While the revelations of whistleblower Edward Snowden about the surveillance activities of the United States National Security Agency (NSA) extended tentacles into the related area of data protection in 2013, regulators in the European Union spent most of the year wrestling with proposals to harmonise the law across 28 member states.

A new EU regulation, first tabled in a proposal by the European Commission in 2012, would place new responsibilities on the regulators and also on businesses throughout the union.

Negotiations have stalled and the regulation is now unlikely to scrape through before the European Parliament elections in May. But the proposals still on the table would, in theory, place an extra burden on Ireland’s Data Protection Commissioner, Billy Hawkes.

The so-called one-stop shop mechanism would likely see him become the lead regulator in Europe for major multinationals with head offices in Ireland, including such companies as Facebook, Google and Apple.

In comments at a privacy conference in Brussels last month, Mr Hawkes indicated he did not relish the prospect of taking on the responsibility for regulating such multinationals for all citizens of the EU.



One-stop shop

Saying he would not view the one-stop shop “with any great enthusiasm”, he suggested it would draw resources from dealing with complaints about the likes of telecommunications firms and others, which are a greater source of complaints to his office by Irish citizens.

“However, as a good European, which I try to be, I do accept the logic of the one-stop shop and I will accept the consequences and the burdens that go with it,” he said.

Speaking at his office in Portarlington before that conference, Mr Hawkes said he was already prioritising for attention those companies operating across the EU for which processing of personal data was core to their activities.

“Depending on, obviously, the number of the companies involved – and certainly if many more companies were to declare to be established in Ireland for data protection purposes – we would require more resources to be able to discharge our oversight responsibilities.”

He welcomed what he said was a clear commitment by Minister for Justice Alan Shatter to ensure he was adequately resourced for any new responsibilities – though again it remains to be seen what will emerge.

Privacy campaigners such as the Austrian-based Europe v Facebook group believe his office has not been sufficiently robust in its enforcement actions.

The group, led by Max Schrems, is seeking judicial review of Mr Hawkes’s decision not to pursue complaints made to his office about the gathering of personal data under the NSA’s Prism programme from US firms based here. Mr Hawkes is also in the process of making formal decisions on 22 earlier complaints by the group relating to the privacy policies of Facebook, which underwent a major audit by his office two years ago.



Light-touch regulation

Mr Hawkes cautiously describes the approach taken by the complainants as “forceful” and, not for the first time, rejects the suggestion of “light touch” regulation by his office.

“One thing we certainly don’t have is a light touch,” he said. “We have a very rigorous approach to oversight of organisations but we do try to use the resources that are given to us in an intelligent way. It does not necessarily involve always hiring more people on our staff. It can also involve using outside expertise to help us in particular areas.”

His office is completing an audit of the online professional networking service LinkedIn, which has European offices here. This year it will carry out an audit of Apple Ireland.

Mr Hawkes points out that Irish citizens tend not to complain about companies such as Google, which control huge amounts of their personal data.

Google, which has its European office in Dublin, is facing a co-ordinated action by other European data protection authorities over changes announced to its privacy policies last year. It was recently fined €900,000 by the Spanish data protection authority, which said the “highly ambiguous” language Google used in its privacy policy made it hard for people to find out what would happen to their data.

The Dutch data protection authority also recently said some of Google’s policies were not in compliance with Dutch law. The company said it had engaged with both authorities to explain its policy and how it allows it to create “simpler, more effective services”.

“I think data protection law has a difficulty dealing with these so-called free services, where in fact the payment for the services is a licence to use your personal data. Based on the lack of complaints we receive from Irish people, Irish residents seem to accept the deal,” said Mr Hawkes.

“Such international research that has been done in this area does suggest – however you might like or dislike it from a privacy point of view – that people, faced with that type of choice, will accept that type of deal as opposed to having to pay for a service where there aren’t any ads or there’s no use of their data.”



Personal data

What people here complain about in increasing numbers is the refusal or failure of organisations to give them access to their personal data.

“I think we are likely to show, in terms of this year’s statistics, that denial of the right of access will probably be the top source of complaint. It will have supplanted spam – privacy in electronic communications – as a category,” Mr Hawkes said.

He has in the past linked this to the changed circumstances in which people find themselves due to the recession.

“I think we can certainly see the use of the right of access, for example, by lawyers representing individuals who, for example, may have issues with their financial institutions about mortgages and so on, or who may have issues with employers about possible unfair dismissal.”

Last year, his office took a number of prosecutions against companies in the telecommunications sector for unsolicited marketing – spam – by text, email and telephone. It also dealt with a huge data breach at the Ennis-based company Loyaltybuild. Some 1.5 million European citizens were affected by the hacking of that system, exposing data including credit card details in some cases.

“In terms of the number of people impacted, including outside of Ireland, it was definitely the most significant one we have dealt with,” Mr Hawkes said.

“We certainly are hoping that messages have gone out there far more broadly in terms of reminding organisations of the key message that you can outsource [data] processing but not your responsibilities.”