DUBLIN—The world’s tech companies are coming to Dublin, as the Irish prime minister and his various trade representatives will tell you. Yet every morning, the man in charge of overseeing how these companies use our data cycles to Heuston station, takes a 50-minute train ride out of Dublin, and walks the last five minutes to his office next to a convenience store in Portarlington, a town of some 7,500 people in the Irish midlands.
It is an unlikely place for what has grown to become one of the most important offices in global privacy. But little about this story is likely.
The Office of the Data Protection Commissioner (DPC) of Ireland was established in 1989 to “protect the individual’s right to privacy by enabling people to know and to exercise control over how their personal information is used.” Billy Hawkes was appointed as its head in July 2005, in what were to be the last days of Ireland’s housing-spurred boom.
The world was a different place then. Dublin’s skyline was cluttered with construction cranes as the business press hailed the rise of the “Celtic Tiger.” Facebook was still a niche service restricted to US college students. And the DPC dealt primarily with local issues, such as the case of the Dublin man who complained that a CCTV camera operated by the local tram service looked directly into his back garden.
Pluck of the Irish
It was also a time when Ireland was only just establishing itself as the European capital for multinational tech companies. That story starts in 1997, when Ireland passed legislation to cut its corporate tax rates from 36%, in line with the OECD average, to just 12.5% by 2003. As Silicon Valley picked itself up after the dotcom bust and looked abroad in the early 2000s, English-speaking Ireland became a natural choice. As an EU member state, it allowed access to European markets. A large Irish diaspora in the US made the country seem familiar and friendly. And the tax rates were irresistible. Google, among the first to arrive, set up shop in Ireland in 2003, the same year taxes hit their low.
The technology sector now employs 105,000 people in Ireland and accounts for €72 billion ($98 billion) worth of exports annually, or 40% of all exports, according to a recent report (pdf) from the Irish Software Association. Big tech firms with their European headquarters in Ireland include Facebook, Apple, LinkedIn, Twitter, eBay and PayPal. Every month brings news of a new company establishing its European offices in Dublin.
Hawkes’s office has concurrently grown in importance. Despite deep cuts to the Irish public sector, the commission retained its staff of 22 and its budget of €1.5 million. In the last year, the staff has grown to 30 and the budget to €2 million, and the government has promised more if necessary.
Today, the Irish economy stands ravaged by a spectacular crash and five years of austerity. Facebook has grown to become the biggest social network in the world. And Hawkes is directly responsible for safeguarding the data and the privacy of not just Irish citizens or Europeans, but of nearly a billion internet users around the world.
The world’s regulator
Companies came to Ireland for the tax benefits, but stayed for the regulation. Facebook was the first to declare that users outside North America have a legal relationship with its Irish subsidiary (see section 19), not the American mothership. According to the company’s third-quarter report for 2013 (pdf), that is a total of 990 million people. LinkedIn did the same for its 175 million users, including Canadians, who live outside the United States. Adobe followed suit. Dropbox is expected to do so soon. (Google retains California as the sole jurisdiction for any issues, data-protection-related or otherwise.)
Critics think this is dangerous. Joe McNamee of European Digital Rights (EDRi), a civil rights group, says the Irish commissioner’s office has “little credibility.” Privacy advocates accuse it of practising light-touch regulation. The Irish DPC allows companies to “do whatever they want with personal data,” plays down the threat of sanctions, and rarely uses enforcement powers, says EDRi.
To many, the case that exemplifies these criticisms is that of Max Schrems. In 2011 Schrems, an Austrian who was then a 24-year-old law student, initiated a noisy campaign calling for Hawkes to address a raft of complaints against Facebook. Having requested his personal data from the company under EU data-access laws, Schrems had been astonished to receive a 496MB pdf file that ran to 1,222 pages when printed out, with information under 57 data categories. These included “pokes” that Schrems had removed, people he had “unfriended”, and a list of computers he used to log in to his account. Schrems contended that Facebook had yet more information on him that it hadn’t disclosed, including data about everything he has ever “liked”. He concluded that Facebook was in violation of Irish and European data-protection laws and filed 22 separate complaints with the Irish DPC. As a result of Schrems’s campaign, Facebook received more than 40,000 data-access requests within a few weeks.
Hawkes duly incorporated Schrems’s complaints in an ongoing audit of Facebook, at the end of which the commission published its report (pdf) and made a series of recommendations. Among those was one that asked Facebook to make improvements to its automatic download tool, which allows users to gain access to their data. But the number of categories included in the tool fell from the 57 received by Schrems to just 20, with other bits of information scattered among a user’s profile and “activity log.”
To Hawkes’s critics, this was further proof that the DPC was fatally compromised. Agreeing to let Facebook serve data through such convoluted means reeked of pandering. Schrems said at the time that the Irish authority was “miles away from other European data protection authorities in its understanding of the law, and failed to investigate many things.” Still, a re-audit (pdf) conducted by the DPC in 2012 found that “most of the recommendations have been fully implemented to our full satisfaction,” except in “a small number of cases [where] full implementation has not yet been achieved but is planned to be achieved by a specified deadline.”
The regulatory face of the privacy debate
Like Mark Zuckerberg, who represents the corporate face of privacy infractions, and Edward Snowden, who exposed government overreach, Billy Hawkes is, at least among wonkier circles, the regulatory face of the privacy debate.
It is not a role he relishes. “When I started off in this job, the focus would primarily have been domestic. You wouldn’t be talking to me if I was only concerned with schools and supermarkets. It’s become a far more complex job. I used to have a quiet life [but] that is no longer the case,” Hawkes said in a recent interview with Quartz in Dublin.
In person, Hawkes is very much the picture of a mild-mannered bureaucrat. He rarely gets worked up, even when dealing with harsh accusations. He has had plenty of practice. Now 62, Hawkes is a 43-year veteran of the civil service, with positions in the department of finance, the department of tourism and trade, and more than two decades in the foreign service, including as a diplomat.
“This idea that we’re a light-touch regulator is based on a misunderstanding of how we do things. I would absolutely reject that,” Hawkes said. “Our approach is to talk to companies, explain exactly what we expect of them [and] expect they will follow that. But if they don’t, we have some of the strongest enforcement powers of any European data protection authority.”
Hawkes likens his approach to that of Ireland’s unarmed police force, “which means they automatically have to talk to people.” Gentle pressure and the threat of enforcement, which could include ordering a company to delete a database or stop certain practices, is a greater incentive for compliance than punitive fines that large companies can easily afford to pay without having to change their behavior, he argues.
On the Schrems case, Hawkes says, “A company like Facebook is always going to be controversial. Irrespective of what we do there was always going to be criticism of what we did.” He says that it is in Facebook’s—and other companies’—best interests to comply with the DPC. “Companies recognize that challenging the data protection authority is not a good idea. It’s terrible PR.”
Hawkes also thinks too much is made of Facebook. The majority of the DPC’s work involves Irish companies, European multinationals and the state sector, and the most complaints from Irish citizens are about these entities, not Facebook. “One of the paradoxes of our office is we have had to devote very significant resources to international companies even though Irish residents hardly ever complain about them,” Hawkes says. Irish citizens tend to be more concerned with direct marketing emails and calls than the nefarious use of data.
Not American enough
At the heart of the controversy over Ireland’s approach to data protection lie two very different frictions. On the one hand, Ireland is more relaxed about these matters than continental Europe, which, led by Germany, is unflinching when it comes to personal privacy. On the other hand, Ireland is still closer to the European model, which sees data privacy as a fundamental right, than to the American approach, which sees privacy as a consumer right to be regulated by the Federal Trade Commission, not mandated by Congress. Hawkes must somehow find common ground between these two extremes.
An example of how this plays out can be found in his office’s handling of Edward Snowden’s PRISM revelations. Hawkes’s office refused to investigate the transfers of European citizens’ data to the US by Apple and Facebook, where it could be exploited by the National Security Agency’s snooping apparatus. The DPC cited the Safe Harbor agreement, a voluntary mechanism—widely considered to be broken—for American companies to say they adhere to European standards. (You can see Quartz’s Safe Harbor certification here.) Such decisions enrage Europeans. The DPC is presently party to a court case which will decide whether it made the right call.
Hawkes says he is powerless to do anything: “Both companies have signed up to the Safe Harbor agreement. The European Commission states that data is adequately protected if the company is signed up to Safe Harbor. Irish law is crystal clear and says I am bound by such a decision by the Commission.” The data protection authority in Luxembourg, where Skype is headquartered, similarly declined to investigate. (The European Commission recently recommended improvements to the mechanism.)
Nor European enough
The debate about the Irish data protection commission will soon become noisier. The EU is close to passing a new data-protection regulation (paywall) that will force all member states to implement it to the letter and which contains onerous fining powers. Once it becomes law, the scattered nature of enforcement across the continent, where a single company can be pursued by multiple authorities for the same thing in several countries, will become more streamlined under a “one-stop shop” model.
That means companies will have to answer only to the data protection authority of the country in which they are based. Hawkes’s office will lose jurisdiction over companies that annoy some of his Irish constituents, such as British mobile operators or European banks. But it also means other, more strident European countries will lose the power to investigate American tech firms, since they are largely based in Ireland. For privacy advocates, that is a worrying thought.
Hawkes argues that companies like Facebook “rarely do things that actually harm anybody,” while banks with inaccurate data could scupper their clients’ chances of getting loans. That may be an unfortunate comparison. Viviane Reding, the senior European bureaucrat responsible for the new data protection legislation, refers to personal data as the currency of the digital market. At a time when personal data has become a serious business (paywall), she has a point.
European officials hope the regulation will become law before European Parliament elections this May. Member states will then have two years, or until 2016, to bring national legislation in line with the regulation. Hawkes will by then have finished his second term as data protection commissioner. “Hopefully I would have taken the brunt of the transition from being a primarily domestic-focused agency to one with a significant international” responsibility, he says. As for his successor, he says, “I certainly don’t see it being any easier.”