Extra data protection staff needed

Thu, Feb 9, 2012, 00:00

Data Protection Commissioner Billy Hawkes has said his office cannot take on an expanded role that would oversee the activities of the many major multinational companies headquartered here without additional resources.

His office would become the 'hub', or designated supervisory authority for the activities of such companies, under a new EU regulation likely to come into force within the next three years.

Speaking at the annual data protection conference of the Irish Computer Society in Dublin today, Mr Hawkes noted the audit his office carried out on Facebook last year.

The European headquarters of the social networking company is in Dublin and the audit drew substantially on the commissioner's resources last year, he said.

The office currently runs on a budget of less than €1.5 million a year, with 22 staff.

"Our experience of auditing Facebook's European activities has brought home to us the heavy responsibility that will be placed on us if, as can be expected, we end up as the designated supervisory authority for the European activities of many multinational companies," Mr Hawkes said.

"We obviously could not discharge that responsibility with our existing level of resources."

The draft EU regulation proposed by EU commissioner Viviane Reding last month provides for the concept of a 'one-stop shop', whereby a multinational company that has offices in a number of countries would be regulated by the one in which it has its headquarters.

Facebook has already formally opted to be under the jurisdiction of the Irish Data Protection Commissioner. Other multinationals with their European headquarters here include Google.

Speaking to The Irish Times, Mr Hawkes said the Facebook audit last year had "brought home to us that we would require significantly more resources" if his office were to become formally responsible to the rest of Europe for the data protection practices of other multinational companies that have established their headquarters here.

"It's essentially part of the 'Ireland Inc' agenda. The IDA has been very successful in attracting these companies - including some very information-rich companies - to Ireland."

He said the quid pro quo, as for the financial services area, was that the State had to demonstrate it was in a position to regulate them to European standards.

"These standards are going to be made more stringent under the European law."

Mr Hawkes estimated that up to a quarter of his office's resources were devoted full-time to the Facebook audit for its three-month duration last year.

"That's obviously not something we could sustain going into the future. We are also responsible for the things that Irish people are more usually concerned about, such as what employers are doing with their data, what schools are doing and so on.

“So to discharge the domestic responsibility which our office is currently geared to, as well as discharging European responsibilities, is clearly going to require more resources."

This would particularly include specialist resources.

UCD's Centre for Cybercrime provided the commissioner's office with a full-time staff member to help with the Facebook audit.

But Mr Hawkes said his office could not rely on the benevolence of outside organisations in the future.

Today's conference at Croke Park is the 4th annual Data Protection Conference hosted by the Irish Computer Society.

Speakers include specialists in IT and data protection law, as well as representatives of the telecommunications sector and Government departments.

The society today launched the Association of Data Protection Officers to represent people working in this field. Its website is dpo.ie.