Tough challenges ahead for new Data Protection Commissioner

Helen Dixon takes on new role at a pivotal time for data protection and personal privacy

Never have the issues of data protection and personal privacy had such high profile

Never have the issues of data protection and personal privacy had such high profile


What does Ireland need from its new Data Protection Commissioner?

We now know who has replaced former Commissioner Billy Hawkes, who retired from the role in August: civil servant Helen Dixon, who up until now has been registrar with the Companies Registration Office.

Prior to that, she was a principal officer in the Department of Enterprise, Trade and Innovation. She also worked for US technology company Citrix at its Europe, Middle East and Africa office in Ireland, as manager of Technical Support Services.

Pivotal point

Edward Snowden

Those – revealing a shocking degree of large scale surreptitious digital data gathering on ordinary citizens by US and UK surveillance agencies – have rattled international relations.

In particular, the revelations have spurred the EU to push for more restrictions on access to its citizens’ data and greater national and international oversight.

On the US side, elected representatives, privacy organisations and the general public have demanded explanations and more transparency in how law enforcement agencies acquire and use personal data.

And, somewhere in the middle, with their exact involvement still a mystery, sit many multinational companies – especially in the technology and online sector – which handle teraflops of data from customers and service users around the world, every day.

Some are known to have passed data to US agencies, with many of these continuing to request they be given permission from the US government to reveal more about what they are asked for, and when and how they complied. Others state they had no idea US and UK agencies were siphoning off their users’ data.

In this tense atmosphere, the EU has signalled that it will bring in a more restrictive and clearly defined Data Protection Regulation next year. This must by transposed directly, not piecemeal as had been the case with the existing directive, which came out of legislation in a pre-internet era.

All indications are that the EU will require data misuse complaints against companies be referred to the Data Protection Commissioner in the EU state in which the company has its European headquarters.

Ireland is the European home to the vast majority of those big and small multinational technology firms likely to be the focus of many data complaints and investigations, such as the huge social network and online search and service companies.

Already, Ireland’s Office of the DPC has been tasked with high-profile investigations and reports on Facebook, widely covered by the global media.

The initial investigations stretched the office of the DPC – which had lost many employees in austerity departmental cuts – to its organisational limit.

The office was expanded again, however, in recognition of the increased burden.

Meanwhile, the DPC must also keep a close eye on the domestic situation, the data breaches, illegal selling of information, hacking cases, unlawful gathering, storage and and misuse of personal data here. Its international role cannot siphon off its protective obligations at home.

Without question, to be effective in this complex situation, the most important requirement for the incoming DPC is independence. The DPC cannot be too close to government – especially given that some of the most egregious data leaks and misuse cases in recent years have come from government departments and agencies. Nor can she be best friends with the commercial sector, or, it must be said, privacy advocates.

She needs to have a deep understanding of the positions and the opinions in all those segments, but will have to find proportionality – the balancing out of demands and obligations.

But she cannot rely simply on the proportionality of one’s personal opinion. She will have to find a felicitous balancing point that considers what is legally right – meaning she must be au fait with a daunting array of legal statutes surrounding data privacy, companies law and law enforcement – and what is morally sound.

In other words, laws always leave room for interpretation, as recent European Court of Justice rulings around data privacy have shown.

A sound knowledge of the law must be her starting point in making judgements and that includes human rights law, as the ECJ has made clear in its own rulings.

Issues likely to arise

Given the sector in which so many issues are likely to arise – technology and internet businesses – this is extremely tricky and requires of the DPC, not just a working knowledge of technologies and internet developments, but also the ability to envision potential data scenarios of the future.

Decisions made now will determine whether we value and respect, or erode and undermine notions of personal privacy that have been at the heart of how nations have defined human rights for hundreds of years.

International experience

And – very difficult indeed – the DPC must get it right for the economy here, too. Because of its huge number of multinationals (IDA Ireland says 40 per cent of inward investment from Silicon Valley comes here), Ireland will be the de facto legal interface between the companies that are here or which may choose to come in the future, and the European data protection environment.

Ireland must somehow both uphold the privacy and data protection rights granted to all EU citizens in data protection and human rights law, and facilitate a stable, transparent and fairly structured but not overly finicky or punitive regulatory ecosystem.

Companies may not be happy with all of the protection requirements placed upon them in Europe, which holds them to a higher standard than in the US. But the reality is that they will work within what is demanded of them, and will far prefer an oversight system that is fair and clear.

Thus the DPC needs to understand she can be resolute on protecting citizen rights, while also keeping Ireland attractive to foreign direct investment. FDI, as well as a strong startup culture, does not require lax or “light” regulation; it requires clear and well-interpreted regulation.

Given her strong government and business ties, with largely Irish experience in her background, the new Data Protection Commissioner will start from a position of having to prove that she will not prioritise one set of interests over those of citizen rights and privacy concerns.

On the other hand, she brings to bear a masters in governance and European economic and public affairs, a background in computer science and inside experience of technology multinationals.

How that mix works in practice will become apparent quickly in this extremely demanding, public, and internationally rigorous role.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
Error Image
The account details entered are not currently associated with an Irish Times subscription. Please subscribe to sign in to comment.
Comment Sign In

Forgot password?
The Irish Times Logo
Thank you
You should receive instructions for resetting your password. When you have reset your password, you can Sign In.
The Irish Times Logo
Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.
Screen Name Selection


Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
Forgot Password
Please enter your email address so we can send you a link to reset your password.

Sign In

Your Comments
We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.