Planned new procedure for data complaints a ‘mixed blessing’

Data Protection Commissioner Billy Hawkes says under planned EU regulation he could not take certain complaints from Irish citizens

Data Protection Commissioner Billy Hawkes told the IAPP Data Protection Congress in Brussels that under new proposals, he would not be able to take complaints from Irish citizens about companies with their main establishment elsewhere. Photograph: Bryan O’Brien/The Irish Times

Data Protection Commissioner Billy Hawkes told the IAPP Data Protection Congress in Brussels that under new proposals, he would not be able to take complaints from Irish citizens about companies with their main establishment elsewhere. Photograph: Bryan O’Brien/The Irish Times

Wed, Dec 11, 2013, 19:19

The Data Protection Commissioner would no longer be able to take complaints from Irish citizens about companies such as mobile phone providers which have their main operation in another member state under a proposed new EU regulation he said.

Billy Hawkes said he would instead become the responsible regulator for major multinationals based in Ireland but which don’t draw any complaints from Irish citizens.

Under the so-called ‘one-stop shop’ mechanism Mr Hawkes said he would have to refer complaints about telecommunications firms, for example, to the member state where they have their main establishment.

A series of such complaints against Vodafone, Meteor and Eircom before the Irish courts last week for unsolicited marketing offences resulted in total fines of €33,000.

The one-stop shop mechanism is a pillar of the proposed new European data protection regulation currently being negotiated by the Council, the European Commission and the European Parliament.

It contains several controversial provisions, including a proposal that companies processing data on more than 5,000 individuals in a consecutive 12-month period would have to appoint a data protection officer.

How the one-stop shop mechanism would operate is still unclear, but in theory it would mean major multinationals which have their headquarters in Ireland would come under the jurisdiction of the Irish Data Protection Commissioner’s office. This would make the office responsible for policing the regulation for hundreds of millions of EU citizens.

Mr Hawkes was speaking along with other European regulators at the International Association of Privacy Professionals (IAPP) Europe Data Protection Congress 2013 in Brussels.

On the question of whether local regulators were ready for the one-stop shop proposal, Mr Hawkes said it was more accurate to say his office was “getting ready” for the new situation.

He said he had been assigned extra resources to deal with the anticipated extra burden on his office.

Mr Hawkes said he thought the one-stop shop arrangement was a good idea “as a matter of principle”.

But from his point of view as Irish regulator it was “very much a mixed blessing, to put it very mildly”.

He noted he had several telecommunications companies before the courts in Ireland last week where they were fined in relation to unsolicited marketing.

He said “at least half” of those companies were subsidiaries of European multinationals.

“Under the one-stop shop arrangement, at least as I understand it, I would refer all of those complaints to the home supervisory authority of these telecommunications companies,” he said.

“That means I have to tell the Irish resident who complains to me ‘sorry, I can’t do anything for you but I will refer it to my colleague in member state ‘x’ and I’m sure she or he will do something about it’.

“On the other hand, what I do acquire responsibility for is a whole bunch of international, multinational tech companies – internet companies, which for whatever reason Irish residents don’t complain about. They seem reasonably happy with the way they are treated as individuals and that is just objectively the fact. I just don’t get complaints about them.

“So therefore, under the one-stop shop arrangement I have to further develop a huge chunk of my authority dealing with issues related to these companies which Irish residents don’t care about, but which other residents in Europe and other DPAs (data protection authorities) do care about.”

News - direct to your inbox

Which Daily Digest would you like?

Irish Times News