Planned new procedure for data complaints a ‘mixed blessing’

Data Protection Commissioner Billy Hawkes says under planned EU regulation he could not take certain complaints from Irish citizens

Data Protection Commissioner Billy Hawkes told the IAPP Data Protection Congress in Brussels that under new proposals, he would not be able to take complaints from Irish citizens about companies with their main establishment elsewhere. Photograph: Bryan O’Brien/The Irish Times
Data Protection Commissioner Billy Hawkes told the IAPP Data Protection Congress in Brussels that under new proposals, he would not be able to take complaints from Irish citizens about companies with their main establishment elsewhere. Photograph: Bryan O’Brien/The Irish Times

The Data Protection Commissioner would no longer be able to take complaints from Irish citizens about companies such as mobile phone providers which have their main operation in another member state under a proposed new EU regulation he said.

Billy Hawkes said he would instead become the responsible regulator for major multinationals based in Ireland but which don't draw any complaints from Irish citizens.

Under the so-called ‘one-stop shop’ mechanism Mr Hawkes said he would have to refer complaints about telecommunications firms, for example, to the member state where they have their main establishment.

A series of such complaints against Vodafone, Meteor and Eircom before the Irish courts last week for unsolicited marketing offences resulted in total fines of €33,000.

READ MORE

The one-stop shop mechanism is a pillar of the proposed new European data protection regulation currently being negotiated by the Council, the European Commission and the European Parliament.

It contains several controversial provisions, including a proposal that companies processing data on more than 5,000 individuals in a consecutive 12-month period would have to appoint a data protection officer.

How the one-stop shop mechanism would operate is still unclear, but in theory it would mean major multinationals which have their headquarters in Ireland would come under the jurisdiction of the Irish Data Protection Commissioner’s office. This would make the office responsible for policing the regulation for hundreds of millions of EU citizens.

Mr Hawkes was speaking along with other European regulators at the International Association of Privacy Professionals (IAPP) Europe Data Protection Congress 2013 in Brussels.

On the question of whether local regulators were ready for the one-stop shop proposal, Mr Hawkes said it was more accurate to say his office was “getting ready” for the new situation.

He said he had been assigned extra resources to deal with the anticipated extra burden on his office.

Mr Hawkes said he thought the one-stop shop arrangement was a good idea “as a matter of principle”.

But from his point of view as Irish regulator it was “very much a mixed blessing, to put it very mildly”.

He noted he had several telecommunications companies before the courts in Ireland last week where they were fined in relation to unsolicited marketing.

He said “at least half” of those companies were subsidiaries of European multinationals.

“Under the one-stop shop arrangement, at least as I understand it, I would refer all of those complaints to the home supervisory authority of these telecommunications companies,” he said.

“That means I have to tell the Irish resident who complains to me ‘sorry, I can’t do anything for you but I will refer it to my colleague in member state ‘x’ and I’m sure she or he will do something about it’.

“On the other hand, what I do acquire responsibility for is a whole bunch of international, multinational tech companies – internet companies, which for whatever reason Irish residents don’t complain about. They seem reasonably happy with the way they are treated as individuals and that is just objectively the fact. I just don’t get complaints about them.

“So therefore, under the one-stop shop arrangement I have to further develop a huge chunk of my authority dealing with issues related to these companies which Irish residents don’t care about, but which other residents in Europe and other DPAs (data protection authorities) do care about.”

Mr Hawkes said that speaking strictly as the Irish data protection commissioner, with “what you might say (is)a blinkered view” he would not view the one-stop shop “with any great enthusiasm”.

“However, as a good European, which I try to be, I do accept the logic of the one-stop shop and I will accept the consequences and the burdens that go with it.”

The regulation, designed to harmonise data protection laws across all 28 member states, was first proposed by the European Commission in January 2012. Following difficult negotiations, a compromise text was finallay approved by the civil rights committee of the European Parliament last October.

That draft is now the subject of negotiations between the European Council, the Commission and the Parliament. Talks stalled on the one-stop shop issue at the justice council last week.

About 700 privacy professionals have gathered for the four-day event.The increase of 45 per cent in attendance compared to last year is an indication of the speed at which the privacy sphere and developments in data protection law are growing worldwide.

Earlier, Julie Brill, a commissioner of the US Federal Trade Commission, strongly defended an agreement between the US and EU governing the transfer of personal data to the US by certain companies.

The so-called Safe Harbor mechanism approved by the European Commission in 2000 was designed to ensure consumers based in the EU had an adequate level of protection for their personal data when it was transferred to the US by companies based in the union.

The framework came under pressure from advocacy groups, from European Parliamentarians and from the European Commission itself earlier this year following the revelations of widespread surveillance of personal data by the US National Security Agency.

The commission recently reviewed the arrangement and, while it decided not to suspend it, made a number of recommendations for how it might be improved.

Ms Brill said the path we chose next would have significant consequences and would define the scope of protections for important privacy rights and help determine in some small part the future of the transatlantic relationship.

Asking whether the US and EU would be able to work together to meet 21st century privacy challenges in a way that would both protect consumers and spur innovations, Ms Brill said she believed the answer was ‘yes’.

“We need to develop and preserve mechanisms that will protect existing flows of information while at the same time protecting consumer privacy,” she said.

Acknowledging that recent revelations about government surveillance had “created tensions in the transatlantic relationship”. Ms Brill said she believed the recent revelations “should spur a separate and equally long overdue conversation about how we can further enhance consumer privacy and increase transparency in the commercial sphere”.

European Commission vice president Neelie Kroes was also to address the event but cancelled due to illness.

Delivering her speech, her head of cabinet Constantijn Van Oranje-Nassau said what was needed was not to ignore the risks posed by new technologies, but to understand them.

He said we needed to ensure that new technologies were designed to respect privacy, “without the law becoming a straitjacket to innovation”.