Ireland’s data protection commissioner works in eye of data storm

10 Sep 2013

Billy Hawkes, Ireland's data protection commissioner

Depending on which way he looks at it, Billy Hawkes, Ireland’s data protection commissioner (DPC), has either been blessed or cursed with being in the right or wrong place at an interesting time.

Ireland is in a position where, on the one hand, it’s home to the international operations of some of the biggest names in tech – Facebook, Google, Apple, Microsoft, Amazon, Twitter, and many others.

On the other hand, this puts Hawkes in the eye of the perfect storm. Plenty falls under his remit: from what social networks are doing with its users’ data, to what State organisations or businesses are doing with citizens’ information, to allegations from former CIA contractor Edward Snowden about an US intelligence organisation’s activities against ordinary internet users.

Future Human

Hawkes began working as a civil servant at the age of 19. His career has traversed stints at the Comptroller and Auditor General’s office, working on behalf of the Department of Foreign Affairs in Rome, Geneva, Lebanon and Saudi Arabia, and working at the Department of Trade and Tourism under now-Taoiseach Enda Kenny.

Hawkes applied for the job of data protection commissioner in 2005 and to his surprise, he landed the role.

Data protection commissioner’s role

Until recent years, Hawkes’ decentralised office in Portarlington, Co Laois, focused mainly on the data-protection aspects of Irish organisations. This included chastising and fining companies for intrusive marketing – think spam mail and SMS (short message service) – to addressing public and private-sector organisations that lose people’s personal information through data breaches arising from lost or stolen unencrypted laptops and phones.

The DPC’s approach is to ensure organisations know what their requirements are in terms of data protection, encourage them to comply, and talk to them, Hawkes said. All of that is backed up by enforcement, Hawkes added.

A bigger element of the commission’s job in recent years has been ensuring the public sector respects the DPC’s role when it comes to citizens’ privacy.  

Hawkes said a huge focus of the commission is communicating to public-sector employers the importance of correctly managing information, as well as ensuring those employers relay that importance to their employees.

The law obliges people to hand over personal information to public-sector officials so the DPC would hold those officials to a very high standard, said Hawkes.

“If there is any form of data sharing or access there has to be a very good reason (for it),” said Hawkes.

A recent example is the Property Tax, he added. The Office of the Revenue Commissioners has significant powers to access all sorts of data.

“In this instance, they just needed the name of the property owner and address of the house, not information on utility bills or whether people were paying them or not.”

Enter Edward Snowden

In addition, Snowden’s claims that the US National Security Agency (NSA) has allegedly spied on both US and non-US citizens’ internet activities with the alleged collusion of internet and telecoms giants has the potential to make Hawkes’ work all the more meaningful.

After privacy campaign group Europe-v-Facebook challenged the DPC, Hawkes said he will not investigate Apple or Facebook over the transfer of personal data to the NSA because the US has signed up to EU privacy principles via a Safe Harbor agreement.

Companies that sign up to these principles agree to ensure EU standards of data protection will continue to be applied even if that data is transferred to the US.

The European Commission has indicated it is reviewing the Safe Harbor agreement in light of the Snowden revelations, Hawkes said.

As to whether Irish citizens have anything to fear with regards to cyber snooping by spy agencies, Hawkes said the evidence so far suggests Irish people are rarely on the radar.

While the situation is not entirely clear, Hawkes said, the evidence the DPC has from global companies like Facebook and Google suggests that access to user data is only granted in response to specific requests and that usually only basic subscriber information is revealed.

The number of requests from US authorities to such companies also seem relatively small, said Hawkes. For example, Facebook received 11,000-12,000 requests for user data in a six-month period from a range of US authorities, from the NSA down to local sheriffs. (The corresponding number of data requests by Irish law enforcement to the social network is 34.)

The information leaked by Snowden also suggests the US has sought access to very little information in Ireland, said Hawkes.

It is also clear that while such companies grant foreign law-enforcement authorities access to data, not all requests are granted, said Hawkes.

Number of requests for data

To put the figures into context, access by Irish law enforcement, mainly the gardaí but also potentially the Army and Revenue, to data held by telecommunications companies under Irish data-retention law is running at about 10,000 requests per year.

Snowden’s revelations aside, the DPC became global news in its own right after spearheading a global privacy audit of all of Facebook’s activities outside the US.

The agency began a major audit of Facebook Ireland in 2011 after Europe-v-Facebook lodged 22 complaints over privacy settings and how data is handled. After the audit, Facebook Ireland agreed to a range of “best practice” improvements, including the removal of a “tag suggest” feature for photographs.

The DPC’s next major feat of auditing will take in LinkedIn, Apple, Twitter and other companies.

Hawkes said his impression of Facebook and other social networks based in Ireland is that they are, in fact, keen to comply and demonstrate they have done so.

“Social networks, as their name implies, are about sharing information. Users choose themselves what information to share and with whom,” said Hawkes.

“The focus in our audits has been on ensuring that users are given clear information on how to choose the audience for such personal information and also on the extent to which the social network will use such information to deliver targeted advertising.”

Hawkes said that in these recessionary times, some smaller firms are tempted to opt for lower-cost options like SMS and email marketing to sell goods. “What you need to realise about Irish people is they view their mobile phones as their personal space. Irish people get very annoyed if they are marketed to in this way.”

Data security

The DPC has also focused on the standard of data security in such networks, including their procedures for dealing with law-enforcement requests for access to user data.

In general, the DPC has found the social networks to be receptive to the need for good quality information to users and robust security measures, said Hawkes.

He added that users of social networks also need to take responsibility for their actions and to be aware of the viral effect of social media.

Education and information seem to be the key, said Hawkes.

“Social networks are now an integral part of the normal day-to-day communication between individuals,” he said. “Those individuals need to fully appreciate the difference between talking to your friends face-to-face and doing it on a platform where you leave a record.”

There has been a shift in this area in what people consider to be private, Hawkes said.

“If you want to reveal all about yourself to the world, that’s your right but you should know the possible consequences. Schools and parents are playing an important role,” he said. “It may be more challenging to get parents or grandparents to understand the ‘rules of the game’ in the new era.”

While this new era presents new privacy and data challenges almost daily, Hawkes said he is confident that firms that fall under his jurisdiction will comply.

Every year, the DPC sets targets for the companies it wants to audit.

“If you are operating on a global basis but fall under our jurisdiction, our first task is to audit you and get to know the nature of the data you are processing,” said Hawkes. “If you are not listening, then we have powers to force you to comply with legal requirements.”

A version of this article appeared in The Sunday Times on 8 September

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years