Take 5 for Privacy Podcast – A Conversation with Helen Dixon, Data Protection Commissioner for Ireland

October.06.2020

In our first episode, Heather Egan Sussman and Helen Dixon, Data Protection Commissioner for Ireland, discuss the 5 questions on the minds of privacy professionals and innovative companies today. Commissioner Dixon shares her views on how best to regulate data protection and what’s ahead in this area.

 

About our guest:

Helen Dixon, Data Protection Commissioner for IrelandHelen Dixon was appointed as Data Protection Commissioner for Ireland in September 2014. Responsible for upholding the rights of individuals regarding how data about them is used, Helen has overseen the transformation of the Irish Data Protection Commission in the areas of human resources and budget. Since the GDPR came into effect, the role and remit of the Commission for Data Protection has deepened to include a stronger enforcement focus and the Irish Data Protection Commission is the EU Lead Supervisory Authority for many of the world’s largest tech companies that are head quartered in Ireland.

Commissioner Dixon is a regular contributor at national and international engagements and appears regularly in the media to drive awareness of data protection laws and promote a common sense approach to its application.

  • Heather Sussman:

    Hello and welcome to “Take 5 for Privacy,” a podcast where we interview notable practitioners in privacy, asking the same five questions to help advance important policy discussions impacting privacy today.

    My name is Heather Egan Sussman, and I lead the Cyber, Privacy and Data Innovation practice group at Orrick.

    Joining me today is Helen Dixon, the Data Protection Commissioner for Ireland. Appointed to this role in September 2014, Helen is responsible for upholding the rights of individuals, regarding how data about them is used. Since the GDPR came into effect, the role and remit of the Commission for Data Protection has deepened to include a stronger enforcement focus and the Irish Data Protection Commission is the EU lead supervisory authority for many of the world’s largest tech companies that are headquartered in Ireland.

    Helen’s prior roles included serving as the Irish Registrar of Companies, holding senior roles in a key economic government department working on economic migration policy, science, technology, and innovation policy. And she spent the first ten years of her career in the IT industry.

    Helen also holds a number of post-graduate qualifications, including in computer science. We love to find women in STEM.

    Helen, thank you for being that inspiration and we are so happy to have you here.

    Helen:

    Hi, Heather. Delighted to have this opportunity to join you here today, even if it’s just virtually.

    Heather:

    Helen, there have been extraordinary changes in our world since 2014, let alone in privacy. In your view, what is the most critical issue in privacy today?

    Helen:

    I think the most critical issue we have in data protection today is literally how we best regulate it. We know that the processing of personal data is now so ubiquitous that laws like the EU’s General Data Protection Regulation—it’s governing an infinite number of everyday public and private contexts and scenarios, all of which involve the processing of personal data. Positively, now, we see that the world is going through a period of increasing adoption of comprehensive data protection laws in many jurisdictions. And, of course, in the U.S., you’re still having the debate around that. But we’re seeing a corresponding increase in investment in public enforcement of all of these laws. But I think, when we look at them, the most critical issue of data protection is to find a means to best identify how those scarce public regulatory and enforcement resources can be applied to the most pressing issues of our time and to the benefit to those affected by personal data processing. So, you’ll know from the U.S. states as well as here in the EU, that mandatory data breach notification to data protection authorities is a feature many of the regions. Here in the EU, we have compulsory handling of every individual complaint by the data protection authority. And so how do data protection authorities best deal with the volume of issues that are coming at them and find a way to prioritize, while also having foresight of the next big issues that are on the horizon? So, I think a subset of that question about how we best regulate is, how do those of us concerned with effective regulation measure the effects and benefits of different regulatory approaches? So, as you know, approaches can involve issuing guidance—including sector-specific guidance—approaches involve the handling and resolving of individual complaints—over 10,000 in my office last year. Regulation also involves hard-edged enforcement with big fines and corrective measures off the back of larger-scale investigations. And then, of course, then we have informal international cooperation with other global data protection authorities. But it seems to me that much that has been written by academics about the theories of regulation, including newer theories that are grounded in behavioral economics and nudge theories— they’re not specific to the characteristics of personal data regulation where the regulator entities are not sector-specific, where there is little or no (sounds like: exemptive) regulation provided for in law and where fundamental rights and individual complaint-handling is mixed with a form of non-market supervision of regulatory authorities. And, of course, for the volumes of through push through the data protection authorities are enormous. So, I think this is a critical issue today for investing more and more in public regulation and enforcement of data protection and privacy around the world, but we’re not clear what constitutes the most effective mix and waiting of approaches. We’re not going to be as successful as we could be.

    Heather:

    So, regulation and addressing the challenges affecting regulation and effective regulation today is a key issue. How do we address that issue, in your view, going forward?

    Helen:

    So, I think there are several things we need to do to address the issue, maybe starting with my last point about the specific and unusual characteristics of data protection or privacy as a regulatory field. In my view, there is a need now for academic research that specifically looks at how regulatory theory is best applied in data protection regulatory context about reference to its specific characteristics including, as I mentioned earlier, the ubiquitous nature of personal data processing. Clearly to me, this area of regulation differs considerably from typical market regulations in the areas of aviation, banking, financial services or competition. And at the moment, there appears to be a frequent and dominant narrative that only hard enforcement cases and large fines apply to big companies are worthy of the resources of data protection authorities. And this view appears to conflict with regulatory theory that promotes building trust between regulated entities and regulators, ensuring that there are shared values and an understanding of those values and engaging through regulatory conversations (sounds like: exemptive or exempting) to avoid later problems and (inaudible). So, of course, while there has to be strong enforcement with tough sanctions for willful and negligent violation of data protection rules, theory is that these would be reserved for just those types of cases at the extreme. So, I think we need more research in this area. I think we need to more agreed metrics to measure the effects of enforcement and regulation, which, after all—while enforcement is about delivering changes in behavior on the part of the regulated entities, and of course commentary to the effect that fines are just the cost of doing business for larger companies. They don’t inspire confidence that fines alone change behaviors, even if they make a great headline or a news story for a day. And then on the issue of regulatory priorities and global regulatory priorities in data protection, I think we need more real engagement between data protection authorities themselves, but much more importantly, better engagement between the data protection authority community, the public companies, regulated entities, academics and broader stakeholders. So, for example, my office—the Irish Data Protection Commission—we’re of course a member of the European Data Protection Board. We’re a member of the Global Privacy Assembly. But it seems to me we’ve probably spent far too much of our time talking to ourselves as data protection authorities and not enough investment in reaching out and accepting inputs in.

    Heather:

    These are all great points, Helen. So, academic study—engagement on this issue within in the community—really terrific. Terrific ideas. Can you share a challenge that you’ve had to overcome in privacy and the lessons you learned from that experience?

    Helen:

    So I think, and maybe I’m representing a challenge right now, but I think the biggest data protection challenge I have faced is around how to communicate clear messages to the broad range of stakeholders that I want to address and also that I’m simultaneously address at any point in time. So, in line with those earlier comments that I made, my office regulates hundreds of thousands of entities, charities and voluntary bodies, as well as public sector and government, as well as private sector entities and all of the big tech platforms. And, of course, we know that, under the EEU’s general data protection regulation, a risk-based approach is promoted. While much of the GDPR and the application of data protection law could be said to be about the application of common sense, in reality, in terms of fairness and transparency, you know very well that there are aspects of the law that are, nonetheless, complex and technical in procedural terms. So, take for example, the case of the Irish Data Protection Commission took to the Irish High Court, seeking a reference to Europe’s highest court, the CJU, in relation to the validity of the EU data transfer’s instrument that’s known as standard contractual clauses. And if you think of the significance of that case and the importance of the approach my office was trying to adopt, it has been extremely difficult to communicate it in a way that creates real comprehension depending on the audience. And then often competing with the attempts I and my office seek to implement around effective communication, there can be counter or opposing narratives that bear, in our view, little resemblance to the facts or the truth of the matter and deliberately appear to mischaracterize aspects of the issues. So, when I think about what I’ve learned from this challenge, I’ve really learned that’s an everyday challenge that takes work every single day. It has to be taken up fresh every morning. It requires a really multifaceted approach using difference channels to convey different message of varying content and complexity. And as I said earlier, because more and more money is being invested in public regulation and enforcement, it is important that the public understands what the purpose of regulation is and how it is serving them. So for my office, we like to keep a particular focus in staying relevant to the public and not just legal practitioners and experts in the field, so we try to keep that focus on sharing useful and interesting case studies as we go.

    Heather:

    Brilliant, Helen. The issue of communication affects not only regulators. It affects companies. It affects communities. And I find that the challenge too with this remote work arrangement in which many of us around the world find ourselves is it makes communication that much more difficult. So, finding ways to overcome that is a constant challenge and we appreciate all the investment that you’re making in that area.

    Helen, can you tell us, what is your privacy pet peeve?

    Helen:

    {Laughter} It was a long list, so I had to drill down and think about one. I think my pet peeve, certainly for today in data protection, is the quantity of daily Twitter declarations that this, that, and the other is “illegal” under the GDPR. So, I think there continues to be a failure on the part of many to recognize the context-specific analysis and a balancing of rights is generally required to conclude whether something complies with the principles of data protection or of the GDPR or under any other region. So, connected with that pet peeve is that many people end up getting turned off data protection, which I think is a shame, when they read these kinds of declarations because it’s suddenly “illegal” to print the names on the back of a sweatshirt as a souvenir for children that have participated in a high-performance sports camp. So, you end up in the realm of the ridiculous and denying people things that are not, in fact, illegal. So, while my office is always delighted to see that there is a lot of dialogue and engagement around data protection regulation—because it should be something for everyone—I think more nuance wouldn’t go astray in quite a bit of the public commentary that tends to circulate. And I think it all comes back to a common-sense approach again.

    Heather:

    And your point about communication, for sure. So, you know, it’s a challenge when you’ve got only a certain number of characters to deliver your message, right? And so, I hear you, nuanced discussion is so key to continue to advance very important policy discussions today.

    So, Helen, on a lighter note, tell us a fun fact about you that people may not know.

    Helen:

    Well, I certainly think this is a fact about me that people may not know, but I have been a somewhat unlucky open-water swimmer in Dublin, where I live. On one evening a couple of summers ago when I was swimming with my cousin, I was stung in the face by a very large jelly fish. While yelping and panicking and in shock because of the sudden pain in my face, a seal with a mustache appeared within two inches of my face, clearly attracted by my yelping, and attempted to—well, I think he was attempting to attack me. My cousin insists that he just wanted to play, but it was a fairly unpleasant evening all told.

    Heather:

    Oh, I’m sorry. Yes. You know, growing up on Cape Cod, we have our fair shares of seals in the area these days, so not only are they—they can be intimidating because they’re so large, but they also smell. {Laughter} It doesn’t make for a very pleasant encounter.

    Helen:

    His mustache was bothering me considerably when he was up close.

    Heather:

    Well, I hope you’ve recovered from that jelly fish sting.

    Helen:

    I have.

    Heather:

    And maybe you’ve developed a life-long appreciation, at least, for seals.

    Helen:

    {Laughter}

    Heather:

    Helen, thank you so much for joining us today on Take 5 for Privacy. It’s been wonderful to chat with you and to hear your perspective.

    Helen:

    Thank you, Heather.