With Europe’s sweeping new data privacy law, Ireland is in the middle of a standoff between regulators and tech companies.
By Adam Satariano of the NYTimes
DUBLIN — If Mark Zuckerberg doesn’t know who Helen Dixon is, he will soon.
From an unassuming townhouse in the Irish capital, Ms. Dixon, the country’s data protection commissioner, leads an agency that was once a bureaucratic backwater. Employees share offices and have few of the perks available in Facebook’s building nearby: The main free amenities here are water, coffee and tea.
Yet Ms. Dixon will soon gain vast new authority to investigate and fine Facebook, as well as an array of other technology giants with regional headquarters in Ireland. Amid increased concerns over online privacy, a sweeping new European privacy law could make her one of the world’s most consequential regulators.
She is eager to test her newfound power. But the question remains whether her tiny agency is able — or willing — to stand up to tech behemoths of Silicon Valley.
“There’s a wave coming toward us that we need to push back against,” Ms. Dixon, who spent the first 10 years of her career working for tech companies, said in an interview.
Europe’s new General Data Protection Regulation is seen by experts as the world’s most aggressive set of internet privacy rules. It is expected to come into force on May 25, and it will give more than 500 million people living in the European Union the right to keep companies from collecting personal data, or to have it deleted. Regulators like Ms. Dixon will be able to fine companies up to 4 percent of global revenue — equivalent to about $1.6 billion for Facebook.
The privacy law highlights broader skepticism of Silicon Valley in Europe, where regulators have punished companies for violating tax and antitrust laws, not doing enough to stop the spread of hate speech and misinformation online, and intrusively gobbling up data on consumers.
Ireland in particular is taking center stage in the wide-ranging battle. The country is the European headquarters for data-hungry companies including Airbnb, Apple, Facebook, Google, Twitter and Microsoft, which owns LinkedIn.
If companies do not comply with the law, Ms. Dixon said, “they will suffer consequences.”
But for all the tough talk, the reality is that her agency subsists on an annual budget of 7.5 million euros, equivalent to $9 million. That’s roughly as much revenue as the companies she oversees generate over all in 10 minutes. Facebook, which also owns WhatsApp and Instagram, has hundreds of people globally working on data protection regulation alone, including lawyers and privacy experts hired in Dublin.
The data protection office was once an afterthought. During an effort by the Irish government to move less-critical agencies out of Dublin, it was relocated in 2006 50 miles west to a town called Portarlington, population 8,368. Its power was so limited that it could not publicize investigations.
Ms. Dixon, whose father was an army officer and mother a schoolteacher, grew up in a small town in central Ireland before moving to Dublin for university. She worked for companies including the business software firm Citrix Systems before moving into government. She later received a postgraduate diploma in computer science.
Fittingly for her current position, Ms. Dixon guards her privacy. She will not share her age, other than saying she is in her “40s,” and she has become more careful with data since taking the job. She does not use Facebook or Instagram (though she does have a LinkedIn profile).
Since taking over in 2014, Ms. Dixon has successfully lobbied for more funding and got the headquarters put back in Dublin. A move to a bigger office is in the works. She has hired lawyers, investigators and engineers. The staff will total 140 this year, up from 30 when she joined, with plans to reach 200 in the next few years, if budget increases are approved.
But if data privacy is truly a priority globally, Ms. Dixon said, more resources are needed. Her office is actually among the better funded privacy agencies globally, but is still a minnow compared with, say, Ireland’s financial services regulator, which has a budget about 40 times greater.
“The question for governments is, how much enforcement do we want to do, how seriously do we want to take the risk to our fundamental rights and freedoms in this area?” said Ms. Dixon, carrying a bound copy of the new law. “We need the funding and resources commensurate with the level of importance. This office would suggest it should be far more highly resourced.”
Budgetary constraints are not new to regulators overseeing powerful industries. But privacy groups worry that without strong oversight, the European rules, years in the making, will do little to crimp the power of Silicon Valley.
There is evidence those concerns are well founded. In a Reuters survey of privacy regulators in 24 European Union countries, 17 said they did not have the needed funding or legal powers to enforce data protection regulation. Ireland did not participate in the survey.
Ms. Dixon must also contend with skepticism among privacy advocates, stemming largely from Ireland’s history of lax oversight of the technology industry.
Her predecessors are faulted for not taking earlier action against Facebook, even when complaints were filed years ago about data-mining practices similar to those eventually used by the political consulting firm Cambridge Analytica. The European Commission in 2016 also ordered Ireland to recoup about $15.6 billion in unpaid taxes from Apple. (The decision is being appealed.)
“The culture has to be changed,” said Max Schrems, a Austria-based lawyer and online privacy advocate who filed the earlier complaints against Facebook. “You can have the best law, but if nobody enforces it, then you’re not going to go anywhere.”
Advocates of the new law say it is already having a positive impact and that oversight is spread out. A new European Data Protection Board will help coordinate investigations and pool resources across European Union countries, giving regulators outside Ireland the ability to bring action. The data protection regulation also allows private groups to recruit consumers into class-action-style complaints — not as common in Europe as the United States — that could result in sizable damages against businesses.
A looming question, however, is how much people really care. Ms. Dixon cited Facebook’s most recent financial report, which showed growing user numbers, revenue and profit, despite the Cambridge Analytica scandal.
“We should be acting as data protection authorities in the name of data subjects, but you often as a regulator in this space have the feeling that you’re not mandated by the general public,” she said. “Either they don’t care or they actively oppose what we’re doing.”
Representatives from the technology industry have made regular visits to the converted 18th-century Georgian home used by Ms. Dixon’s team. Aware that a public backlash is putting pressure on regulators to rein in Silicon Valley, Facebook and others have been courting Ms. Dixon, putting forward their case that their data protection policies comply with the new European law.
“We’ve really leapt into explaining what we’ve done and the thinking that’s gone into that,” said Stephen Deadman, Facebook’s global deputy chief privacy officer. “I’ve got faith and confidence that the way Helen Dixon’s office will perform its function will be true to the spirit and requirements of G.D.P.R., rather than being blown around by whatever is happening in the media.”
Google and Twitter declined to comment.
Even with limited resources, Ms. Dixon is studying her adversaries.
When Mr. Zuckerberg testified before Congress last month, she stayed up late at home despite the time difference to watch as the Facebook chief executive answered questions.
Asked if she had a message for him and other tech executives, she said they should expect her to use her new powers “to the fullest.”