Helen Dixon: Compliance on data protection needs ‘constant vigilance’

Watchdog stresses engagement over enforcement with large firms like Facebook

Helen Dixon: “Other privacy regulators in Europe now are asserting jurisdiction over Facebook in certain cases.” Photograph: Cyril Byrne / THE IRISH TIMES

Engagement with Irish-based multinationals such as Facebook and LinkedIn remains a "constant task for vigilance" and engagement on the new products and services they roll out, Data Protection Commissioner Helen Dixon has said.

Publishing her annual report for 2015 this week, Ms Dixon said her office's interaction with both companies had resulted in changes to products, either through design or how they were presented to customers.

In relation to Facebook, the report said the company announced additional functionality in September 2015, following “intense engagement” over a number of months. This allowed users opt out of online behavioural advertising through the Facebook service itself.

Asked if her office had considered any enforcement action against either company over products and services, particularly in light of actions taken by other data protection authorities in the EU, Ms Dixon said: “We are very committed to this approach of engaging with the multinationals, not simply waiting for them to arrive at a point of contravention where we have to chase after them retrospectively. We do firmly believe the way in which we work with them produces much better safeguards for data subjects.”


Facebook is currently appealing a ruling in Belgium that ordered it to stop storing data from people who don't have an account with the social network, or face a €250,000 daily fine. At issue is the consent required for the company's use of the so-called Datr cookie, which Facebook says it uses to protect its platform and users' data against "malicious attacks".

Ms Dixon said her office had seen a number of “wins” with Facebook and LinkedIn last year. “In terms of whether they’re in compliance, these multinationals are acquiring other companies at a rate of knots.”

They were constantly amending their services and their privacy policies.

“I don’t think anyone at any moment in time can ever say an organisation is in compliance.

“This is a constant task for vigilance,” Ms Dixon said.

On how frequent the office’s contact with the multinationals was, Ms Dixon said: “It’s daily, it’s weekly. They’re in and out and they are proactively seeking our engagement because their services are not static.”

"Other privacy regulators in Europe now are asserting jurisdiction over Facebook in certain cases, or in particular the Belgian regulator has been looking at that Datr cookie.

“I suppose it remains to be seen arising out of that investigation whether the Datr cookie passes the test for necessity under the e-privacy regulations and therefore doesn’t require notice in the same way or whether notice is required and it’s appropriate to what Facebook is offering. We’ll never be saying ‘they’re all in compliance – tick’.”

Deputy Data Protection Commissioner John O'Dwyer said the office did not yet know whether issues would arise from the acquisition by Microsoft of LinkedIn.

“All those are constantly discussed in our interactions with the multinationals.”

Among the companies and organisations targeted for audit by the office last year were Adobe, Aer Lingus, Allianz, Zurich Insurance, the State Claims Agency, Bank of Ireland, Axa Insurance, Aviva Insurance, Ulster Bank, AIB, Start Mortgages, Marks and Spencer, Woodies DIY and the Dublin Bikes scheme.

The office also took part in the third Global Privacy Enforcement Network privacy sweep in 2016, examining 18 apps and websites either targeted at or popular among children.

Ms Dixon said the Schrems case before the Court of Justice of the European Union had caused her office to deploy "significant" resources to a "lengthy and complex" investigation that was still ongoing.