Tough challenges ahead for new Data Protection Commissioner

What does Ireland need from its new Data Protection Commissioner?

We now know who has replaced former Commissioner Billy Hawkes, who retired from the role in August: civil servant Helen Dixon, who up until now has been registrar with the Companies Registration Office.

Prior to that, she was a principal officer in the Department of Enterprise, Trade and Innovation. She also worked for US technology company Citrix at its Europe, Middle East and Africa office in Ireland, as manager of Technical Support Services.

Pivotal point

She comes to the role at a pivotal and daunting point. Never have the issues of data protection and personal privacy had such high profile. Along with media coverage of repeated breaches of data in this country and internationally, the general public has had more than a year of leaks from the trove of documents obtained by former US government contractor and whistleblower

Edward Snowden

.

Those – revealing a shocking degree of large scale surreptitious digital data gathering on ordinary citizens by US and UK surveillance agencies – have rattled international relations.

In particular, the revelations have spurred the EU to push for more restrictions on access to its citizens’ data and greater national and international oversight.

On the US side, elected representatives, privacy organisations and the general public have demanded explanations and more transparency in how law enforcement agencies acquire and use personal data.

And, somewhere in the middle, with their exact involvement still a mystery, sit many multinational companies – especially in the technology and online sector – which handle teraflops of data from customers and service users around the world, every day.

Some are known to have passed data to US agencies, with many of these continuing to request they be given permission from the US government to reveal more about what they are asked for, and when and how they complied. Others state they had no idea US and UK agencies were siphoning off their users’ data.

In this tense atmosphere, the EU has signalled that it will bring in a more restrictive and clearly defined Data Protection Regulation next year. This must by transposed directly, not piecemeal as had been the case with the existing directive, which came out of legislation in a pre-internet era.

All indications are that the EU will require data misuse complaints against companies be referred to the Data Protection Commissioner in the EU state in which the company has its European headquarters.

Ireland is the European home to the vast majority of those big and small multinational technology firms likely to be the focus of many data complaints and investigations, such as the huge social network and online search and service companies.

Already, Ireland's Office of the DPC has been tasked with high-profile investigations and reports on Facebook, widely covered by the global media.

The initial investigations stretched the office of the DPC – which had lost many employees in austerity departmental cuts – to its organisational limit.

The office was expanded again, however, in recognition of the increased burden.

Meanwhile, the DPC must also keep a close eye on the domestic situation, the data breaches, illegal selling of information, hacking cases, unlawful gathering, storage and and misuse of personal data here. Its international role cannot siphon off its protective obligations at home.

Without question, to be effective in this complex situation, the most important requirement for the incoming DPC is independence. The DPC cannot be too close to government – especially given that some of the most egregious data leaks and misuse cases in recent years have come from government departments and agencies. Nor can she be best friends with the commercial sector, or, it must be said, privacy advocates.

She needs to have a deep understanding of the positions and the opinions in all those segments, but will have to find proportionality – the balancing out of demands and obligations.

But she cannot rely simply on the proportionality of one’s personal opinion. She will have to find a felicitous balancing point that considers what is legally right – meaning she must be au fait with a daunting array of legal statutes surrounding data privacy, companies law and law enforcement – and what is morally sound.

In other words, laws always leave room for interpretation, as recent European Court of Justice rulings around data privacy have shown.

A sound knowledge of the law must be her starting point in making judgements and that includes human rights law, as the ECJ has made clear in its own rulings.

Issues likely to arise

Decisions must also be able to live not just in the moment, with application to specific cases, but also look ahead at how they might be applied.

Given the sector in which so many issues are likely to arise – technology and internet businesses – this is extremely tricky and requires of the DPC, not just a working knowledge of technologies and internet developments, but also the ability to envision potential data scenarios of the future.

Decisions made now will determine whether we value and respect, or erode and undermine notions of personal privacy that have been at the heart of how nations have defined human rights for hundreds of years.

International experience

Ideally, given data protection’s complexities, a DPC should have a background in having worked in some area of data protection, and it isn’t clear if this is the case with the new DPC. And, ideally, a DPC should have international experience, as so many decisions within Ireland will have ramifications here and abroad.

And – very difficult indeed – the DPC must get it right for the economy here, too. Because of its huge number of multinationals (IDA Ireland says 40 per cent of inward investment from Silicon Valley comes here), Ireland will be the de facto legal interface between the companies that are here or which may choose to come in the future, and the European data protection environment.

Ireland must somehow both uphold the privacy and data protection rights granted to all EU citizens in data protection and human rights law, and facilitate a stable, transparent and fairly structured but not overly finicky or punitive regulatory ecosystem.

Companies may not be happy with all of the protection requirements placed upon them in Europe, which holds them to a higher standard than in the US. But the reality is that they will work within what is demanded of them, and will far prefer an oversight system that is fair and clear.

Thus the DPC needs to understand she can be resolute on protecting citizen rights, while also keeping Ireland attractive to foreign direct investment. FDI, as well as a strong startup culture, does not require lax or “light” regulation; it requires clear and well-interpreted regulation.

Given her strong government and business ties, with largely Irish experience in her background, the new Data Protection Commissioner will start from a position of having to prove that she will not prioritise one set of interests over those of citizen rights and privacy concerns.

On the other hand, she brings to bear a masters in governance and European economic and public affairs, a background in computer science and inside experience of technology multinationals.

How that mix works in practice will become apparent quickly in this extremely demanding, public, and internationally rigorous role.