Ireland's part in ensuring tougher standards on data privacy

NET RESULTS:THANKS TO an Irish report issued last week, Europe gave its clearest indication yet that companies whose business revolves around handling data about individuals – in this case, Facebook – will have to adjust operations to fit Europe's tougher standards on data privacy.

Facebook came under the scrutiny of the Irish office of the data protection commissioner (DPC) last year after numerous complaints across Europe about its handling of personal data. Ireland got the job of handling the complaints because Facebook has its European headquarters here.

Significantly, the company agreed to turn off or change some features, such as automatic face detection and tag suggestions, in Europe. It also appears that many changes Facebook has made to allow all users greater control over their data developed out of adjustments made to meet European requirements specified by Ireland.

While the DPC made clear that Facebook had at all times worked positively with its office, the report last week indicated there were ongoing issues needing oversight.

The case will have been closely watched by companies doing business in Europe, but especially by other social media and online companies that routinely manage user data and are trying to build business models around marketing information about users.

The case was also watched by European justice commissioner and vice-president Viviane Reding, who in January proposed a major overhaul to Europe’s outdated 1995 data protection legislation which, as she pointed out during a visit to Dublin this week, was created when Facebook’s founder, Mark Zuckerberg, was just eight years old.

Her regulations would create a “one stop shop” of consistent data regulation across all 27 European member states, allow citizens a “right to forget”, where they can ask companies to delete their data if they are no longer using a service such as a social media site, let citizens port their data to a new site, and impose significant fines on companies guilty of data breaches.

At a seminar this week with Ms Reding, Ireland’s data protection commissioner, Billy Hawkes, said his office approached the Facebook investigation as “a prototype” of best practice for how the new regulations might work.

“I am looking at what the regulators do with this case, and other cases,” the Commissioner told me after a speech in Dublin to the Institute of International and European Affairs. She is still concerned about Facebook and additional privacy concerns that have arisen recently, such as possible leakage of private messages onto users’ public profiles, advertising profiling and further plans for face recognition.

Earlier, at another meeting, she had noted that she was not sure that companies such as Facebook realised how important data protection was, and that she felt the European Commission and national data protection authorities “were going to have to remind them time and time again”.

“What does this show to me? This shows that our companies – those that operate on European territory – have to make data protection an inbuilt system. So the message is, don’t think you can do whatever you want. There are rules, and these rules are going to be even more precise,” she says.

But she is adamant that data protection rules – which she repeatedly has said must balance citizen rights against a supportive business environment and security concerns – are good business, too. “I believe it is a very good business model, to go out and say, hey, give your data to me because with me, they are going to be protected. I think businesses should take the business model of ‘I care for your data’. Respecting your property could be the business model of the future.”

Some details of the proposed regulations still need to be determined. Reding said the commission would publish a “clarification” next week on how the regulations should apply to cloud computing.

Given our poor past record in the area of data protection – such as the sneaky way in which our governments have pushed through onerous, anti-privacy and anti-business legislation on the storing of private citizen data, and in potentially allowing surveillance by businesses of internet users – facilitating agreement on the proposed regulations would be a gift for Irish citizens too, and perhaps signal a more enlightened approach to data protection here in future.