The man in Portarlington who protects people’s data
Differing European approaches pose challenges for data commissioner
Billy Hawkes, Data Protection Commissioner, Portarlington, Co Laois, Ireland. Photograph: James Flynn/APX
But there’s another side to Ireland’s digital hub, on a roundabout outside Portarlington opposite the humming hulk of Odlum’s flour mill.
Ireland’s Data Protection Commissioner was established in 1988 but moved 80km outside Dublin in 2006 as part of the decentralisation initiative. When other agencies failed to follow, and decentralisation was dropped, the DPC’s temporary premises above a convenience store became its permanent home.
The DPC’s premises belie its importance under EU law. For instance, Facebook’s Dublin headquarters – and the data it collects on users from Dublin to Dubrovnik – come under the oversight of Portarlington. So Ireland is not just a tech hub, it is also a data protection hub – something not everyone in Europe is happy about.
With little fanfare, DPC chief Billy Hawkes, a soft-spoken but sharp-thinking former diplomat, has become a key player in a European debate now back in the spotlight after the revelations of Edward Snowden. It’s a challenging role .
First, he has to work with rules written long before Google or Facebook began offering their revolutionary services free of charge in exchange for the right to collect and sell on user information.
Second, radically different data protection standards around the continent – coloured by different historical experiences and legal norms – mean that, for Mr Hawkes, it can be “a bit bewildering” to understand all that is expected of him around Europe.
Data protection in Germany, for instance, is a human rights issue. German citizens have a constitutional right to privacy and control over their personal data, arising from disastrous experience of where a lack of control can lead.
Ireland has no such historical baggage, so data protection is often understood in a consumer rights context such as how to stop being bombarded with junk mail.
What this means in practice is clear on the train from Heuston station to Portarlington. Irish Rail’s policy of displaying passenger names above reserved seats – viewed as a convenience in Ireland – would prompt uproar from German privacy authorities.
Given these contrasting views of the same issue, it’s clear that applying one set of European rules to such a slippery concept as data protection was always going to be a challenge.
So how is Ireland doing in its frontline data protection role? Ask around Europe and you hear varied opinions. Many are complimentary, particularly of the recent efforts during the Irish presidency to negotiate tough new European data protection rules. But there are critical voices, too: that Ireland is economically beholden to Google and Facebook and keeps them happy with light-touch and under-resourced data protection regulations.
In Portarlington, Mr Hawkes rejects all of these accusations vigorously. Ireland has learned from the banking crisis of where soft-touch regulation leads, he says. The commissioner has just been granted 10 extra staff – far from a given in this economic climate – to match its European responsibilities.
That most of the 1,000 complaints the DPC receives annually are resolved amicably is, he says, a success story. Choosing an amicable resolution of problems rather than a legal stand-off mean, he says, that his core staff of 30 – with the option of hiring in technical or legal expertise as required – is more than adequate, even when grappling with Dublin-based tech giants.