At the IAPP’s Data Protection Intensive in London in April, the IAPP sat down with Irish Data Protection Commissioner Billy Hawkes to discuss the ins and outs of a regulator’s daily life on the job, the impending regulation, do-not-track and how he relaxes when he’s not regulating multinational giants headquartered in Ireland.
Hawkes’ office has been busy in the last year preparing for the revised EU data protection regulation, which would see his office take on broader oversight responsibilities as a large number of multinational companies are headquartered there, including Facebook Ireland, among others. Hawkes has asked the Irish government for additional resources in light of this, and says the government has assured him his wish will be granted.
Hawkes is a family man, with three children: two sons, 18 and 17, and a daughter, 21.
What did you do before you were a DPA?
I was for many years a civil servant. I spent many years working in the Irish government service. My longest stint was in the Irish Foreign Service; I was there for 20 years. I did stints in the Department of Commerce and Finance as well. And then I applied for a competition for data protection commissioner, and much to my surprise got through and was appointed by the government in 2005.
Did you sort of have to learn as you went along when it came to privacy?
Absolutely, when I was trying to figure out ‘why did they possibly choose me over other people,’ I suppose there were aspects of my background that were relevant: my 20 years in the foreign service, including some periods dealing with human rights, and I also spent a period as an insurance regulator. If you look at those two aspects of my past career, I suppose they were of some relevance to the job I’m doing.
What’s a regulator’s day actually like? Are you busy writing fines? Doing audits on site?
The day can be quite varied. We’ve got very good colleagues working in our office and they do a variety of things. They deal with people complaining their data protection rights are being interfered with, and we try and resolve those complaints by contacting the organizations concerned. Usually we resolve them amicably without using enforcement powers, but, if we have to, we use enforcement powers. We also have an active audit function, which goes out to companies and state entities and sees how they are actually complying in practice with data protection law. Then we do outreach activities in terms of talking to organizations about data protection issues they are facing.
We have an active help desk, we also go out and give a lot of presentations; we talk at the IAPP. We also provide various published guidance materials and try and keep our website up to date. We also work with the media. It’s a mixed bag. But the whole objective is to increase the degree of compliance and best practice in data protection in organizations based in Ireland, which also include some U.S. multinationals that have set up their European base in Ireland.
As privacy is increasingly in the news, are complaints on the rise?
Yes, we do see a significant increase in complaints and people asserting their rights more perhaps than in the past, and that’s partly due to knowledge of their rights and – particularly under European law – the right to access all of your information if you want to. That can be particularly helpful in all sorts of circumstances, including when people might be fearful about their jobs, they might want to know would they have a case for unfair dismissal, so they can use the right of access in different contexts. So we do see that.
We also see greater media focus on privacy and more discussion on privacy in terms of our concepts of privacy changing: Are there intergenerational gaps about the Facebook generation versus the older generation, how should we view people who reveal an awful lot about themselves on social networks? What’s the role of data protection authorities when they choose to reveal the information? There’s obviously a huge educational thing, but is that something that’s best done through the schools in terms of getting across to people? You need to be mindful of what you’re saying, because once something’s on the Internet it’s very very hard to get rid of it.
What’s the fastest way a company can negatively attract your attention?
First of all, we learn about it oftentimes when there’s an avalanche of complaints about them. That means there’s something going wrong at that company and we’ll be on the job pretty quickly. We’re also very alive to other sources of potential concern, like the media reports on companies doing certain things; we obviously track those.
Also, in our audit program, we try to get a balance between entities in the public sector and the private sector, and we have a particular focus on companies that hold a lot of information that could matter to people, like the State’s social security administration and tax administration; in the private sector you have businesses like banks and insurance companies. We also try and draw lessons for those sectors. For example, we have a code of practice for the insurance industry, which basically takes the data protection principles and says in practice, in your industry, that’s how we expect you to behave. It’s a process of drawing on different information we have coming to us from different sources we have and trying to always reach for a situation where across the board in orgs in Ireland there is a consciousness of people’s rights to protection of their data and there’s a good level of compliance with that right.
There’s lots of talk about this One-Stop-Shop aspect of the proposed regulation. How might that impact your office? Especially with so many companies headquartered there? Can your office take on that type of burden and responsibility if that is handed down to you?
First of all, we expect it will be handed down to us in one form or another. We already have that responsibility in relation to some U.S. multinationals, which have clearly established their European headquarters in Ireland and clearly stated that the relationship with users is with the Irish entity rather than the U.S. entity. I suppose Facebook Ireland is the best example; its user relationship for all users outside North America is with the Irish entity. It has its European headquarters in Ireland and a strong compliance function in Ireland. It clearly stated it wished to comply with European law, as transposed into Irish law, and therefore we prioritized them for audit because we were conscious of having a much broader responsibility to a much broader user base than, for example, if we’re auditing a school or something which is solely local. It also reminded us of the challenge involved in auditing and overseeing an information-rich company like that; it did absorb a good deal of resources.
Thankfully, the government recognized that there is a resource requirement; they have given us more resources to deal with the responsibilities that go with having these companies here setting up their one-stop shop, and we’ve got a public commitment from the government that we’ll be given such resources as we need to adequately do the job. I think there’s a consciousness in the government that there’s a duty to properly regulate these companies to European standards, and to do that, the data protection authority needs to be properly resourced.
Let’s talk about differences in enforcement approaches between Europe and the U.S. Many feel the EU takes a stricter approach, but the FTC has been ramping up investigations and fines lately. Is the U.S. in fact weaker in terms of regulatory efforts?
Obviously the big difference is in Europe we have a comprehensive system of privacy protection with dedicated authorities for enforcement of that right. And in the U.S. you have a sectoral approach, with, in many cases, stronger and more effective enforcement in those sectors. I mean the FTC has leveraged its authority in relation to consumer protection to take very effective action in the area of privacy towards many companies big and small. It has also used its authority in relation to Safe Harbor. In other words, U.S. companies that have signed up to Safe Harbor and haven’t lived up to their obligations, they have had enforcement action taken against them.
I think what’s very encouraging are the efforts being made by the current administration to achieve a federal umbrella law on privacy. This certainly would be very helpful in terms of the goal of having as much interoperability as possible among EU and U.S. models, because we fundamentally accept we have the same values. We value privacy. But we perhaps give more priority to some things than others. In the U.S. there’s a very strong emphasis on freedom of expression; in Europe, there’s a strong emphasis on protecting personal data because of sad historical misuse of data.
I think there are many things that are encouraging in terms of improving the degree of that interoperability. There are the publications by FTC and DoC, which seek stronger roles for privacy, calls for federal privacy law if that can be achieved. There’s also now a big push for a free trade agreement between the EU and the U.S. and one can imagine the issue of any potential trade barriers arising from differences in privacy regulation might come up there. So there are different drivers, which might encourage, I think, both parties to look at their laws. There’s the new EU regulation, there’s, on the U.S. side, the push for some form of umbrella federal legislation. A lot of drivers, which if they worked out well would greatly improve interoperability, taking account of the fact that the flow of data is now global and there’s a need for global solutions.
What about Do Not Track? Is it doomed to fail?
I certainly wouldn’t assume it’s set up to fail. I think it’s fascinating to watch the process, particularly in the U.S., with companies using privacy as a competitive advantage tool. Certain companies have said we’re going to implement solutions, which basically mean putting do not track into browser settings. There’s been support from the FTC and pushback from the advertising industry. What’s interesting is the concern is the same on both sides of the Atlantic: It’s to give people a sense of control over what’s happening on the Internet, to avoid the sort of creepiness that can be involved in thinking someone’s tracking you and making assumptions, profiling you based on your behavior on the Internet.
Again I think it comes back to the idea of giving the individual more control over their data and I think it will be fascinating to watch it play out. But in the U.S. it’s an issue of competition on privacy. As a regulator, the more you can align commercial objectives with regulatory objectives the more success is likely.
What’s the hardest part of your job? Who do you call when you don’t know the answer?
In some respects, it’s the need to ultimately make decisions based on a principles-based law, which isn’t, as it were, black and white. That can be very difficult because the whole area of privacy is so intertwined with people’s concepts of privacy, their priorities and then with a very general set of principles. That’s certainly a very difficult part.
Who do I ask? The problem about being a commissioner is it’s supposed to be the reverse: people ask you. Who do I ask? I consult with my colleagues in the office as my first priority and rely very much on their advice; they’re my first port of call and I do that extensively. I’m far from knowing everything or getting things right, so the more you can make sure that, when you have to make a decision, you take into account different points of view, the more likely you are to get it right.
The common positions produced at the EU level by the Article 29 Working Party can be helpful in terms of clarifying how the law should be applied in different contexts, and this role of the central Euro body will be strengthened under the Regulation. Their recommendations are helpful because we’re all working under common European law and a common set of principles, so it can be helpful when we get together grappling with new issues and new technologies to figure out how we should apply data protection principles.
What do you do to relax?
It’s usually to be with family, we’ve got three young people in our family and my wife. So it’s I suppose learning what their issues are, talking them through, sitting down having a glass of wine. Generally relaxing. Bringing them to various sports activities and so on. It’s very much family oriented.