"I think the Irish data protection authority (DPA) performs its statutory role in a very unique context, given the presence of so many data-rich multinationals that service the entire European market from here. This means that the world's eyes are very much upon us all the time," said Data Protection Commissioner Helen Dixon.
She took up the role less than a year ago, when the office had 29 staff and was based in Portarlington, Co Laois.
Since then, Dixon has identified a number of priorities to address with her team in the coming years.
They include expansion, establishing a Dublin presence, improving the authority’s communication and customer service functions, driving better compliance and outcomes in terms of public sector use of personal information and improving international cooperation.
She outlined these goals and the office's progress in implementing them at a recent privacy conference in Maynooth University. The event brought together lawyers, technologists, industry experts and academics to discuss approaches to emerging privacy issues.
Expansion
Dixon said staff recruitment was “well under way” after the near doubling of the DPA’s budget this year to €3.65 million.
Ten new staff have started working in the authority’s temporary office in Dublin. Eight more, including a team of technologists and lawyers, will start in the next few weeks. The office’s new head of communications is scheduled to start in September.
“It is my own view, and one that’s widely shared in Europe, that the Irish office has been significantly understaffed in the past relative to its statutory role and compounded then by the presence of so many data-rich multinationals in Ireland. So this current round of recruitment and expansion is going to go some way towards addressing that historic issue,” she said.
At the conference, Dixon rejected past claims, particularly from regional data protection commissioners in Germany, that the under-resourcing was an intentional strategy by the Irish Government to attract multinationals to Ireland.
She said funding to all public bodies was being cut at a time when data-rich multinationals were building their operations in Ireland.
Communications
Dixon said improving the DPC’s communications function in general and its website in particular were things the office “needs to conquer”.
She said the website, which has “tons” of information and needs culling, also requires modernisation and better search capability.
Dr Eoin O'Dell, associate professor of law at Trinity College Dublin, said the appointment of a new director of communications to the office was very important. "The website needs improvement, and online channels like Facebook and Twitter need to be properly engaged with. Unfortunately, these things haven't happened in the past, and it's important they happen in the future."
Dixon said the improvements are a priority her office will deliver on over the next 12 months. She said she plans to include a section on the EU’s new data protection regulations “to start introducing stakeholders to the new legal framework . . . in advance of implementation”.
As to whether the office's communication plans include engagement over social media, Dixon told The Irish Times: "As highlighted in our recent annual report, one of my immediate goals is to improve the customer service, website and communications functions of the DPC, and this will certainly involve an examination of social media as a way of getting our message across."
Speaking at the conference, Dixon said the office had “a lot of work to do” on the customer service front, including its aim of “conducting its statutory role in as transparent and open a way as possible”.
As reported previously, the DPC uses an engaged approach with data controllers, rather than taking legal action in every instance.
Ideally, Dixon said, “the controller agrees to implement best practice recommendations before enforcement action is necessary. But what I think we need to do better at is somehow communicating on an ongoing basis how and what we are engaging in and what results are being delivered.”
Dixon said the Irish Data Protection Acts “oblige the Irish DPA to investigate every complaint” made by individuals against data controllers. She said more than half of these were subject access complaints, and that right-to-be-forgotten issues were a new stream where people can complain when search engines have refused to delist certain search results.
Challenges
“The obligation to investigate every complaint poses very significant challenges for the office, as it becomes obliged to investigate many issues that at their core have very little to do with data protection but which do have a personal data element to them,” she said.
“It seems to me that European regulators are expected to do many different things. Authorities are expected to investigate every complaint from every single individual that has any element of a data protection issue in it, whether that issue is still alive or not, and to mediate for an amicable resolution, and that’s a labour-intensive process.”
She suggested that “perhaps the complaint should be at a certain threshold of data protection at issue”.
Dixon said complaints often resulted from data controllers’ “poor handling of customer service complaints or, indeed, bad customer service in the first instance”. She said this often led to the customer making an access request of the controller, which consumes both time and resources.
“Good customer service and an effective complaints mechanism would relieve the overall administrative burden for everyone concerned and obviously assist the customer in achieving timely redress.”