It has come a long way from having just 26 staff in an office next to a Centra in Portarlington but not far enough if the State’s personal-data protector has to police a new European Union law that covers 500 million citizens.
Anyone monitoring an email inbox over recent weeks will understand the scale of the task facing Helen Dixon, the Data Protection Commissioner, and her now 100-strong staff as they oversee how businesses are complying with the EU's General Data Protection Regulation (GDPR) after it comes into effect today.
The deluge of emails from businesses – everything from restaurants once booked online to obscure newsletters mistakenly clicked on – seeking consent to hold on to personal data (a requirement of the new regulation) shows the extent to which the law applies to how information is collected, stored and shared.
Failure to comply with the law by deleting or handing back data could land you in Dixon’s in-tray.
Now, with the implementation of the rules, the focus turns to how she will enforce that law and whether she will use the punitive sanctions it grants her as she monitors some of the world’s biggest technology companies and their activities in Europe.
For social media companies such as Facebook, Google and Twitter, whose European headquarters in Dublin puts their compliance with the EU law under Dixon's remit through a "one-stop-shop" mechanism, the stakes are sky high.
Under the rules, the regulator can impose fines as large as €20 million or 4 per cent of global turnover, whichever is higher. In Facebook’s case, that could amount to a fine of €1.4 billion based on the firm’s 2017 turnover of €34 billion.
Enforcement
The law aims to rebalance the relationship between businesses and individuals for the internet age, giving people more control over their own personal information and forcing companies to take responsibility on how they use it. Critical to the law working is how it is enforced and that is the work of regulators such as Dixon.
That will come down to resources. Against the likes of Facebook with its teams of data protection officers and lawyers protecting a company with a market value of €500 billion stands Dixon’s office with a budget of just €11.7 million.
"Are we significantly enough resourced?" she asks in an interview with The Irish Times on a call from Berlin where she is attending a conference. "The answer to that is that it all depends what member states want in terms of enforcement of this important and critical new law that is designed on the one hand to build trust in the digital economy in Europe and on the other hand to protect fundamental rights of individuals."
Last year, in a budget submission, the Data Protection Commission (DPC) pleaded for more money and staff. The office warned about GDPR making 2018 "existentially critical" to the reputation of the Irish regulator and of Ireland "as a country that takes its obligation seriously to fund a professional and internationally respected data protection regulator".
The office stressed a variety of reasons why it needed more money: from the “spotlight of intense international scrutiny” to legal costs over-running by €700,000 as a result of cases in Irish and EU courts, to problems at its Georgian headquarters on Fitzwilliam Square in Dublin which has been running “at full capacity” since the first half of 2017 – with 40 staff in an office intended for 30.
EU scrutiny
Dixon acknowledges that “many eyes are watching us at an EU level” in terms of resourcing. Her supervision of many of the world’s largest multinationals has brought scrutiny and a demand for accountability from Germany, she says.
In response, a sevenfold budget increase sent a signal that Ireland is serious about data protection and “building resources that we need and contributing to what I call the EU Team GDPR” from being “significantly under-resourced” when she joined in late 2014, she argues.
“We have become a much more visible, a much more credible data protection authority in the EU, a voice that is listened to,” she said.
A 2017 study by law academics at Leiden University in the Netherlands found that data protection authorities in Ireland and Germany had the largest budgets in the EU relative to their GDP. They described the Irish regulator’s budget increase as “most remarkable” – more than doubling between 2015 and 2017.
Still, some feel Dixon’s office has not gone far enough, given that the commissioner has never been sufficiently resourced to police laws dating back to 1988.
The DPC has been “chronically under-resourced for the last 30 years”, given the breadth of entities that it regulates with the staff it has, says Daragh O’Brien, managing director of Dublin-based data privacy company Castlebridge. That includes thriving against the odds of decentralisation to Co Laois in 2006 and a shoestring budget thereafter, he notes.
The work of a data policeman under the new law is potentially endless. Many disputes will have a data protection dimension, as the current CervicalCheck scandal has revealed with the withholding of information from patients.
“You have to measure the DPC’s resources against not just the Irish population but the number of users of firms who have headquarters in Ireland,” says TJ McIntyre, a law lecturer at UCD and chairman of Digital Rights Ireland. “And when you take that factor into account, we are still probably very much at the lower end of what we need.”
Those regulated under GDPR will included everything from taxis with technology to monitor journeys and video-record passengers to fitness devices and watches that track fitness, calories and sleep. That means no regulator might have sufficient resources to investigate compliance and respond to complaints.
“The Central Bank at the time of the crash had 500 staff covering financial services regulation – monitoring banks and insurance companies. The Data Protection Commissioner has banks, insurance companies, wedding photographers, fish-and-chip shops and Google and Facebook [to monitor], and they have 100 staff,” said O’Brien.
Dixon says the Irish regulator is not out of kilter with EU counterparts but believes that all data protection authorities have to be bigger. The commission’s own budget submission last year cited the French data protection authority (CNIL) with 200 staff and the UK Information Commissioner’s Office, the biggest data protection authority in the world, with 450 staff, as examples of how they compare with Ireland.
“The level of resourcing for this regulator is high by European standards for data protection commissions but no other European country has the level of data processing to manage that Ireland has,” said Simon McGarr, a solicitor and director of Data Compliance Europe.
He points to London’s status as the global insurance centre supported by “enormous regulatory spend” as a “good model” that should be followed here to cement Ireland’s reputation as an international technology hub.
Pressure on the Irish regulator to meet the demands of the new law will come in other ways. GDPR aims to simplify the regulatory environment across the EU by simplifying the rules. Dixon will have follow to a new EU decision-making body, the European Data Protection Board. That creates a mechanism for regulators in other countries to have a say in how the Irish commissioner handles cases for them.
Dixon has described this union as “existentially fundamental for EU data protection authorities” creating a “very significant psychological and operational change”.
In her speech to the Berlin conference, she likened the union to a marriage with the European Commission acting as a “highly influential” mother-in-law. She warned that if the authorities don’t mature and accept that “lifestyles have to change,” then “rancour and dysfunctionality and divorce will ensue”.
This relationship means that the Irish commissioner could come under pressure if Germany or France thinks Ireland is failing to get it right in protecting the data of their citizens.
Staff numbers
Dixon herself believes her office needs, at a minimum, to double her current number of staff to 200 to cope with “handling the numbers of transactions at a reasonable pace that I anticipate I will get”. She anticipates tens of thousands of data breach notifications each year, up from close to 3,000 currently.
“The question is: what volume of transactions can we simultaneously deal with? If we want to work faster, we need a lot more resources and we should have greater resources,” she said. She intends to apply to Government for another significant budget increase in 2019, she says.
The new law arrives against the backdrop of heightened awareness around data protection issues, including a suspected high-profile data breach at Independent News & Media, controversy around a public services card and international tensions over data harvesting of Facebook users for political profiling by the now defunct Cambridge Analytica in the election of Donald Trump.
The DPC’s publication of an investigation raising concerns about the handling of personal information on patients in hospitals just days before GDPR comes into effect is not seen as coincidental. It showed a proactive regulator scoping out a potential problem in public bodies.
Specialists in the sector voice concern, however, that the Irish regulator does not have the culture or sufficient (or enough suitable) staff yet to show the necessary investigatory desire to be taken seriously as a credible international regulator.
For her part, Dixon points to the commissioner's 2,600 "section 10" investigations on potential data protection law breaches last year, its role in High Court litigation involving Facebook and Austria privacy activist Max Schrems, and more than a dozen legal proceedings being appealed against her office by data subjects or controllers as demonstrating the commissioner's skills and resources to take on investigations and complex cases.
While she believes she will need much more staff, she is satisfied that she has recruited the right staff, bringing in technologists and lawyers trained in fair procedures with criminal law backgrounds. And, from today, she will have attention-grabbing fines at her disposal.
Her aim, as GDPR dictates, is for “effective, proportionate and dissuasive” enforcement. While making an example of a high-profile company early on is not a tactic Dixon will deliberately pursue, a well-known company could be an early target.
“It may well, of course, be the case that there ends up being a high-profile organisation in scope for the first significant enforcement action simply because those organisations have huge number of data subjects and, potentially, in some cases pose significant risks,” she said.
The industry generally fears regulators out to make a name for themselves by dragging companies through the courts rather than establishing rules that companies can follow.
Dixon’s approach to future workloads – setting out five legal frameworks into which issues crossing her desk could now fall – suggests she will travel this route but take a careful, staggered approach: an enforcement notice directing action (delete/stop processing/stop transferring data) by a particular date or else face a fine.
Consulting and co-ordinating with fellow data protection regulators may slow deliberations further and could throw up the first post-GDPR complications if one regulator acts unilaterally on enforcement.
All this might grant a grace period for individuals and businesses but data protection experts believe that time will be limited.
“If you get a slap on the wrist on Monday, that might be the last slap on the wrist you get,” said data protection specialist Daragh O’Brien. “Next it will be a slap on your wallet.”
The Regulator: Ireland’s Data Protection Commissioner
Annual budget
2014: €1.8 million
2015: €3.6 million
2016: €4.7 million
2017: €7.5 million
2018: €11.7 million
Staff
2014: 26
2015: 48
2016: 65
2017: 85
Currently: 100
End 2018: 140 (estimated)
End 2019: 180-200 (estimated)
The Regulated: multinationals
Annual turnovers (2017)
Google: $110 billion
Facebook: $40 billion
Twitter: $2.4 billion
LinkedIn parent Microsoft: $90 billion