Data protection chief must not distance herself from complainants
Disengaging from individuals could open Ireland to a sanction by European courts
In a recent speech, Data Protection Commissioner Helen Dixon referred to some solicitors as “digital ambulance chasers”. Photograph: Cyril Byrne/The Irish Times
In a recent speech, Irish Data Protection Commissioner Helen Dixon set out her perspectives on data protection supervision – putting her on a collision course with the European Commission and the Court of Justice of the European Union.
At the Irish Centre for European Law annual Data Protection Conference, Commissioner Dixon expressed frustration at the lack of clear objectives for data protection and a failure to detail the harms it is designed to mitigate.
The commissioner went on to criticise the large number of complaints received by her office which, she said, were really proxies for disputes between different parties and had only a marginal connection with data protection issues.
Solicitors were singled out as “digital ambulance chasers” for bringing volumes of complaints of little apparent merit and using subject access requests for fishing expeditions in litigation.
Ms Dixon made it clear that she doesn’t think she should be obliged to consider every complaint received by her office and that she thinks the resources currently committed to investigating individual complaints would be better used examining systemic data protection issues.
So, should – or indeed can – the commissioner distance herself from individual complainants?
In my view, she cannot and should not.
To do so would not only require an amendment to European law, which guarantees such a right, it would also be a missed opportunity to engage with individuals in order to close the apparent gap between the general nature of data protection rules and the public’s understanding of the protections that it offers.
In disengaging from individuals, the commissioner would miss an essential aspect of data protection supervision, inevitably resulting in a standard of data protection supervision in Ireland below that set by European law.
Consequently, such a move could open Ireland to a sanction by the European courts.
To see why, it must be understood that data protection touches on every aspect of our lives – as consumers buying goods and services, citizens participating in a democratic society and as neighbours in our communities.
Data protection owes a lot to the experience of many millions of Europeans who lived in authoritarian communist regimes.
It values individual protection over pure self-interest, by setting moral boundaries to how our personal data may be used.
However, these boundaries are always specific to individual circumstances and can change over time. Crucially, data protection law doesn’t lend itself to absolute rules or codified, measurable objectives.
As such, the progressive nature of data protection law brings it into conflict with the conservative free market view that personal data is just another commodity that can be traded for profit.
There are similar conflicts with state bureaucracies looking for easy ways to exert control or deliver privatised public services.
The obligations on data protection supervisors, when hearing individual complaints, were spelled out by the Court of Justice of the European Union in the well-known Google Spain case, which concerned the so-called right to be forgotten, (i.e. the right of individuals to have certain links removed from internet searches on their names).
The court first noted that everyone has a right to make a complaint to an independent supervisor, such as our Data Protection Commissioner.
It then went on to find that interference with data protection rights, if sufficiently serious, cannot be justified on purely economic grounds but only with reference to other fundamental rights such as the right to freedom of expression.
Law is vague
Critically, in making a complaint, an individual is not required to demonstrate that they have been prejudiced.
Finally, the court stressed the importance of context. It noted publication by a search engine of personal data already legally published on the internet may nevertheless interfere with an individual’s rights.
Similarly, publication of personal data may cease to be justified with the passage of time.
So, if the law is vague and context dependent, how can the use of personal data be regulated and why are individual complaints so important?
Data protection places a high value on individual protection balanced only against other fundamental rights.
To regulate at the standards demanded of European law, a data protection supervisor must embrace the progressive ideals of this moral framework and engage in empathic dialogue with individuals to build a common shared understanding of data protection norms.
It is only through stepping into the shoes of individual data subjects that data protection supervisors can really give effect to the individual balancing of interests that is demanded.
Trivialising complainants and attacking their advisors is not the way forward.
If resources are truly an issue then Ms Dixon needs to press the State to fullfil its obligation to provide them.
Dialogue with individuals rather than distance is what is required.
It would be a serious mistake to remove the individual right to complain to the commissioner’s office.
Fred Logue is a partner in FP Logue Solicitors