Ireland's Dixon taking the long view on privacy for GDPR, Facebook, Privacy Shield, other issues
28 March 2018. By Mike Swift.
The week after the global privacy crisis broke involving Facebook and Cambridge Analytica would have been a convenient time for Helen Dixon, Ireland’s data protection commissioner, to stick close to home.
“It would have been a lot easier to stay back at the office, putting out fires, minding the shop,” Dixon agreed, as she sat down for an interview Tuesday with MLex in Washington, DC. With her office taking a central role in the ongoing inquiry because Facebook’s European headquarters is in Ireland, she had plenty on her mind.
But Dixon is playing the long game on privacy and data security. With the effective date of the General Data Protection Regulation less than two months away, staying home wasn’t an option. In multiple public appearances at the IAPP’s Global Privacy Summit* this week, in meetings at the White House, and at evening dinners and cocktail hours with the world’s leading privacy and data security enforcers past and present, Dixon has been listening as much as talking.
“What we’re really hoping to learn is what remaining misconceptions there are around the GDPR, what additional information stakeholders would like to hear from us, and what clarifications we can provide,” she said. “Ideally, we’d like to learn that stakeholders are embracing what the GDPR is about, which is all about accountability. It’s not about tick-box compliance.”
With the GDPR going into effect May 25, the Irish data protection authority is staffing up to be the lead enforcer with Facebook, Google and other big multinational Internet companies basing their European operations in Ireland. Dixon said that with about 100 staffers in place and plans to hire another 40 to 50 this year, she feels ready for Ireland to be among “the top tier of national DPAs.”
The weekend the Facebook-Cambridge Analytica story broke was St. Patrick’s Day weekend in Ireland — not the time an Irish regulator would have preferred a privacy breach of that magnitude to be revealed. Nevertheless, Dixon said Facebook gets good marks for responding immediately to the data protection watchdog's many questions.
She gives Facebook lower marks, however, for how it presented the situation to the public.
“In relation to their initial response, I think their response wasn’t clear enough in stating immediately when the story broke that as a platform, with these thousands and thousands of app developers operating on their platform, that they have a responsibility in terms of oversight,” Dixon said.
As the inquiry goes forward, Dixon sees three areas of questioning that Facebook will have to answer. Facebook will have to account, she said, for the privacy exposure prior to 2014 of the Facebook friends of people who downloaded apps that harvested user data. Prior to 2014, when Facebook changed its app policy, those apps may have had access to the data of the app-users’ friends. Facebook has acknowledged that it learned in 2015 that a third party, Cambridge Analytica, gained access to the leaked data; Dixon’s office wants to know why that wasn’t disclosed. Also, Dixon’s office and other investigators want to know exactly how the leaked personal data might have been used to microtarget Facebook users with advertising or other types of content.
Dixon acknowledged that there presently is no European legal requirement for Facebook to disclose the privacy leak that happened three years ago. “There is no mandatory requirement in EU law currently. So you have to look at what are you going to be able to achieve” in terms of enforcement, she said.
But, again, Dixon is playing the long game. She made clear that her office won’t just be asking about the Facebook-Cambridge Analytica issue, but about the much broader question of data collection by apps running on all big Internet platforms.
“I think there are obligations on the platform — and not just Facebook; they are not operating in a way others didn’t in terms of oversight of developers on their platforms — there is an onus on the platform to ensure there is a compliance with their own policies, and some type of active oversight,” she said.
In other words, the operator of any major online platform — Google’s Android and Apple’s iOS would be two obvious candidates — should brace for questions from Dixon and other European regulators about the data collection activities of the apps running on their platforms.
“I think one of the things we want to do as a data protection authority is work with other European data authorities in terms of supervision of app operators in various EU member states,” Dixon said. “We as DPAs have known there is an issue with app operators. We need to think about effective means by which we can supervise and compel their compliance.”
Dixon met at the White House with Abigail Slater, President Donald Trump’s newly named lead advisor for technology, telecom and cybersecurity issues on the White House’s National Economic Council.
Dixon and other European officials are concerned about the slow pace of appointments to the US Federal Trade Commission, the lead US enforcer for the EU-US Privacy Shield. That agreement allows the transfer of Europeans' personal data to the United States.
While Trump has made nominations for all five open seats on the FTC, none of the nominees has been confirmed by the US Senate. European officials want to know when that is going to happen.
“The FTC has a role in enforcement with Privacy Shield,” Dixon said. “We are a kind of partner in terms of being data protection authorities in one form or another. So it is a concern.”
Dixon dined with former FTC Chairwoman Edith Ramirez at an event held by Ramirez’s new law firm, Hogan Lovells, this week. Another evening, Dixon joined the outgoing head of the Article 29 Working Party, Isabelle Falque-Pierrotin, and the new head of the European regulator, Andrea Jelinek, along with privacy regulators from Hong Kong to Brussels to toast “Long live the GDPR!”
Dixon has not met the nominee for chairman of the FTC, Joseph Simons, but she anticipates no problems working with the Trump appointee. “We’re used to building up new relations with new commissioners as they change over in the EU, and with new officials in the US. So I have no doubt that will happen again,” she said.
Dixon does see a silver lining from the Facebook-Cambridge Analytica situation. In the wake of the revelations, she spent a lot of time talking about the privacy breach in the Irish media, including an appearance on national television to discuss the matter.
“It was interesting that some friends contacted me after that broadcast to say, ‘Oh, I didn’t know that was how it worked’ — which I find amazing,” Dixon said. “So a positive that came out of the story is that it’s opening up people to understanding how these free services work, and perhaps making it clear to them what the risks are.
“There are people who do understand the risks and who do understand the deal, and who are fans of personalization and fans of interest-based advertising. But if that’s their choice, it has to be an informed choice,” she said.
* IAPP Global Privacy Summit. Washington, DC. March 27-28, 2018.