The Irish data official who serves as one of the globe’s most consequential privacy regulators rejects the idea that her office is a roadblock to efforts to reform Silicon Valley giants like Facebook. But she acknowledged the challenges of reining in a U.S. tech industry that has ignited a worldwide data revolution with few privacy protections baked in.
And Helen Dixon said the reality is it will take time to produce results from the 18 major technology investigations her office is pursuing — 11 of which involve Facebook or its platforms WhatsApp and Instagram.
“These aren’t matters where we can take in a complaint today and tomorrow make a conclusion on it," Dixon, Ireland’s data protection commissioner, said during an interview at POLITICO’s Washington-area headquarters. "They’re not overnight, and anyone who understands anything about the process understands it takes time."
Dixon's role is especially important because Ireland is the European home for many of the tech industry’s biggest firms, including Facebook, Google, Twitter and Microsoft. That means that under European Union law, Dixon is responsible for making sure they comply with the EU’s General Data Protection Regulation, a sweeping privacy rule that took effect last year.
In a POLITICO story published April 24, some activists and regulators in other European countries suggested Ireland was being too cautious and deferential to tech companies in enforcing the GDPR. But in the interview Thursday, Dixon painted her office as an aggressive and conscientious regulator attempting to build cases that will last.
Dixon was also incredulous at the accusation that Ireland has dragged its heels while other European regulators have gotten to work.
"Where is the evidence of enforcement by the French and Germans?” she said. “If we count up and look at our annual reports and look at the prosecution cases that we've taken, we're sometimes a little bit confused when we're told, 'Well, shouldn't you be more like Germany?' Because we're going, 'Can you point us to the enforcement that Germany has done?’”
Dixon was in Washington, D.C. — the second time in four weeks, she said — to keynote a major privacy conference, but also to accept the Senate Commerce Committee’s invitation to testify at its hearing examining how the U.S. might go about crafting its own comprehensive privacy rules.
The notion that her shop goes easy on Facebook because of its large footprint in Ireland is unfounded, Dixon said, and is balanced with complaints she says she hears that it is also going too hard against the company.
Her office is pursuing 18 major investigations targeting “big tech” companies, Dixon said. Of those, eight involve Facebook, on topics ranging from timely breach notification to whether the company is living up to its obligation under the GDPR to give users the right to access their data. Two involve WhatsApp and one involves Instagram — both Facebook-owned companies.
But there’s a reason for paying so much attention to Facebook, Dixon said: “We didn't think there would be so many significant data breaches announced by one company.”
Added Dixon, “At one point there was a new breach being notified to us under the GDPR every fortnight, and so we opened a consolidated investigation to look at, 'How could it be that one company is repeatedly suffering from these breaches?'”
The GDPR went into effect in the European Union on May 25, 2018, and Dixon argued that it takes time for the investigations it triggered to reach conclusions.
First, she said, her team needs to build a record of evidence of company behavior and then apply to that the high-level principles established by GDPR. "There's no page of the GDPR that I can open to and say, 'Oh, that's prohibited. Tick.'"
Companies then need to be given the right to respond. Only then, said Dixon, can the data commissioner's office move forward with a resolution to the case that can stand up before not only other European data regulators but in court.
Back at home, meanwhile, Facebook is facing a potential $5 billion fine as a result of its alleged violation of a 2011 consent agreement with the U.S. Federal Trade Commission. Dixon called comparisons with any potential penalty waged by her office “apples and oranges.”
Under the GDPR, companies like Facebook face penalties of up to 4 percent of annual worldwide revenue — a punishment that Dixon's office can levy more than once.
“While big figures have been bandied about in terms of a once-off settlement, the GDPR is going to be with us probably for another 20 years,” said Dixon. “And in each of the investigations, fines can be applied in each separate case.”
“As new issues keep arising, we'll keep investigating and pursuing,” she said. “So in a very theoretical sense, if we're forced based on a risk-based analysis to keep opening investigations, the fines are going to mount up over time.”
U.S. lawmakers, both Republicans and Democrats, are attempting right now to come up with some sort of national privacy legislation. Dixon said she avoids saying what, exactly, other countries’ data protection regimes should be.
That said, Dixon added: "We inherited the platforms in Ireland as exported from Silicon Valley, typically. When they were exported without the filter of a baseline data protection law, our job was then rolling back features and forcing a reverse engineering based on EU data protection laws. So if you have that filter before technology and innovation exports, potentially so much the better."
Article originally published on POLITICO Magazine