At the IAPP’s Data Protection Intensive in London in April, the IAPP sat down with Irish Data Protection Commissioner Billy Hawkes to discuss the ins and outs of a regulator’s daily life on the job, the impending regulation, do-not-track and how he relaxes when he’s not regulating multinational giants headquartered in Ireland.

Hawkes’ office has been busy in the last year preparing for the revised EU data protection regulation, which would see his office take on broader oversight responsibilities as a large number of multinational companies are headquartered there, including Facebook Ireland, among others. Hawkes has asked the Irish government for additional resources in light of this, and says the government has assured him his wish will be granted.

Hawkes is a family man, with three children: two sons, 18 and 17, and a daughter, 21.

Irish Data Protection Commissioner Billy Hawkes at the IAPP Data Protection Intensive in London.

What did you do before you were a DPA?

I was for many years a civil servant. I spent many years working in the Irish government service. My longest stint was in the Irish Foreign Service, I was there for 20 years. I did stints in the Department of Commerce and Finance as well. And then I applied for a competition for data protection commissioner, and much to my surprise got through and was appointed by the government in 2005.

Did you sort of have to learn as you went along when it came to privacy?

Absolutely, when I was trying to figure out ‘why did they possibly choose me over other people,’ I suppose there were aspects of my background that were relevant: my 20 years in the foreign service, including some periods dealing with human rights, and I also spent a period as an insurance regulator. If you look at those two aspects of my past career, I suppose they were of some relevance to the job I’m doing.

What’s a regulator’s day actually like? Are you busy writing fines? Doing audits on site?

The day can be quite varied. We’ve got very good colleagues working in our office and they do a variety of things. They deal with people complaining their data protection rights are being interfered with, and we try and resolve those complaints by contacting the organizations concerned. Usually we resolve them amicably without using enforcement powers, but, if we have to, we use enforcement powers. We also have an active audit function, which goes out to companies and state entities and sees how they are actually complying in practice with data protection law. Then we do outreach activities in terms of talking to organizations about data protection issues they are facing.

We have an active help desk, we also go out and give a lot of presentations; we talk at the IAPP. We also provide various published guidance materials and try and keep our website up to date. We also work with the media. It’s a mixed bag. But the whole objective is to increase the degree of compliance and best practice in data protection in organizations based in Ireland, which also include some U.S. multinationals that have set up their European base in Ireland.

As privacy is increasingly in the news, are complaints on the rise?

Yes, we do see a significant increase in complaints and people asserting their rights more perhaps than in the past, and that’s partly due to knowledge of their rights and – particularly under European law – the right to access all of your information if you want to. That can be particularly helpful in all sorts of circumstances, including when people might be fearful about their jobs, they might want to know would they have a case for unfair dismissal, so they can use the right of access in different contexts. So we do see that.

We also see greater media focus on privacy and more discussion on privacy in terms of our concepts of privacy changing: Are there intergenerational gaps about the Facebook generation versus the older generation, how should we view people who reveal an awful lot about themselves on social networks? What’s the role of data protection authorities when they choose to reveal the information? There’s obviously a huge educational thing, but is that something that’s best done through the schools in terms of getting across to people? You need to be mindful of what you’re saying, because once something’s on the Internet it’s very very hard to get rid of it.

What’s the fastest way a company can negatively attract your attention?

First of all, we learn about it oftentimes when there’s an avalanche of complaints about them. That means there’s something going wrong at that company and we’ll be on the job pretty quickly. We’re also very alive to other sources of potential concern, like the media reports on companies doing certain things; we obviously track those.

Also, in our audit program, we try to get a balance between entities in the public sector and the private sector, and we have a particular focus on companies that hold a lot of information that could matter to people, like the States’ social security administration and tax administration; in the private sector you have businesses like banks and insurance companies. We also try and draw lessons for those sectors. For example, we have a code of practice for the insurance industry, which basically takes the data protection principles and says in practice, in your industry, that’s how we expect you to behave. It’s a process of drawing on different information we have coming to us from different sources we have and trying to always reach for a situation where across the board in orgs in Ireland there is a consciousness of people’s rights to protection of their data and there’s a good level of compliance with that right.

There’s lots of talk about this One-Stop-Shop aspect of the proposed regulation. How might that impact your office? Especially with so many companies headquartered there? Can your office take on that type of burden and responsibility if that is handed down to you?

First of all, we expect it will be handed down to us in one form or another. We already have that responsibility in relation to some U.S. multinationals, which have clearly established their European headquarters in Ireland and clearly stated that the relationship with users is with the Irish entity rather than the U.S. entity. I suppose Facebook-Ireland is the best example; its user relationship for all users outside North America is with the Irish entity. It has its European headquarter in Ireland and a strong compliance function in Ireland. It clearly stated it wished to comply with European law, as transposed into Irish law, and therefore we prioritized them for audit because we were conscious of having a much broader responsibility to a much broader user base than, for example, if we’re auditing a school or something which is solely local. It also reminded us of the challenge involved in auditing and overseeing an information-rich company like that; it did absorb a good deal of resources.

Thankfully, the government recognized that there is a resource requirement, they have given us more resources to deal with the responsibilities that go with having these companies here setting up their one-stop shop and we’ve got a public commitment from the government that we’ll be given such resources as we need to adequately do the job. I think there’s a consciousness in the government that there’s a duty to properly regulate these companies to European standards, and to do that, the data protection authority needs to be properly resourced.

Let’s talk about differences in enforcement approaches between Europe and the U.S. Many feel the EU takes a stricter approach, but the FTC has been ramping up investigations and fines lately. Is the U.S. in fact weaker in terms of regulatory efforts?

Obviously the big difference is in Europe we have a comprehensive system of privacy protection with dedicated authorities for enforcement of that right. And in the U.S. you have a sectoral approach, with, in many cases, stronger and more effective enforcement in those sectors. I mean the FTC has leveraged its authority in relation to consumer protection to take very effective action in the area of privacy towards many companies big and small. It has also used its authority in relation to Safe Harbor. In other words, U.S. companies that have signed up to Safe Harbor and haven’t lived up to their obligations, they have had enforcement action taken against them.

I think what’s very encouraging are the efforts being made by the current administration to achieve a federal umbrella law on privacy. This certainly would be very helpful in terms of the goal of having as much interoperability as possible among EU and U.S. models, because we fundamentally accept we have the same values. We value privacy. But we perhaps give more priority to some things than others. In the U.S. there’s a very strong emphasis on freedom of expression; in Europe, there’s a strong emphasis on protecting personal data because of sad historical misuse of data.

I think there are many things that are encouraging in terms of improving the degree of that interoperability. There are the publications by FTC and DoC, which seek stronger roles for privacy, calls for federal privacy law if that can be achieved. There’s also now a big push for a free trade agreement between the EU and the U.S. and one can imagine the issue of any potential trade barriers arising from differences in privacy regulation might come up there. So there are different drivers, which might encourage, I think, both parties to look at their laws. There’s the new EU regulation, there’s, on the U.S. side, the push for some form of umbrella federal legislation. A lot of drivers, which if they worked out well would greatly improve interoperability, taking account of the fact that the flow of data is now global and there’s a need for global solutions.

What about Do Not Track? Is it doomed to fail?

I certainly wouldn’t assume it’s set up to fail. I think it’s fascinating to watch the process, particularly in the U.S., with companies using privacy as a competitive advantage tool. Certain companies have said we’re going to implement solutions, which basically mean putting do not track into browser settings. There’s been support from the FTC and pushback from the advertising industry. What’s interesting is the concern is the same on both sides of the Atlantic: It’s to give people a sense of control over what’s happening on the Internet, to avoid the sort of creepiness that can be involved in thinking someone’s tracking you and making assumptions, profiling you based on your behavior on the Internet.

Again I think it comes back to the idea of giving the individual more control over their data and I think it will be fascinating to watch it play out. But in the U.S. it’s an issue of competition on privacy. As a regulator, the more you can align commercial objectives with regulatory objectives the more success is likely.

What’s the hardest part of your job? Who do you call when you don’t know the answer?

In some respects, it’s the need to ultimately make decisions based on a principles-based law, which isn’t, as it were, black and white. That can be very difficult because the whole area of privacy is so intertwined with people’s concepts of privacy, their priorities and then with a very general set of principles. That’s certainly a very difficult part.

Who do I ask? The problem about being a commissioner is it’s supposed to be the reverse, people ask you. Who do I ask? I consult with my colleagues in the office as my first priority and rely very much on their advice; they’re my first port of call and I do that extensively. I’m far from knowing everything or getting things right, so the more you can make sure that, when you have to make a decision, you take into account different points of view, the more likely you are to get it right.

The common positions produced at the EU level by the Article 29 Working Party can be helpful in terms of clarifying how the law should be applied in different contexts and this role of the central Euro body will be strengthened under the Regulation. Their recommendations are helpful because we’re all working under common European law and a common set of principles, so it can be helpful when we get together grappling with new issues and new technologies to figure out how we should apply data protection principles

What do you do to relax?

It’s usually to be with family, we’ve got three young people in our family and my wife. So it’s I suppose learning what their issues are, talking them through, sitting down having a glass of wine. Generally relaxing. Bringing them to various sports activities and so on. It’s very much family oriented.


Written By

Angelique Carson, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities. Early Bird ends TODAY.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»