Helen Dixon, Ireland's Data Protection Commissioner, discusses her office's role when companies profile or use data analytics for political purposes, and what has been learned from being in cases before Europe's highest court.
Thomson Reuters senior associate editor of privacy and data security, Melissa Sachs, spoke with Helen Dixon, Ireland’s Data Protection Commissioner since her appointment in 2014, about the General Data Protection Regulation (GDPR), what data controllers and processors need to keep in mind under the GDPR, and how her office responds to criticism about its regulation of Facebook in Ireland.
Melissa Sachs: With the GDPR, new breach notification, cybersecurity, and data protection laws in Singapore, China and Russia, and the rise of ransomware attacks, what do you think has gotten less press than deserved?
Helen Dixon: While the GDPR has gotten a lot of press, it is well-deserved coverage. The GDPR is the biggest and most important show in town. It’s the newest framework and now the global standard.
Sachs: Profiling and using data analytics for political purposes has recently gained a lot of news coverage. In general, what do you think is the role of your office?
Dixon: Our office has a role to supervise data collection and processing, which needs to be lawful, fair and transparent. On a practical level, our office needs information on how data controllers or processors use data subjects’ profiles and some sense of the algorithms at work. If the data controllers are collecting a sensitive category of data, they need to get explicit consent.
However, if policymakers want to ban sponsored stories before an election, for example, or have an imprint to say who is behind an ad, then that is a matter of policy. Scotland required an imprint to show which side was funding ads.
Sachs: What is the number one issue that you think data controllers and data processors are not paying enough attention to right now?
Dixon: Transparency and data subject rights, including that personal data must be processed lawfully and fairly. Data controllers must understand the legal basis for processing and keeping the records that Article 30 of the GDPR requires. This is a proactive area of interest for our office.
For example, before the UK’s current investigation of Cambridge Analytica, we had already asked Facebook to address the issue with third-party apps and access to data during and after our 2011 and 2012 investigations and reports. Facebook tried to rectify this issue with more granular controls over how apps can access friends’ data. However, we recently found out about how Andrew Kogan disclosed user data to Cambridge Analytica that he gathered through his app before Facebook changed its policy. But this goes back to the transparency issue.
Our office is keen to see how Facebook and other platforms will oversee the privacy practices of app developers.
Sachs: Regarding Cambridge Analytica, how does your office respond to a March 19 article or March 21 opinion piece in the Irish Times that criticized how your office regulated Facebook after receiving a complaint in 2011 from Max Schrems, an Austrian law student, which flagged how a loophole allowed Facebook app developers to harvest data from users’ friends, or your office’s role in overseeing Facebook’s compliance with a decision from the European Court of Justice (ECJ), the EU’s highest court, on the issues Schrems raised?
Dixon: Those articles confused me because the ECJ’s decision in Schrems v Data Protection Commissioner (Case C-362/14) EU:C:2015:650 declared the safe harbor framework invalid (see Legal update, ECJ rules that the EU-US safe harbor arrangement is invalid). The decision had nothing to do with harvesting data. But, in general, my office must follow the law. My office can’t regulate by press release or popularity, which means it may issue decisions that follow the law, which the public doesn’t agree with or like.
Sachs: Recently, Ireland has been at the forefront of issues before the highest U.S. and EU courts (see United States v. Microsoft Corp., No. 17-2 (U.S. Apr. 17, 2018), and EU’s top court asked to probe Facebook U.S. data transfers). What have you learned with your country in the spotlight?
Dixon: Our office has a legal obligation to investigate and litigate certain cases. It has been useful to generate a body of caselaw and legal certainty, and we’ve gained knowledge through our experience before the courts. This is helpful because litigation will be necessary to resolve some issues that will arise under the GDPR while other issues will need a combination of political action and legislation.