Ireland's Privacy Cop Sets Pace for EU Regulation of Multinationals
28 December 2016 - 3:49AM
Dow Jones News
By Sam Schechner
DUBLIN -- When chat service WhatsApp last summer did an
about-face and started sharing users' personal information with
parent company Facebook Inc., Ireland's top privacy cop jumped into
action.
Helen Dixon, Ireland's data-protection commissioner, activated a
10-person investigative unit she had created to probe multinational
tech firms, and she pushed to coordinate multiple probes across
Europe. She has since put both Facebook and WhatsApp through rounds
of questioning at her agency's new offices in Dublin.
The case is one of the most high-profile tests since the
European Union agreed on a new law for regulating data-protection
and privacy matters across the continent, which has long tilted
toward stricter rules than in the U.S.
While the law doesn't take effect until 2018, it will eventually
give tiny Ireland the authority to hit companies with big fines --
up to 4% of global revenue -- for violations. Other EU countries
will share the same power, but Ms. Dixon stands to take an outsize
role in the global debate over data-protection and privacy issues
given the prominence of the companies that have their European
headquarters in Ireland -- including giants like Facebook, Apple
Inc., Alphabet Inc.'s Google and Airbnb Inc.
"We are effectively regulating the global rollout of the
products these companies propose," Ms. Dixon said in an interview.
"The standards that we set in Europe will influence how data
privacy is done around the world."
That puts Ireland and its data-protection chief in the global
spotlight. Ms. Dixon two years ago took over an agency that faced
frequent accusations of industry bias. Ireland, after all, drew the
world's tech darlings in part because of its business-friendly tax
and governance environment. Its tax treatment of Apple is now the
subject of a policy tug of war between Dublin and the EU.
Before Ms. Dixon took over, the privacy commissioner had a
single tiny office above a small-town supermarket. She has since
doubled staff to 60 with plans to reach nearly 100 next year.
Ireland boosted her 2017 budget to EUR7.5 million ($7.8 million),
up 58% from this year. In August, she opened a new office in a
renovated four-story townhouse in Dublin -- but expects the team to
outgrow the space as early as next year.
Meanwhile, Ms. Dixon is in a wrestling match with other national
data-protection agencies in the EU, many of which want a say over
the multinationals squarely in her sights. Under the new EU privacy
law, a lead authority must consult with EU counterparts on major
cross-border cases, and the leader can be overruled. But for now,
in cases like WhatsApp, there is no formal lead authority, and
cross-border collaboration is ad hoc.
"For the moment, Ireland is one among many," said Isabelle
Falque-Pierrotin, France's privacy chief and the head of a
pan-European advisory group comprising the bloc's 28
data-protection regulators.
The EU recently accused Facebook of making misleading statements
in 2014 when seeking approval to buy WhatsApp, which could lead to
a fine of up to $179 million. But in the privacy case under Ms.
Dixon's purview, any fines would be minimal under current Irish
law. She can send cases directly to court with the ceiling on fines
set at EUR3,000 -- far less than the 4% of world-wide revenue that
will become possible under EU law in 2018.
More immediately, however, Ireland could order Facebook to
change its behavior, which, combined with possible action and fines
by other EU regulators, would point to tougher enforcement ahead
for companies. "We aren't looking to hang a sign around our necks
saying 'leader,' but that is what we are doing when it comes to
communicating with the other regulators," Ms. Dixon said.
A spokeswoman for Facebook said last summer's changes to
WhatsApp's privacy policy "comply with applicable law," but added
that the company held off on sharing some WhatsApp data with
Facebook in Europe pending the outcome of the investigations opened
in several countries.
There are skeptics of Ireland's policing of corporate practices.
Irish data-protection officials have long promoted what they call
an "engaged approach" to regulation. Through frequent conversations
with companies, they say they foster compliance before there is a
violation that needs punishing.
While corporate lawyers applaud the approach, some privacy
activists have said it is still too cozy. When Facebook launched a
new privacy policy in 2015, several data-protection authorities
opened parallel investigations into it -- but not Irish regulators.
"It is no secret that in the past we have had different views on
legal topics concerning Facebook," said Johannes Caspar, privacy
commissioner in Hamburg, Germany.
Ms. Dixon, who spent nearly 11 years working for American
corporations before moving to the public sector in 2007, rejects
the notion that the agency has been a pushover through the years.
She said that striking deals with companies to change practices
sometimes does more to protect citizens than ending up in years of
enforcement litigation.
Dara Murphy, Ireland's data-protection minister, who helps
oversee the regulator, says Ireland will prove unflinching in
applying the EU's new privacy law: "It will be in the interest of
our regulator here is that it become clear quite quickly that the
Irish interpretation is as robust as anyone else's."
Write to Sam Schechner at sam.schechner@wsj.com
(END) Dow Jones Newswires
December 27, 2016 11:34 ET (16:34 GMT)
Copyright (c) 2016 Dow Jones & Company, Inc.