State’s data privacy watchdog finds bite after first year of handing out fines

As if there was not enough on her regulatory plate, mass remote-working during the pandemic has thrown up yet another area for Data Protection Commissioner Helen Dixon to monitor.

But there are even limits to how much the State’s already over-burdened and under-resourced privacy watchdog can oversee.

“There is no doubt that beyond data protection, all of this is an invasion of our privacy,” Dixon says of the societal change that has relocated many employees from offices to their homes.

“There is not an awful lot we can say on that front. It is really beyond the remit of the office.”

Irish Aviation Authority wins global safety award

---

Bord Gáis Energy owner eyes transformation as Irish revenue declines

---

EU to force multinationals to reveal tax filings as Ireland loses debate

---

Dixon is on the end of a video call, speaking about the DPC’s annual report for 2020, a year when, for the first time, the regulator was able to exercise its sweeping fine-imposing powers. These are aimed at protecting citizens in the State and across the EU as Dixon is the Big Tech privacy watchdog for tech multinationals serving European customers out of Dublin HQs.

The range of what she has to regulate is vast: from issues arising with shared computers and even what appears in people’s backgrounds on Zoom video calls during home-working to canvassing fellow EU regulators on the fines she thinks should be imposed on internet giants.

New technologies and fast, rapid changes in how we work, such as those thrown up by the pandemic, show how a regulator like the DPC will always, by its nature, be behind what needs to be regulated. As Dixon acknowledges, the regulator will always be “chasing” and “trundling” along” as an “ex-post enforcer” after whatever new technologies emerge.

The commission's 2020 annual report, published this week, covers everything from the 4,660 complaints the DPC handled under the EU's 2018 data protection law, the General Data Protection Regulation (GDPR), to the fine imposed on the Health Service Executive for patient hospital records being found in a Cork public recycling area or the garden of a Drogheda housing estate.

And then there is the ground-breaking €450,000 fine imposed on social media group Twitter, the first imposed under GDPR by the watchdog against a tech multinational from a cross-Border investigation, in December.

Witness testimonies

Pointing to the range of areas in the DPC’s 96-page report, Dixon says: “There is no aspect of Irish society and the affairs of EU persons, as they relate to EU platforms, that we are not involved in. The processing of personal data, including by automated means, is simply ubiquitous now.”

The handling of witness testimonies and taped audio interviews with the mother and baby homes commission and the standardised grades option in this year’s Leaving Cert exams are just two of the latest complex subjects the DPC has been asked for its opinion on.

“There is no end of things that society wants us to be involved in and so you need a strong and a large and appropriately structured data protection authority,” she says.

The fine imposed against Twitter shows the protracted and complex workload that Dixon and her staff must wade through to bring Big Tech to book for data breaches. However, there is an element of trying to herd cats to find consensus among 27 EU data protection regulators.

The one-stop-shop mechanism under GDPR, designed to make life easier for Big Tech companies in the EU, was set up to allow a multinational deal with one regulator in one country.

In many cases, because their EU operations are based in Dublin, this means the DPC.

Dixon’s draft decision in the Twitter case and her proposed lower range for a fine of €135,000-€275,000 was circulated among her fellow regulators through the “article 60” consultation process for objections to be heard. Various regulators objected with the German watchdog even proposing a fine of between €7 million and €22 million. Ultimately, the lack of consensus triggered an “article 65” decision, with the European Data Protection Board stepping in to settle the dispute.

Dixon says she has a 'pipeline' of investigation decisions or reports en route from inquiries into Facebook, Instagram, WhatsApp, Google and Verizon

In December, Dixon complained publicly that the round-the-houses process to reach a unified agreement had taken too long and been over-complicated.

Twitter case

Reflecting on the DPC’s landmark 2020 fine against Twitter this week, she says the case shows how the Irish regulator is not simply dealing with objections to a decision that it has imposed but it is dealing with objections that data protection authorities have among themselves.

"The reality of its operation is extremely challenging because you have 17 data protection authorities in Germany that don't all agree with one another. You have 27 EU data protection authorities that take different approaches to different issues," she says.

“While the idea of the one-stop shop is to spare the multinationals having to deal with all of these differences of approach in meeting the requirements of EU law, it really places a very significant burden on an authority like the Irish DPC.”

There is the addition complication of national data regulators “having the corners knocked off us” in legal challenges in their own courts and having their decision-making tested domestically.

Dixon concedes that the one-stop-shop mechanism that lands so much work at her door and those of her 145 staff is “a tough process” and a “challenging proposition”.

“It is a work in progress. It is something that takes up considerable resources,” she says.

But she is still a believer in the one-stop-shop mechanism and points to a view held by colleagues that it is “the pinnacle of a process that reflects all that is good about the EU project”.

She notes an European Commission review of GDPR last summer that calls for better co-operation around joint enforcement action and for member states to resource their data regulators properly.

Time and energy

There were some “logistical issues” in the article 65 process that could have been dealt with more simply, she says, such as the European board’s decision not to set aside “relevant and reasoned” objections of national regulators that ultimately “fell by the wayside”.

“That sucked up a lot of time and energy that was unnecessary,” she says.

She hopes the process will be faster now that EU regulators have responded with objections to the DPC’s second preliminary decision from a Big Tech investigation, against Facebook’s messaging app WhatsApp.

Among the other 27 cross-border inquiries into tech multinationals under GDPR, Dixon says she has a "pipeline" of six or seven more investigation decisions or reports on her desk or about to land on it from inquiries into Facebook, Instagram, WhatsApp, Google and Verizon.

Despite “downbeat challenges” she says that the DPC is “excited” following the long-awaited breakthrough fine in the Twitter case. This was “creating excitement for us now at the DPC that we have got our process, we are moving, we are going to be delivering outcomes,” she says.

Asked if this new phase of action might halt the criticism from her fellow EU regulators, who have questioned the effectiveness of the DPC, Dixon responds categorically: “Absolutely not.”

“When would the number of cases ever be enough that the Irish DPC would bring? If we bring six or seven more, they will want 12 or 13,” she says.

“We are always open to constructive feedback but some of the criticism comes from those that don’t deliver themselves. Some of the criticism is based on really superficial analysis of issues and really misses the point.”

All eyes remain on the DPC and how it takes on Big Tech. Solicitor Simon McGarr, a director of Data Compliance Europe, said the Twitter decision was "amuse-bouche" for what is coming; it was "a very good first test" but there are more substantive policy-driven decisions ahead.

‘Rubber hits road’

He believes blaming the Irish DPC for a lack of regulation of social media firms and Big Tech is “an excellent complaint” for another regulator under pressure from a domestic government or media for failing to take action against a social media or internet behemoth.

“This is the year that the rubber hits the road for the one-stop-shop mechanism,” he says.

Daragh O'Brien, managing director of data company Castlebridge, hopes the Twitter ruling leads to the "Pringles effect where once you pop, you just can't stop" and quicker enforcement.

But then there is the issue of resourcing.

Dixon's office has been transformed in her time since becoming commissioner in 2014. The DPC has grown from an annual budget of €3 million and fewer than 30 staff in offices above a Centra shop in Portarlington, Co Laois, to a regulatory body with a budget of €19 million and a workforce expected to surpass 200 by the end of this year in multiple offices.

O’Brien highlights the poor “optics” around the fact that the Government funds the greyhound industry with a larger budget than a major cross-border regulatory enforcer such as the DPC.

"David did take out Goliath with a slingshot so it is possible for a regulator with appropriate resourcing and skills – and is using resources as effectively and as efficiently as they can – to have a significant effect," he says.

McGarr suggests the State will ultimately have to look at funding its regulator better with an industry-wide levy.

As far as Dixon is concerned, the DPC is “fit for purpose” though she puts it back on organisations, in the public and private sectors, to encourage compliance and avoid enforcement by employing more data protection officers and by introducing risk measures around personal data so breaches cannot be blamed on “human error” as many of the unauthorised disclosures are.

Human error

The State’s child and family agency, Tusla, had the ignominious honour of being the first organisation to be hit with a fine under GDPR, with a €75,000 penalty in May followed by a further €175,000 in three fines over the remainder of the year. There were 75 breaches in all. One involved the agency unintentionally providing a person accused of child sex abuse with the address of the child who made the complaint and her mother’s telephone number.

Human error occurs and mistakes happen, she admits, but organisations must assess high-risk processes and design systems to prevent this, even if it is as low-tech as having two people instead of one checking what is being put in an envelope to be sent out to someone.

She describes the recent data privacy law infringements her office found against Independent News & Media over a 2014 data breach where data in emails belonging to journalists and executives, then current and former, was taken outside the country and trawled by a third party as "another classic case" of risk and security issues emerging around data processing.

In general, organisations will ultimately be held accountable either by the DPC – “the public enforcer” – or by individuals taking a legal route to protect their rights, she says.

In the second year of her second five-year term as regulator, Dixon is upbeat after a milestone year of fines, despite the increasing workload and complex challenges ahead.

“We have mountains to climb in front of us but that doesn’t take away from the fact that we are, step by step, moving forward, and taking the actions that we need to take in order to give effect to the GDPR, which is a project that is not going implemented overnight,” she says.