Irish data office struggling to cope with EU demands

27.09.12 @ 09:24

  1. By Nikolaj Nielsen
  2. Nikolaj email
  3. Nikolaj Twitter

BRUSSELS - The data protection office (DPC) in crisis-hit Ireland might need to hire more staff to cope with the demands of an upcoming EU privacy law.

  • The Irish office of the data protection commissioner has a staff of 22; seven are investigating officers and three are compliance officers (Photo: Notat)

Ireland is the EU headquarters of some of the world's largest Internet companies, including Facebook and Google.

It is also one of three EU countries, along with Greece and Portugal, currently being drip-fed bailout money to help balance its books.

Billy Hawkes, Ireland's data protection supervisor, told EU justice and home commissioner Viviane Reding on Monday (24 September) that data protection authorities will need additional resources to "carry out their broader European oversight responsibilities."

"This is a key issue for us due to the large number of multinational companies handling personal data that have substantial operations in Ireland," he said.

The draft regulation is scheduled for final review next summer under the upcoming Irish EU presidency, which has said data protection will be one of its key priorities.

The bill calls for a single national data protection authority in each EU member state to prevent overlap and industry-wide abuse.

Both Ireland and Germany, for instance, reached similar conclusions in a recent case to ban Facebook from using face-recognition software.

Ireland received all the complaints from across Europe because Facebook has its European office there, the Irish Times reports.

In theory, the new EU law would have prevented the two separate authorities from spending resources to reach the same conclusion.

Specifically, the regulation calls for a single national authority to carry out investigations, take binding decisions, impose sanctions and deal with complaints. Each national watchdog is also to work with other member states to ensure rules are consistently enforced.

But Hawke's office told EUobserver the mandatory data breach notification requirement would entail additional work.

The regulation requires companies and organisations to notify the DPC of any serious breaches within 24 hours if possible.

"Equally, if we are lead regulator for companies providing services to a large number of citizens in the EU then we will be required to investigate complaints from such persons as well as Irish residents," said a Hawke spokesperson.

She noted they are currently hiring a technology advisor but would not specify how many additional staff members they would need to handle the extra work.

The case is now with the Irish government, which is examining the additional resources that will be required by Hawke's office.

The DPC has a staff of 22, seven of whome investigating officers and three are compliance officers.

France, in comparison, has a total staff of over 140 and Germany just under 100 on federal level as well as at least another hundred dispersed across its 16 landes.

The DPC told this website in an email that "offices in other MS [member states] are proportionate to the size of their population and ours is proportionately equivalent to those."

For its part, civil liberties group Privacy International (PI) ranked Ireland’s data protection laws in a EU-wide survey in 2010 as some of the lowest in Europe.

"Ireland, alongside the UK has the lowest overall rating in Europe, Turkey excluded, including one of the lowest on statutory protection and enforcement," a consumer rights advocate and campaigner at PI said.

She commended the DPC's recent decision to ban Facebook from using its face-snapping software, however.