Irish Times 7th January 2014
Data Protection Commissioner Billy Hawkes: “One thing we certainly don’t have is a light touch. We have a very rigorous approach to oversight of organisations.”
While the revelations of whistleblower Edward Snowden about the surveillance activities of the United States National Security Agency (NSA) extended tentacles into the related area of data protection in 2013, regulators in the European Union spent most of the year wrestling with proposals to harmonise the law across 28 member states.
A new EU regulation, first tabled in a proposal by the European Commission in 2012, would place new responsibilities on the regulators and also on businesses throughout the union.
Negotiations have stalled and the regulation is now unlikely to scrape through before the European Parliament elections in May. But the proposals still on the table would, in theory, place an extra burden on Ireland’s Data Protection Commissioner, Billy Hawkes.
The so-called one-stop shop mechanism would likely see him become the lead regulator in Europe for major multinationals with head offices in Ireland, including such companies as Facebook, Google and Apple.
In comments at a privacy conference in Brussels last month, Mr Hawkes indicated he did not relish the prospect of taking on the responsibility for regulating such multinationals for all citizens of the EU.
Saying he would not view the one-stop shop “with any great enthusiasm”, he suggested it would draw resources from dealing with complaints about the likes of telecommunications firms and others, which are a greater source of complaints to his office by Irish citizens.
“However, as a good European, which I try to be, I do accept the logic of the one-stop shop and I will accept the consequences and the burdens that go with it,” he said.
Speaking at his office in Portarlington before that conference, Mr Hawkes said he was already prioritising for attention those companies operating across the EU for which processing of personal data was core to their activities.
“Depending on, obviously, the number of the companies involved – and certainly if many more companies were to declare to be established in Ireland for data protection purposes – we would require more resources to be able to discharge our oversight responsibilities.”
He welcomed what he said was a clear commitment by Minister for Justice Alan Shatter to ensure he was adequately resourced for any new responsibilities – though again it remains to be seen what will emerge.
Privacy campaigners such as the Austrian-based Europe v Facebook group believe his office has not been sufficiently robust in its enforcement actions.
The group, led by Max Schrems, is seeking judicial review of Mr Hawkes’s decision not to pursue complaints made to his office about the gathering of personal data under the NSA’s Prism programme from US firms based here. Mr Hawkes is also in the process of making formal decisions on 22 earlier complaints by the group relating to the privacy policies of Facebook, which underwent a major audit by his office two years ago.
Mr Hawkes cautiously describes the approach taken by the complainants as “forceful” and, not for the first time, rejects the suggestion of “light touch” regulation by his office.
“One thing we certainly don’t have is a light touch,” he said. “We have a very rigorous approach to oversight of organisations but we do try to use the resources that are given to us in an intelligent way. It does not necessarily involve always hiring more people on our staff. It can also involve using outside expertise to help us in particular areas.”