Every morning for the last 10 years, Irish Data Protection Commissioner (DPC) Billy Hawkes has taken his 20-minute bicycle ride to the train station to board the train for a 50-minute ride to Portarlington, where his office and staff of 30 greet him. The office moved there years ago when the government decided there was too strong a concentration of state offices in Dublin—where Hawkes lives—and so decentralized some agencies to other parts of the country.
But these days, the train leaves the station without Hawkes. His tenure came to an end on August 31, and he'd delegated his duties to his deputy commissioner, John O’Dwyer, until an Irish government committee approved longtime civil servant Helen Dixon as the new data protection commissioner of Ireland.
Dixon will have an increasingly important role to play. Mark Scott recently called the position “relatively obscure” but with “global sway.”
Dixon served as registrar of companies previously and has held senior management positions in the Department of Jobs, Enterprise and Innovation. She's slated to sit at Billy's desk within the next few weeks.
Some have said the next commissioner needs more budget and muscle to regulate the volume of global companies processing data in Ireland.
Indeed, the position has proven to be somewhat high-profile as compared with that of other data protection authorities globally. After all, companies like Facebook, Google and Apple all have headquarters there and are under the purview of the Irish DPA.
Hawkes, reflecting on the last decade, said the pressure that comes with regulating those companies is in some ways a happy result, the effect of Ireland’s strategic success in attracting major companies to the country. However, regulating the companies, including conducting audits of Facebook, LinkedIn, Adobe, Apple and Yahoo, was certainly the greatest challenge the office faced.
After all, when Hawkes took his post, he was juggling a very different set of balls.
“When I was first appointed in 2005, the main issues facing our office were strictly domestic, public bodies, hospitals and so on,” he said. “But the success of our investment agency in attracting major companies to Ireland meant I had to deal with concerns from other areas of interest and internationally.”
Although taking on multinationals strained resources for a time, the DPC’s staff has since increased by about one-third, and the office expects to potentially double staff size within the next two years. The government’s been receptive to Hawkes’s needs, he said, which bodes well for his replacement.
“There was recognition that if you have them bringing in these companies on one hand, you must resource the regulator appropriately,” Hawkes said. “Because we do have the responsibility then to regulate these companies to a high standard and to be able to demonstrate to other regulators that we are capable of regulating them to that high standard.”
That doesn’t mean the government has ever written him a blank check, he clarified, but the relationship over the years has generally been one of mutual respect and reciprocity.
Hawkes is a good-natured, soft-spoken, grandfatherly gentleman with blue eyes that practically smile themselves, and it’s sometimes hard to imagine him sitting with a threatening mien across the table from power players at tech giants like Facebook and Google detailing impending regulatory action for various headline-making indiscretions.
And frankly, that was a criticism Hawkes received from time to time in the press: that he had a “soft touch” approach on companies that took some liberties with data use policies and practices.
But Hawkes said the message he conveyed to targeted companies was that his office had a job to do; that the audit process is designed to ensure that a company is at least complying with the law and with best practices, and that it was his office’s duty to work with other data protection authorities both inside and outside of the EU. Perhaps it was his charm and likeability that helped him get the job done when push came to shove. Maybe his sensible approach and lack of ego were two of his greatest assets.
“We think we got across the message that we are a strict regulator in that we insist on high standards and that our approach is one of dialogue. Providing the companies listened and did what we said, we would both come out on top,” Hawkes said of his office’s approach. Along the way, of course, there were certainly “lots of full and frank conversations before we reached that happy outcome.”
As for his critics, Hawkes simply said, as you’d imagine he would, that it’s always been his policy to take criticism in stride.
“I treat responsible criticism as something that’s very positive,” Hawkes said. “The way I try to respond to it is in the way that we carry out our work. Constructive criticism is very useful.”
He acknowledges there’ve been both high and low points to the job. Auditing companies the size of small countries was certainly a challenge, especially considering the constraint on resources it placed on the small authority.
Then there was that morning in 2008, he recalls with a chuckle, of the "hacked" annual report. That annual report is quite a moment each year for any data protection authority, generally involving a press release and some media attention. It’s typically a good chance for regulators to tout their accomplishments for the year, shine a light on pressing data protection and privacy concerns and call the government and/or citizenry to task.
“It was meant to be a good news day for us,” Hawkes said.
As it turned out, Hawkes—a private person who has no interest in social media and intends to keep it that way—began his day with a call from one of Ireland’s major radio stations alerting him that a well-known IT expert had been able to hack into the commissioner’s report before it had been officially unveiled on the website.
“So instead of giving out solid advice about data protection, I found myself apologizing for our inadequate data-security measures,” Hawkes chuckled. Hawkes was soon after put live on the radio to explain how it could’ve happened.
“Not the best news for the body tasked with preaching good data practice,” he said. “But a memorable day.”
As for the next commissioner, Hawkes said he can promise she'll never be bored.
“It’s a fascinating job,” he said, with twists and turns that couldn’t be predicted if you tried.
While the fundamentals of the job are the same as in Hawkes’s first annual report 10 years ago, both the technology and the priorities have shifted, the latter for a number of reasons, including the impending data protection regulation and a generational shift in philosophy.
“There’s my generation, and then there’s the Facebook generation,” he said, “and there’s a need to see that. You’re there to protect people’s rights and to give them control.”
As for Hawkes himself, after 44 years of work for his country in various capacities, he’s ready for this retirement.
“I intend to focus on consuming things I have not had enough time for,” he said. “Family, reading, drink and leisurely travel.”
2005: Billy Hawkes appointed as Ireland’s data protection commissioner (DPC) for a five-year term.
2006: Hawkes issued a guidance letter to mortgage intermediaries.
2007: Hawkes teams up to fight spam texts.
2009: Hawkes issues guidance on data breaches.
2010: Hawkes reappointed as Ireland’s DPC for an additional five-year term.
2011: Hawkes audits Facebook and makes several recommendations.
2013: Hawkes audits LinkedIn.
2013: Hawkes signs a memorandum of understanding with U.S. FTC Chairwoman Edith Ramirez, “to promote increased cooperation and communication between the two agencies in their effort to protect consumer privacy.”
2014: Yahoo is moving to Ireland! Hawkes will soon be carrying out a privacy audit of the company.
2014: Hawkes auditing Apple’s European sales operation.
2014: Hawkes “covers users of Internet companies based” in Ireland, “including 990 million Facebook users worldwide.”