Irish Times 7th January 2014
Data Protection Commissioner Billy Hawkes: “One thing we certainly don’t have is
a light touch. We have a very rigorous approach to oversight of organisations.”
While the revelations of whistleblower Edward Snowden about the surveillance
activities of the United States National Security Agency (NSA) extended
tentacles into the related area of data protection in 2013, regulators in the
European Union spent most of the year wrestling with proposals to harmonise the
law across 28 member states.
A new EU regulation, first tabled in a proposal by the European Commission in
2012, would place new responsibilities on the regulators and also on businesses
throughout the union.
Negotiations have stalled and the regulation is now unlikely to scrape through
before the European Parliament elections in May. But the proposals still on the
table would, in theory, place an extra burden on Ireland’s Data Protection
Commissioner, Billy Hawkes.
The so-called one-stop shop mechanism would likely see him become the lead
regulator in Europe for major multinationals with head offices in Ireland,
including such companies as Facebook, Google and Apple.
In comments at a privacy conference in Brussels
last month, Mr Hawkes indicated he did not relish the prospect of taking on the
responsibility for regulating such multinationals for all citizens of the EU.
One-stop shop
Saying he would not view the one-stop shop “with any great enthusiasm”, he suggested it would draw resources from dealing with complaints about the likes of telecommunications firms and others, which are a greater source of complaints to his office by Irish citizens.
“However, as a good European, which I try to be,
I do accept the logic of the one-stop shop and I will accept the consequences
and the burdens that go with it,” he said.
Speaking at his office in Portarlington before
that conference, Mr Hawkes said he was already prioritising for attention those
companies operating across the EU for which processing of personal data was
core to their activities.
“Depending on, obviously, the number of the
companies involved – and certainly if many more companies were to declare to be
established in Ireland for data protection purposes – we would require more
resources to be able to discharge our oversight responsibilities.”
He welcomed what he said was a clear commitment by Minister for Justice Alan
Shatter to ensure he was adequately resourced for any new responsibilities –
though again it remains to be seen what will emerge.
Privacy campaigners such as the Austrian-based
Europe v Facebook group believe his office has not been sufficiently robust in
its enforcement actions.
The group, led by Max Schrems, is seeking judicial review of Mr Hawkes’s
decision not to pursue complaints made to his office about the gathering of
personal data under the NSA’s Prism programme from US firms based here. Mr
Hawkes is also in the process of making formal decisions on 22 earlier
complaints by the group relating to the privacy policies of Facebook, which
underwent a major audit by his office two years ago.
Light-touch regulation
Mr Hawkes cautiously describes the approach taken by the complainants as “forceful” and, not for the first time, rejects the suggestion of “light touch” regulation by his office.
“One thing we certainly don’t have is a light
touch,” he said. “We have a very rigorous approach to oversight of
organisations but we do try to use the resources that are given to us in an
intelligent way. It does not necessarily involve always hiring more people on
our staff. It can also involve using outside expertise to help us in particular
areas.”