Is Ireland taking its role as Europe’s data watchdog seriously?
Karlin Lillington: Data Protection Commissioner remains a barely-known quantity
Data Protection Commissioner Helen Dixon has yet to issue a single significant decision on the most high-profile issues facing the watchdog after four and a half years in office. Photograph: Cyril Byrne
Last week, this column considered fresh revelations regarding Facebook’s past efforts to lobby the Irish Government and influence policy, carried in a story in the previous Sunday’s Observer newspaper.
Documents relating to a California court case involving Facebook disclosed how its chief operating officer Sheryl Sandberg and others lobbied then-taoiseach Enda Kenny and government representatives on the General Data Protection Regulation (GDPR) regime, which Sandberg called a “critical” threat, and taxation policy.
Irish journalists had revealed a similar story two years earlier, based on Freedom of Information requests.
As I noted last week, while most corporate lobbying is, for better or worse, both legal and a business and political norm, the disclosures in the stories pose serious questions.
For example: how influential are large multinationals here? And to what extent might the Government act on behalf of such companies, and to the detriment of, say, European Union citizen protections contained in the GDPR?
Ireland is now the EU regulator for many of the world’s big data-gathering companies and the Government must be seen as a fair dealer, not the servant of multinationals.
But one part of that larger lobbying story was particularly alarming and deserves separate scrutiny. That’s the attempt by Facebook to influence the appointment of an Irish data protection commissioner (DPC), which was highlighted in the 2017 Irish coverage (though not the recent Observer piece).
According to Irish documents, Sandberg met Kenny several times over an 11-month period in 2014, with correspondence and numerous discussions focused on the pending appointment. Former DPC Billy Hawkes was due to retire in August of that year.
Numerous times, Sandberg pressed Kenny to make a Facebook-friendly appointment, in one letter noting “we are hopeful that his successor will be someone who will establish a collaborative working relationship with companies like ours”.
Facebook might be expected to express opinions on laws and policy but it was highly inappropriate to have meddled in the appointment of its own regulator. There’s no indication they backed any particular candidate but that doesn’t make the intervention less disturbing.
Need it be said that regulators are supposed to regulate? Not work in “collaboration” with the very companies they oversee. It’s unsettling, and remains revealing, that the company considered the end goal of regulation to be a sort of amiable partnership.
However, Facebook’s attempt to influence that appointment could occur only because the process at that time lent itself to improper intervention. The DPC position had been a direct, closed government appointment (even though the DPC has regulatory oversight of government departments).
Thankfully, the process has changed.
Now, as outlined in the Data Protection Act 2018, the process has shifted to the Public Appointments Service, which will consider applications made via an open process for an incoming three-person commission, which will replace the solo DPC role.
This is an important, positive move on several fronts. It increases appointment transparency, ensures the greater independence of commissioners, spreads the oversight workload to three people, and curtails attempts to lobby or influence appointment decisions.
Could we be missing the opportunity to become data governance leaders not just for Europe, but the world?
This is crucial as data protection grows internationally in visibility and importance, with Ireland cast in the role of prominent enforcer of data rights.
Independent senator Alice-Mary Higgins says data protection “is now very much an area of public governance as it cuts across so many areas of public life. That’s why it [the appointment process] needs independence and robustness”.
This is particularly important, she says, because Ireland’s role as data regulator for so many multinationals makes Ireland “the frontline for so many citizens of so many countries”.
Yet, we still do not seem quite committed to this role. For example, though current DPC Helen Dixon has opened numerous investigations and taken some cases to court, she has yet to issue a single significant decision on the most high-profile issues after 4½ years in office. From Facebook to the public services card, high-profile investigations have opened and remain open, years later.
The paucity of decisions means Ireland remains a barely known quantity as a regulator and has yet to articulate a regulatory stance, even as international expectation has grown following a litany of global data breaches. During a recent redesign, the DPC website even removed the archive of previous decisions.
Some initial decisions are promised for this summer.
With such an approach to regulating – one which continues to be seen by many international commentators as a reluctance to regulate, or regulate firmly – could we be missing the opportunity to become data governance leaders not just for Europe, but the world?
Consider the UK, the global hub for insurance regulation because it pragmatically seized that role centuries ago.
“As the insurance industry in the UK has learned over hundreds of years of trade, the best form of regulation isn’t weak, but predictable and reliable. They fund their very costly regulation through an industry levy. Companies literally pay to be well regulated because, long term, that is the best way to build trust in an industry,” says solicitor Simon McGarr, director of Dublin consultancy Data Compliance Europe.
He strongly believes Ireland is an obvious choice for a similar role in data protection. If so, Ireland needs to start adjudicating in a firm, confident, visible and timely way.