How influential is the Irish Data Protection Commissioner?
How much do Facebook and Apple defer to her office when preparing major new features? And will Europe allow the Irish office to remain at the centre of things when it comes to regulating the world’s tech companies? Adrian Weckler sat down with Helen Dixon to talk about Facebook, Linkedin, Apple and the challenges of being Europe’s ‘lead regulator’ for the companies that matter.
AW: Your office conducted ‘a substantial on-site review of audit recommendations’ on Facebook’s Irish headquarters last year as a follow-up to the original 2011 audit, the one that garnered global attention. Are there any concerns about how Facebook treats our personal information arising from this latest on-site audit?
HD: I don’t think we would say that there are concerns arising from it, but there are still questions and issues outstanding. We are still looking at issues of social plug-ins, the sharing of data and notifications around cookies that have been dropped and whether they’re cookies that fall under the necessity exemption under the privacy directive or not. There are a lot of things that remain in the mix.
AW: Are these things that you’ve identified as being problematic? Or is it merely to probe further with Facebook to see if there might be a problem?
HD: That is the nature of it. We’re examining whether they’re strictly in compliance. These things aren’t simple issues like whether you were mailed the wrong bank statement or not. These issues have a level of complexity to them and so it takes us a number of months to establish a position on them, both ourselves here in the office and through interaction with Facebook.
AW: And what is your relationship with Facebook like?
HD: It’s largely productive and positive insofar as we can point to definite outcomes that have been delivered. For example, there are outcomes such as the ‘download your information’ access tool they’ve provided. And we can cite other examples too. But it’s not all plain sailing. It’s not always great news to them if we say that we don’t think that a certain feature is in compliance and that we don’t think it can be introduced in Europe or as a global product in Europe. So there’s always a level of tension and discussion and difficult conversation with these big companies.
AW: In your report, you say you provided recommendations to Apple ahead of the launch of its mapping roll-out here, which currently involves a fleet of vehicles on Dublin and Cork streets photographing neighbourhoods ahead of a more accurate Apple Maps service. You also say Apple took all of your recommendations on board. What recommendations were they?
HD: Apple contacted us proactively beforehand about this. Their notification process about which neighbourhoods their vans will be travelling through was a key part of the recommendations we made. We looked at the lessons that member states learned from the Google Street View exercise, like ensuring people were properly on notice and that individuals would be blurred out. We made sure that all of those things would be tightly controlled.
AW: Your predecessor completed an audit on Linkedin last year, recommendations around which weren’t made public. Has Linkedin implemented all of those recommendations?
HD: We’re satisfied that the majority of the recommendations have been accepted and implemented by Linkedin, but there are one or two areas that are still under discussion between us where we don’t think the service meets a ‘best practice’ compliance level.
AW: What does ‘best practice’ mean? Where is the line between best practice and ‘enforceable requirement’?
HD: That’s a fair question in terms of trying to understand how we’re trying to regulate these entities. I think there is a nuanced difference between the two. We set out in discussions with what we see as best practice compliance with the [EU data privacy] 1995 directive. Depending on the level of cooperation, we may then start to shift our position to one where we will find non-compliance. At that point, we may be required to take appropriate action. In this context, we haven’t come to that point yet. But we may well do so.
AW: There is growing uncertainty over who is ultimately responsible for regulating entities such as Facebook, Google, Linkedin and other global tech firms with European headquarters in Ireland. What’s your view on that?
HD: Ireland will remain the lead regulator for the entities that are controlled here in terms of their European service. That is regardless of what the final configuration is for a ‘one stop shop’ arrangement in Europe. So even if it’s the case where another data protection authority raises a reasoned reference as to why our decision on a certain case might be wrong, we’ll still be the lead authority in terms of conducting investigations and co-ordinating the view of others. So that’s the position as it’s going to remain under the final configuration of the one-stop shop.
AW: That hasn’t stopped other data protection regulators around Europe from taking cases against companies like Facebook in their own jurisdictions.
HD: The judgment of the Google Spain case has led some data protection authorities around Europe to assert that they have jurisdiction over Facebook and that their national laws are applicable on the basis that Facebook might have an advertising office in their particular state. I think that unless that’s tested in court, we ultimately don’t know if those assertions of applicable law will stand up. In terms of whether this is all right or wrong, there is an argument that it’s not desirable from a European point of view that Facebook should be facing investigations on the same subjects from five different authorities all at the same time.
But equally, there is a very strong argument that under the current directive, we are all independent and separate national data protection authorities and we must pursue what we each believe is correct in terms of vindicating the rights of data subjects over which we have responsibility. So it’s a very fluid situation. It has undesirable features from many points of view, but it’s the reality in terms of where we’re at.
AW: Do you think that an upcoming European Court of Justice ruling on the EU-US ‘Safe Harbour’ treaty [on standards that US entities must observe when dealing with European personal data] will affect your office’s responsibilities much?
HD: There probably won’t be a final outcome until later this year. In the meantime the [European] Commission is continuing its negotiations with the US in terms of improving any deficiencies in the Safe Harbour agreement. And on the 13 identified points, they have agreement on 11.
The two outstanding ones centre around surveillance and remain under negotiation. But I think there’s hope at Commission level that there will be a conclusion to those negotiations.
It’s also worth bearing in mind that Safe Harbour is only one, albeit maybe the most convenient, mechanism under which US companies transfer data out of the EU and the EEA. They can also avail of binding corporate rules which would, I imagine, be the case for many of the multinationals based here if Safe Harbour is struck down.
AW: You have said that the office will increase its staffing to 50 people this year. How far advanced are you in that process?
HD: We’re quite advanced. They will all be in place by the end of the year. One of the teams will be made up of security and technology auditors, specifically focused on conducting audits on organisations. This is to help speed audits up. One of the things we found when auditing big organisations such as Linkedin is that it is very detailed and can take a long time. So this is partly to help that process.
This story originally appeared in The Irish Independent. Reproduced with thanks.
Photo: Frank McGrath