The Data Protection Commission – some thoughts
Politico Europe ran a story yesterday that painted the Irish DPC in a light we hadn’t seen in a number of years. I was quoted in the article in two places and the impression could be drawn that I endorsed or backed the editorial angle of the piece, which seemed to be hell-bent on establishing that the Irish Government and the DPC were in thrall to the big tech companies.
As with many things, life is not that straightforward, and the quotes attributed to me may have lost context in their translation, given I had spoken to Nicholas Vinocur many months ago. And when I spoke to him, I was clear that there was nuance in the position of the Irish DPC which needed to be understood and the position of “kowtowing to big tech” was an oversimplification that was headline friendly but did an immense disservice to the staff in the DPC.
The position of the DPC is not helped by the fact that the Irish Government sometimes seems to forget that they are an independent body and that independence is enshrined in EU Treaty. A few years ago, the Department of Enterprise went so far as to include them in a list of “agents of State policy” for job creation. That was an inexcusable error. Of course, the optics of the association of the Office with various technology companies or with Government FDI strategy are often difficult to manage, and they recently fell foul of this with a trip to the US where they appeared to be acting in concert with our FDI agency, the Industrial Development Authority (IDA).
The position of the DPC is also not helped by the fact that it is taking so damn long to get the other shoe dropped on regulatory enforcement actions. But when we peel back the covers on this, it is difficult not to have sympathy for an organisation that has seen a significant increase in staffing, a large amount of internal change, and a significantly evolving regulatory environment they are responsible for. Sympathy should not, in this context, be confused with acceptance, however. The Office needs to do better.
But Ireland has had previous examples of hasty action in regulatory matters which have resulted in the powers of Regulators being challenged or curtailed. Indeed the previous holder of the office of Data Protection Commissioner, Billy Hawkes, famously lost an appeal by a former Minister for Justice with regard to unauthorised disclosure of personal data, which has left us with the slightly bizarre situation that if a person is told something verbally without it being recorded in electronic or written form, the disclosure of that is not unauthorised processing under the Data Protection Act.
We also have a Common Law legal system in which an entity that is prosecuted by the DPC has a right of appeal, and a right to a presumption of innocence no matter how baldly obvious to the dogs in the street the facts of the case might seem. This is a frustrating check and balance, but it is a key part of our criminal justice system. In that context, the DPC does have to follow some procedures for the investigation of complaints and the gathering of evidence to ensure that the standard of proof for action is met. And, while I am often at pains to grumble about the slow pace of action by the DPC, I am equally vocal about the bizarre positioning of other regulators as role models fixing the world.
For example, while the ICO, Liz Denham, is lauded for her high profile actions against Facebook, Cambridge Analytica, and SCL, one has to ask what exactly has been achieved? In her haste to be seen as a strong regulator she announced on the TV news she’d be getting a search warrant, a process that took nearly a week, giving Cambridge Analytica a few days to dispose of documentation etc. In contrast, the Irish DPC has launched (at last count) 16 investigations into Facebook, and has appointed staff specifically to manage that block of investigations, indicating a “gloves are coming off” mindset, albeit one that has to work within the legal structures that constrain the investigative and prosecutorial functions.
Do I believe the Irish DPC is perfect? No. I don’t. And I probably never will, because there will always be something that can be improved on in the structure, resourcing, skillsets, and engagement models of any regulatory body. Do I think Helen Dixon is the person for the role? Well, she was adjudged the best candidate in an open international advertised competition and, contrary to what was written in the Politico article, she has had experience as a Regulatory enforcer, albeit in the slightly less fast-paced world of company law compliance as the Registrar of Companies. I often wonder if I would receive similar criticism if I was in that role given I would inevitably be cast as an “industry insider” given my former role in the Regulatory function of a telco.
Much has been made in recent years of the lag between DPC audits of Facebook in 2011 and Facebook making changes. In the real world of IT projects, sometimes it can take that long to get changes made. Also, it’s worth considering whether any other Regulators took action to review or investigate Facebook during that time, and whether or not Facebook would have acted faster if there had been 26 other regulatory voices backing up the concerns raised by the Irish DPC, who at the time had a total of 30 staff.
Finally, I am irked by the lazy rehashing of the “Regulator above a shop” meme that was old news back in 2011 and is now just incorrect news. The DPC budget is now 10 times what it was in 2014. There are two offices in Dublin city centre to accommodate the increased staff. And, frankly, it simply shouldn’t matter where the office of a Regulatory body is. The focus should be on the effectiveness and the results of that Regulator, with consideration given to the factors that might affect that.
Do I have concerns about the optics of the DPC being associated with industry groups such as CIPL or FPF who draw funding from US tech companies? Yes, I do, but I share those concerns about ALL EU regulators who engage with lobbyists and think tanks. Unfortunately this is a necessary evil in regulatory contexts and just needs to be carefully managed. Proverbs involving the need for long spoons when dining with certain folk spring to mind.
Do I think the DPC could do better in closing low-hanging fruit cases and speeding up the throughput of investigations and enforcement actions? Yes. But that is a function of staffing, experience, and evidence gathering.
Do I think the DPC could do more to engage with Irish civic society organisations like Digital Rights Ireland in a constructive manner? Yes.
Do I think the DPC could improve their support of DPOs in Public Sector and Private Sector organisations with actual enforcement and with guidance on how to handle the conflicts that can arise? Yes (and this is especially important for Public Sector organisations).
Do I think the DPC favours tech companies over others in an effort to support an advantage for Ireland? No. And I was clear with Politico that that was my view. Ireland has lots of other advantages and we are beyond the point where we would profit from being seen as “light touch”. But the optics are challenging.