European one-stop shop for privacy will rely on ‘consistency mechanism’

28 Jan 2013

John O'Connor, partner at Matheson (left), with Billy Hawkes, Irish Data Protection Commissioner

Ireland’s Data Protection Commissioner Billy Hawkes – who is working with Facebook to ensure the social network meets its global privacy obligations – said today that while the idea of a “one-stop shop” on data protection for multinational companies operating in Europe is attractive, all data protection authorities will need to adhere to the ‘consistency mechanism’ if it is going to work.

Hawkes was speaking at a seminar on privacy and data protection organised by law firm Matheson.

He said that if a one-stop shop data protection and privacy mechanism for multinationals to adhere to was going to work, it is essential for all data protection authorities to rely on the relevant data protection authority in a given country to vindicate rights of all EU citizens.

He said the draft regulation put forward by the European Commission addresses the importance of uniform application of the law within the EU to ensure the free movement of data.

It enshrined the individual right to protection of personal data and insists on the need for greater transparency about what information is being collected, how it is being used and give each citizen greater control over what happens to their data.

“The particular challenges of the online world are addressed head-on with the new right to move your data from one platform to another.

“The ‘right to be forgotten’ is also given concrete expression in a strengthened right to have personal data deleted and an obligation on those who collect such data to state clearly for how long they will retain data.

“And last but not least there is the strengthened right to redress if an organisation fails in its duty to the individual,” Hawkes said.

He said that in the course of his own work, many European multinationals are serving Irish citizens with a plethora of financial and telecoms services while US multinationals have chosen Ireland as a base from which they can serve the EU.

But many companies complain that while there is a common EU law, this law is being interpreted differently in member States.

He said the new regulation will provide greater clarity over which data protection authority has primary oversight responsibility.

Greater powers for European data commissioners

Hawkes said that now all data protection authorities will have the same “teeth” when it comes to dealing with firms who put marketing over consumer privacy.

“It has often been put to me that, when cold commercial decisions have to be made on issues such as marketing, a bottom-line question is ‘what’s it going to cost me if I don’t comply?’ The answer ‘€1m or 2pc of worldwide turnover’ should cause even the most hardened CEO to have second thoughts about taking risks in this area,” Hawkes said.

However, Hawkes cautioned that these powers be used sparingly so as to encourage firms to consult with data commissioners.

“In the Irish data protection authority, we always make clear that we prefer to help companies to comply rather than have to deal with the consequences of non-compliance.”

He said that as the new powers weave their way through the legislative process in council and Parliament, it is essential that all data protection authorities are willing to rely on the relevant data protection authority to vindicate the rights of all EU citizens, not just those of its own member State.

“For this, it will be essential that the ‘consistency mechanism’ works as intended to ensure uniform application of the law.

“It will also be essential that data protection authorities have the resources necessary to carry out their broader European oversight responsibilities. This is a key issue for us due to the large number of multinational companies handling personal data that have substantial operations in Ireland.

“As made clear by [Justice] Minister Alan Shatter after he chaired the informal meeting of EU justice ministers earlier this month, achieving significant progress on the legislative ‘package’ is one of the priorities of the Irish Presidency of the Council of Ministers. 

“Getting data protection law right is important in order to give concrete expression to the right to protection of our personal data and to do so in a way that does not inhibit innovation in the rapidly changing internet world we live in,” Hawkes said.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years