC) of Ireland, Hawkes is in charge of overseeing how the world's leading tech companies use the data they have.
The DPC was established in 1989 to “protect the individual’s right to privacy by enabling people to know and to exercise control over how their personal information is used." Hawkes was appointed to be the head of the organization in July 2005, near the end of the Celtic Tiger boom.
At the time, Ireland was just establishing itself as the European capital for multinational tech companies after passing legislation in 1997 to cut corporate tax rates from 36%, in line with the OECD average, to just 12.5% by 2003. Google was the first to arrive that year, when taxes hit their low. Today big tech firms such as Facebook, Apple, LinkedIn, Twitter, eBay and PayPal have their European headquarters in Ireland, and the technology sector now employs 105,000 people in Ireland and accounts for €72 billion ($98 billion), or 40%, of all exports annually.
Despite this tech boom and all the additional responsibilities that have come the DPC's way, Hawkes's office has barely changed. The staff has grown from 22 to 30 in the last year and its budget from €1.5 to €2 million ($2.7m).
Joe McNamee of the civil rights group European Digital Rights (EDRi) says the Irish commissioner’s office has “little credibility” and privacy advocates criticize its light-touch regulation. Ireland's DPC lets companies to “do whatever they want with personal data,” plays down the threat of sanctions, and rarely uses enforcement powers, says EDRi.
In 2011, Max Schrems, a 24-year-old law student at the time, initiated a campaign calling for Hawkes to address several complaints against Facebook. He requested his personal data from the company under EU data-access laws and was shocked when he received a 500MB pdf file that ran to 1,222 pages when printed out, with information maintained under 57 data categories, including deleted information and a list of computers he'd used to log into his account. Accusing Facebook of being in violation of Irish and European data-protection laws, he filed 22 separate complaints with the Irish DPC.
Hawkes incorporated Schrems’s complaints in an ongoing audit of Facebook, at the end of which the commission published its report and made a series of recommendations. One of the recommendations asked Facebook to make improvements to its automatic download tool, which allows users to gain access to their data. However the number of categories included in the tool fell from the 57 received by Schrems to just 20, with other bits of information scattered among a user’s profile and “activity log.”
Hawkes's critics believed this further indicated that the DPC was compromised and was pandering to tech companies.
At the time Schrems said the DPC was “miles away from other European data protection authorities in its understanding of the law, and failed to investigate many things.”
A 2012 re-audit found that “most of the recommendations have been fully implemented to our full satisfaction,” except in “a small number of cases [where] full implementation has not yet been achieved but is planned to be achieved by a specified deadline.”
Hawkes, 62, says he does not relish being the "regulatory face of the privacy debate."