When Billy Hawkes was appointed as Ireland's data protection commissioner in 2005, Gmail was still in beta; Facebook was only open to a handful of colleges; and Steve Jobs was secretly designing a mobile phone.
Now, those tools are at the center of millions of people's lives, helping them manage their information by cataloging reams of it. And Hawkes, a 62-year-old, white-haired politician, has become the first line of defense for privacy-conscious Europeans. Apple, Google, Facebook and LinkedIn are among the companies that have established their European headquarters in Ireland, helping them to attain some well-documented corporate tax benefits. In turn, that has given Hawkes unprecedented oversight on how the sensitive information of users is collected and stored.
I met Hawkes late last year at a convention in Dublin that caters to international Web startups. He doesn’t often go to these types of events, but he’s familiar with the venue, which is the headquarters for Ireland's nearly three-centuries-old Royal Dublin Society. In a crowded hall outside the VIP room, he suggests we find someplace quiet and leads me through what appears to be an emergency exit to a historic-looking library, which has walls lined with crowded bookshelves. As he sits across from me at long table, it's quite the contrast — the man in charge of protecting digital information in a room full of old tomes. And it's not the only dual realities he faces.
After serving in various roles within the Irish government for more than 30 years, Hawkes finds himself in the middle of a tech tug of war. Politicians want these tech companies to stay in their country and bring jobs, but they also want to protect citizens’ privacy. Hawkes must balance these concerns when conducting the data protection agency’s audits, which look at how Internet companies with Irish bases handle information. All of this is done with a barebones staff. “It's a significant challenge for us,” Hawkes says.
Hawkes's decision not to pursue regulatory action against tech companies in response to the National Security Agency leaks was the subject of public criticism and a court case targeting him. He says the companies weren’t breaking the rules because they were required by law to disclose information to the U.S. government. "For me, it’s a cut and dry issue,” he says.
The current rules may make government spying OK, but Hawkes says the NSA revelations could spur changes. European Union officials plan to complete a new data-protection agreement with the U.S. by mid-2014.
"The NSA stuff is in fact putting more pressure for more restrictions," Hawkes says. "There’s no question that there’s a need to update them to match the new challenges in technology." When the original directive was put in place in 1995, "there weren’t any LinkedIns or Facebooks,” he says.
In the meantime, Ireland’s online privacy watchdog works with companies to review their data practices and makes recommendations on how to improve them. Facebook agreed to allow Hawkes’s agency to publish its audit, and Hawkes says the company made changes to the social network based on recommendations from the report, such as offering a self-service tool that allows users to download their data and the ability to selectively delete personal information. Those changes benefited all of Facebook’s billion-plus users worldwide, Hawkes says.
The Irish data protection commission is currently examining LinkedIn’s data policies. Hawkes hopes the company will allow the agency to publish its report like Facebook did, but there’s no rule requiring companies to do so. Hawkes declined to comment on the progress of the audit or the findings so far. Hani Durzy, a spokesman for LinkedIn, says the company expects to see a final report from Ireland's Data Protection Commissioner by March, but he declined to comment on whether LinkedIn will let the agency publish its report.
Hawkes says he won’t seek reappointment in 2015 when his current term as commissioner ends. But he should have plenty to do before then. Twitter and Dropbox both have significant operations in Ireland, and they're expected to establish their European bases there. Twitter declined to comment, and Dropbox didn't respond to requests for comment, but if they do pick Ireland, Hawkes expects audits of those companies will be next on the to-do list.