Editor’s note: The Irish Independent reports Helen Dixon will move to the Commission for Communications Regulation after she departs Ireland’s Data Protection Commission.
Helen Dixon was the world's first global privacy regulator. Her departure from the role of Ireland's Data Protection Commissioner, after an eventful 10-year term, marks the end of an era in technology regulation. It is an era marked by the arrival of the EU General Data Protection Regulation, its initial implementation — not just in Europe but also in the U.S. and the rest of the world — as well as its enforcement. Now a new era dawns, with policymakers' attention in Europe, the U.S. and China shifting to the regulation of artificial intelligence.
While she perhaps didn't "make EU regulation great again," as some flame-throwing advocates and politicians had hoped, Dixon was a paragon of judicious, balanced, disciplined and principled enforcement and regulation. She transformed the DPC from a small regional office to a Dublin-headquartered powerhouse with more than 220 expert staff, including some of the leading minds in privacy regulation anywhere in the world.
She stood up for fair and proportionate regulation as the way to ultimately protect privacy rights and the free flow of data in the EU. Despite being in the crosshairs of unrelenting public, political and industry pressure, she achieved a unique, unprecedented enforcement record, blazing a trail for global privacy enforcement agencies by bringing to heel not just enormously powerful multinational companies but also formidable government agencies.
How does a regulator from an island 250 miles off the coast of the continent, home to just 5 million people, become the linchpin of Europe's — and in many respects, the world's — privacy regime? Credit — or, depending on your point of view, debit — the GDPR's one-stop-shop mechanism.
Under it, non-European companies became subject to primary jurisdiction of the regulator in the country when their main establishment was in the EU. And a long list of technology giants, including Apple, Alphabet (Google), Meta (Facebook, Instagram and WhatsApp) and Microsoft, as well as HP, IBM, Intel, LinkedIn, Oracle, Qualcomm, Salesforce and many more, have made the Emerald Isle their European home.
To be clear, choosing Ireland had nothing to do with the country's data protection policies and everything to do with tax laws. But this effectively charged Dixon with responsibility for not just 500 million European consumers but also for the billions of consumers these tech companies have in the U.S. and the rest of the world.
It also placed Dixon in an untenable situation. While the U.S. projected its immense economic and technological power to the EU via these corporate establishments in Ireland, the EU projected its regulatory — and some would say moral — authority back to the U.S. via Ireland's DPC. In many cases, Dixon found herself between a rock and a hard place. American companies warned that aggressive enforcement of an often-vague legislative mandate would result in real, concrete economic harm. Whereas European bureaucrats, the advocacy community, and increasingly European media and politicians, complained the laws weren't implemented and enforced fast enough, harshly enough, and with sufficient vigor and zeal.
This tension came to a head with the unraveling of the EU-U.S. Safe Harbor arrangement and later the Privacy Shield. These developments laid bare the fact that EU policymakers have at best limited ability to affect U.S. surveillance reform, not to mention Washington's legislative agenda. As their fallback option, European advocates pushed to squeeze U.S. companies, for example by curtailing Meta's ability to function, which requires free flow of data across the Atlantic. They hoped by pressuring those companies, they could motivate U.S. policymakers to act.
In reality, alas, this was a one-dimensional chess game that repeatedly resulted in stalemate. Surveillance reform in the U.S. involves interests far stronger than even the mighty Silicon Valley lobby, not least those of national security agencies of European countries themselves. In the meantime, cutting off trans-Atlantic data flows and business practices would impose steep costs on European consumers, businesses, scientific research and economic growth.
Emerging from this thicket of interests, Ireland's DPC compiled an unprecedented enforcement track record. Some of the major cases it resolved were the signature data transfer disputes, including, of course, the references of the so-called 'Schrems' cases to the Court of Justice of the EU; domestic action rightsizing the Irish public services card; and decisions concerning Facebook's targeted advertising, WhatsApp's transparency obligations and Meta's security breach, which affected the data of 500 million users.
By any measure, the case volume and fines processed by the DPC dwarfed those of other regulators in or out of the EU.
Cynics who have argued the DPC had to be forced into action by its associates on the European Data Protection Board failed to see the forest for the trees. In fact, the DPC led massively complicated investigations, including the grunt work of meticulous fact finding and legal analysis, which sometimes takes years. In these cases, the role of other data protection authorities was limited to raising their hands at the end of the process to argue "the fine should've been steeper."
So, please give credit where credit is due.
Dixon's shortcomings seldom manifested in courts or the regulatory arena. It's in the court of public opinion that she became a lightning rod for criticism by advocates, politicians and fellow DPAs. Perhaps in 2018, when she effectively became the European — or even global — privacy commissioner, she should have launched a comprehensive communications strategy in 24 European languages with a focus on Brussels, which is home to the European Commission, the EDPB, advocacy organizations and media outlets. At the time, though, the DPC was a small domestic agency. Over the years, Dixon enhanced the DPC's public footprint. She raised public awareness of data protection and the GDPR by regularly speaking at conferences and giving press interviews, including profiles by 60 Minutes and The New York Times.
In many ways, Dixon's challenges were baked into GDPR itself, with its soft legal obligations and byzantine mechanism for resolving disputes between regulators. As we enter a new era of regulation affecting AI, a technology that could profoundly impact the future of humanity, we should follow the trail Dixon set for us and learn from her experiences as the first and strongest global privacy regulator.