The man in Portarlington who protects people’s data

Differing European approaches pose challenges for data commissioner

Billy Hawkes, Data Protection Commissioner, Portarlington, Co Laois, Ireland. Photograph: James Flynn/APX

Billy Hawkes, Data Protection Commissioner, Portarlington, Co Laois, Ireland. Photograph: James Flynn/APX

 

Ireland’s success in the digital goldrush is visible to anyone who walks around Dublin’s Grand Canal Dock area, past the gleaming European headquarters of Google and Facebook.

But there’s another side to Ireland’s digital hub, on a roundabout outside Portarlington opposite the humming hulk of Odlum’s flour mill.

Ireland’s Data Protection Commissioner was established in 1988 but moved 80km outside Dublin in 2006 as part of the decentralisation initiative. When other agencies failed to follow, and decentralisation was dropped, the DPC’s temporary premises above a convenience store became its permanent home.

The DPC’s premises belie its importance under EU law. For instance, Facebook’s Dublin headquarters – and the data it collects on users from Dublin to Dubrovnik – come under the oversight of Portarlington. So Ireland is not just a tech hub, it is also a data protection hub – something not everyone in Europe is happy about.

With little fanfare, DPC chief Billy Hawkes, a soft-spoken but sharp-thinking former diplomat, has become a key player in a European debate now back in the spotlight after the revelations of Edward Snowden. It’s a challenging role .

First, he has to work with rules written long before Google or Facebook began offering their revolutionary services free of charge in exchange for the right to collect and sell on user information.

Second, radically different data protection standards around the continent – coloured by different historical experiences and legal norms – mean that, for Mr Hawkes, it can be “a bit bewildering” to understand all that is expected of him around Europe.

Data protection in Germany, for instance, is a human rights issue. German citizens have a constitutional right to privacy and control over their personal data, arising from disastrous experience of where a lack of control can lead.

Ireland has no such historical baggage, so data protection is often understood in a consumer rights context such as how to stop being bombarded with junk mail.

What this means in practice is clear on the train from Heuston station to Portarlington. Irish Rail’s policy of displaying passenger names above reserved seats – viewed as a convenience in Ireland – would prompt uproar from German privacy authorities.


Contrasting views
Given these contrasting views of the same issue, it’s clear that applying one set of European rules to such a slippery concept as data protection was always going to be a challenge.

So how is Ireland doing in its frontline data protection role? Ask around Europe and you hear varied opinions. Many are complimentary, particularly of the recent efforts during the Irish presidency to negotiate tough new European data protection rules. But there are critical voices, too: that Ireland is economically beholden to Google and Facebook and keeps them happy with light-touch and under-resourced data protection regulations.

In Portarlington, Mr Hawkes rejects all of these accusations vigorously. Ireland has learned from the banking crisis of where soft-touch regulation leads, he says. The commissioner has just been granted 10 extra staff – far from a given in this economic climate – to match its European responsibilities.

That most of the 1,000 complaints the DPC receives annually are resolved amicably is, he says, a success story. Choosing an amicable resolution of problems rather than a legal stand-off mean, he says, that his core staff of 30 – with the option of hiring in technical or legal expertise as required – is more than adequate, even when grappling with Dublin-based tech giants.

“People who would want you to wave a stick might say that proves you are a weak regulator,” he says. “On the contrary, I think it is good to use powers of persuasion backed up by enforcement powers.”

The Snowden affair has revived some European criticism of Ireland’s commitment to data protection. Of greatest concern is that, on the DPC’s watch, Facebook and other companies are illegally handing over European data to the US intelligence service.

Mr Hawkes’s remarks on RTÉ radio last month that the handover did not concern him is, according to his German counterpart Peter Schaar, symptomatic of Ireland’s “more broad interpretation” of EU data protection rules.

“Ireland is of the opinion that it shouldn’t apply the bridle too tightly – a different approach than here in Germany,” said Mr Schaar, the federal data protection commissioner.

Mr Hawkes suggests two separate issues have become blurred in the Snowden affair: first, the handover of information by US companies to law enforcement authorities and, second, the US National Security Agency’s alleged suck-up of unlimited data by tapping telecommunications lines. The DPC chief has no problem with the first, as they are covered by pre-existing legal provisions. Mr Schaar argues that Mr Hawkes “may be correct, from a position of Irish law” on this point “but even in the area of security, exceptions to [data protection] law have to be proportional”.


International standards
Mr Hawkes replies that, given the global nature of telecommunications, allegations of massive NSA line-tapping show the need for urgent agreement on international standards of what is reasonable and proportionate in this area. The Snowden affair has proven a “useful stimulus”, he said, triggering a push by Berlin to add a data protection protocol to the UN universal declaration of human rights.

But even before then, Mr Hawkes says the time has come for EU member states to consider whether their own data rules strike the right balance between security and freedom.

Of particular concern to data protection authorities around Europe are rules forcing telecommunications companies to retain user data for up to 24 months in case law enforcement authorities require them.

“We are in no position to be throwing stones at the Americans because of what we do,” says Mr Hawkes.

His Portarlington office faces a busy future: new European data protection regulations, likely to be agreed in the coming months, will bring greater responsibilty and scrutiny of the DPC by European colleagues. Despite their disagreements, both the DPC and its critics agree that, on data protection, closer European co-operation is the only way forward.

For the German Green MEP Jan-Philipp Albrecht, criticising the DPC is not about bringing the “renegade Irish” into line but about raising political awareness about an important issue.

“This is like the battle over labour law in the early 20th century,” says Mr Albrecht, European Parliament rapporteur on the new data protection regulation. “Politicians have forgotten how to fight these battles and have not yet found an answer because they still cling to the nation state idea, an idea that simply doesn’t work in a globalised and digital world.”
This article is the result of a collaboration between Die Zeit and The Irish Times