IRELAND, Oct 20 – With an office above a grocery shop and a staff of just 50, Ireland’s data privacy authority makes an unlikely watchdog for hundreds of millions of European web users.
The Irish Data Protection Commissioner (DPC) is responsible for auditing and reviewing the privacy settings of dozens of tech companies that have their European headquarters in Ireland, drawn by low taxes and a well-educated workforce.
Facebook, Google, Twitter, LinkedIn, Apple and Microsoft are just some of the household names under the DPC’s remit, which has come under scrutiny after a landmark European Court of Justice verdict this month.
The ECJ ruled invalid an agreement allowing Facebook to transfer European citizens’ personal information to the United States, and an Irish court will on Tuesday begin considering whether to launch an investigation into the deal.
Max Schrems, the Austrian legal student who challenged the agreement, had argued it did not properly protect Europeans’ data from access by spy agencies, in the wake of revelations of mass digital eavesdropping by the US National Security Agency.
It is from an unlikely location — the small rural town of Portarlington, 90 kilometres (56 miles) from Dublin — that the watchdog coordinates its policing of the world’s giant tech multinationals.
On the town’s Main Street, locals are quick to offer directions to the DPC’s modest offices, but few have paid much attention to the work that goes on behind its walls.
“We would always drive by and know it’s there, but you wouldn’t think too deeply about it,” said local student Tom Morris, 21.
The DPC moved to Portarlington as part of a push to decentralise government agencies in the mid-2000s and encourage employment outside Ireland’s main cities.
“Portarlington was never an economic hotspot,” said pensioner John O’Byrne. “Any jobs are welcome.”
When the DPC was set up in 1998, it would have been hard to foresee how Internet companies would come to dominate everyday life or how Ireland would become a European hub for the world’s tech giants.
Critics have pointed to the DPC’s rural base, small staff and minuscule budget as evidence that Ireland has failed to take seriously its responsibilities at the vanguard of Europe’s data protection regime.
“There was no doubt there was a shortage of resources, whether for financial or other reasons,” said Simon McGarr, a solicitor working with Digital Rights Ireland.
In the past 18 months, coinciding with the appointment of Helen Dixon as the new commissioner, Dublin has moved to beef up its approach.
Irish Prime Minister Enda Kenny created a data protection portfolio in a cabinet reshuffle last year.
Last week an extra 1.1 million euros ($1.25 million) was allocated to the DPC, bringing its 2016 budget to over 4.7 million euros, compared to 1.8 million euros two years ago.
Staff numbers have doubled — but there are still only about 50 of them, compared to more than 300 million Facebook users in Europe.
This year the DPC opened a second office, giving it a presence in Dublin close to “Silicon Docks” — the area where many of the tech giants are located in the capital.
– Too lenient? –
But with multinational investment a key component of the Irish economy, critics have accused the DPC of taking a lenient approach towards the companies.
It is a “business protection authority and not a data protection authority,” said Max Schrems, the young Austrian privacy campaigner whose war on the EU-US transfer deal led to its collapse.
But Data Protection Minister Dara Murphy contested the charge.
“It’s inaccurate and unfounded that we have a light touch regulation, because we don’t have,” Murphy said.
“Our data commissioner is independent. All decisions are subject to the laws of Ireland and European laws,” he told AFP.
He added: “There’s a significant economic benefit to the country having these companies here and we’re more than happy to provide adequate first class regulation.”
But there is no doubt the DPC favours a collaborative rather than combative approach to regulation.
“The office proactively engages with industry, helping to shape how companies work with data, rather than simply watching for transgressions,” a DPC spokeswoman told AFP in an emailed statement.
Schrems said: “The idea that being friendly with companies is going to help is just childish.”