One of the most important offices in controlling global privacy is located in a small building in the tiny town of Portarlington in County Laois, 50 miles from Dublin.
A headline in Quartz magazine in the U.S. tells all. It reads: “How a bureaucrat in a struggling country at the edge of Europe found himself safeguarding the world’s data.”
The story unfolds the incredible tale of how Billy Hawkes, Ireland’s Data Protection Commissioner finds himself in charge of the privacy issues of one billion people.
Quartz reports: “Every morning, the lone man in charge of overseeing how these companies use their data cycles to Heuston station, takes a 50-minute train ride out of Dublin, and walks the last five minutes to his office next to a convenience store in Portarlington, a town of some 7,500 people in the Irish midlands.”
And from this office in this small town in the Irish midlands Billy Hawkes safeguards the data and privacy of one billion internet users around the world.
As Quartz reporter Leo Mirani points out, “Facebook was the first to declare that users outside North America have a legal relationship with its Irish subsidiary not the American mothership.
According to the company’s third-quarter report for 2013 that is a total of 990 million people. LinkedIn did the same for its 175 million users, including Canadians, who live outside the United States.
Adobe followed suit. Dropbox is expected to do so soon. (Google retains California as the sole jurisdiction for any issues, data-protection-related or otherwise.)"
As the head of the tiny office of the Data Protection Commissioner (DPC) of Ireland, Hawkes is in charge of overseeing how the world's leading tech companies use the data they have.
The DPC was established in 1989 to “protect the individual’s right to privacy by enabling people to know and to exercise control over how their personal information is used." Hawkes was appointed to be the head of the organization in July 2005, near the end of the Celtic Tiger boom.
At the time, Ireland was just establishing itself as the European capital for multinational tech companies after passing legislation in 1997 to cut corporate tax rates from 36%, in line with the OECD average, to just 12.5% by 2003. Google was the first to arrive that year, when taxes hit their low. Today big tech firms such as Facebook, Apple, LinkedIn, Twitter, eBay and PayPal have their European headquarters in Ireland, and the technology sector now employs 105,000 people in Ireland and accounts for €72 billion ($98 billion), or 40%, of all exports annually.
Despite this tech boom and all the additional responsibilities that have come the DPC's way, Hawkes's office has barely changed. The staff has grown from 22 to 30 in the last year and its budget from €1.5 to €2 million ($2.7m).
Joe McNamee of the civil rights group European Digital Rights (EDRi) says the Irish commissioner’s office has “little credibility” and privacy advocates criticize its light-touch regulation. Ireland's DPC lets companies to “do whatever they want with personal data,” plays down the threat of sanctions, and rarely uses enforcement powers, says EDRi.
In 2011, Max Schrems, a 24-year-old law student at the time, initiated a campaign calling for Hawkes to address several complaints against Facebook. He requested his personal data from the company under EU data-access laws and was shocked when he received a 500MB pdf file that ran to 1,222 pages when printed out, with information maintained under 57 data categories, including deleted information and a list of computers he'd used to log into his account. Accusing Facebook of being in violation of Irish and European data-protection laws, he filed 22 separate complaints with the Irish DPC.
Hawkes incorporated Schrems’s complaints in an ongoing audit of Facebook, at the end of which the commission published its report and made a series of recommendations. One of the recommendations asked Facebook to make improvements to its automatic download tool, which allows users to gain access to their data. However the number of categories included in the tool fell from the 57 received by Schrems to just 20, with other bits of information scattered among a user’s profile and “activity log.”
Hawkes's critics believed this further indicated that the DPC was compromised and was pandering to tech companies.
At the time Schrems said the DPC was “miles away from other European data protection authorities in its understanding of the law, and failed to investigate many things.”
A 2012 re-audit found that “most of the recommendations have been fully implemented to our full satisfaction,” except in “a small number of cases [where] full implementation has not yet been achieved but is planned to be achieved by a specified deadline.”
Hawkes, 62, says he does not relish being the "regulatory face of the privacy debate."
He told Quartz, “When I started off in this job, the focus would primarily have been domestic. You wouldn’t be talking to me if I was only concerned with schools and supermarkets. It’s become a far more complex job. I used to have a quiet life [but] that is no longer the case."
"This idea that we’re a light-touch regulator is based on a misunderstanding of how we do things. I would absolutely reject that,” he said Hawkes, who has served 43 years in civil service.
“Our approach is to talk to companies, explain exactly what we expect of them [and] expect they will follow that. But if they don’t, we have some of the strongest enforcement powers of any European data protection authority.”
Hawkes says gentle pressure and the threat of enforcement is a greater incentive for compliance than punitive fines that huge companies can easily afford.
Regarding the Schrems case, he said, “A company like Facebook is always going to be controversial. Irrespective of what we do there was always going to be criticism of what we did.”
He adds that it is in the companies' best interests to comply with the DPC. “Companies recognize that challenging the data protection authority is not a good idea. It’s terrible PR.”
According to Quartz, Ireland is more relaxed about data protection than continental Europe but "closer to the European model, which sees data privacy as a fundamental right than to the American approach, which sees privacy as a consumer right to be regulated by the Federal Trade Commission, not mandated by Congress. Hawkes must somehow find common ground between these two extremes."
The debate about the Irish Data Protection Commission is set to become more heated with the EU close to passing new data-protection regulation. One result of the law will be that companies will have to answer only to the the data protection authority of the country in which they are based. The regulation could become law before European Parliament elections this May, after which member states will have until 2016 to bring national legislation in line with the regulation.