She prizes privacy — not hers, but yours
Irish regulator could have major influence on firms like Facebook
DUBLIN, Ireland — If Mark Zuckerberg doesn’t know who Helen Dixon is, he will soon.
From an unassuming town house in the Irish capital, Dixon, the country’s data protection commissioner, leads an agency that was once a bureaucratic backwater. Employees share offices and have few of the perks available in Facebook’s building nearby: The main free amenities here are water, coffee and tea.
Yet Dixon will soon gain vast new authority to investigate and fine Facebook, as well as an array of other technology giants with regional headquarters in Ireland. Amid increased concerns over online privacy, a sweeping new European privacy law could make her one of the world’s most consequential regulators.
She is eager to test her newfound power. But the question remains whether her tiny agency is able — or willing — to stand up to tech behemoths of Silicon Valley.
“There’s a wave coming toward us that we need to push back against,” Dixon, who spent the first 10 years of her career working for tech companies, said in an interview.
Europe’s new General Data Protection Regulation is seen by experts as the world’s most aggressive set of internet privacy rules. It is expected to come into force Friday, and it will give more than 500 million people living in the European Union the right to keep companies from collecting personal data, or to have it deleted. Regulators like Dixon will be able to fine companies up to 4 percent of global revenue — equivalent to about $1.6 billion for Facebook.
The privacy law highlights broader skepticism of Silicon Valley in Europe, where regulators have punished companies for violating tax and antitrust laws, not doing enough to stop the spread of hate speech and misinformation online, and intrusively gobbling up data on consumers.
Ireland in particular is taking center stage in the wide-ranging battle. The country is the European headquarters for data-hungry companies including Airbnb, Apple, Facebook, Google, Twitter and Microsoft, which owns LinkedIn.
If companies do not comply with the law, Dixon said, “they will suffer consequences.”
But for all the tough talk, the reality is that her agency subsists on an annual budget of about $9 million. That’s roughly as much revenue as the companies she oversees generate in 10 minutes. Facebook, which also owns WhatsApp and Instagram, has hundreds of people globally working on data protection regulation alone, including lawyers and privacy experts hired in Dublin.
The data protection office was once an afterthought. During an effort by the Irish government to move less-critical agencies out of Dublin, it was relocated 50 miles west to a town called Portarlington, population 8,368, in 2006. Its power was so limited that it could not publicize investigations.
Dixon, whose father was an army officer and mother a teacher, grew up in a small town in central Ireland before moving to Dublin in college. She worked for companies including Citrix Systems before moving into government. She later received a postgraduate diploma in computer science.
Fittingly for her current position, Dixon guards her privacy. She will not share her age, other than saying she is in her “40s,” and she has become more careful with data since taking the job. She does not use Facebook or Instagram (though she does have a LinkedIn profile).
Since taking over in 2014, Dixon has successfully lobbied for more funding and got the headquarters put back in Dublin. A move to a bigger office is in the works. She has hired lawyers, investigators and engineers. The staff will total 140 this year, up from 30 when she joined, with plans to reach 200 in the next few years, if budget increases are approved.
But if data privacy is truly a priority globally, Dixon said, more resources are needed. Her office is actually among the better funded privacy agencies globally, but is still a minnow compared with, say, Ireland’s financial services regulator, which has a budget about 40 times greater.
“The question for governments is, how much enforcement do we want to do, how seriously do we want to take the risk to our fundamental rights and freedoms in this area?” said Dixon, carrying a bound copy of the new law. “We need the funding and resources commensurate with the level of importance. This office would suggest it should be far more highly resourced.”
Budgetary constraints are not new to regulators overseeing powerful industries. But privacy groups worry that without strong oversight, the European rules, years in the making, will do little to crimp the power of Silicon Valley.
There is evidence those concerns are well founded. In a Reuters survey of privacy regulators in 24 European Union countries, 17 said they did not have the needed funding or legal powers to enforce data protection regulation. Ireland did not participate in the survey.
Dixon must also contend with skepticism among privacy advocates, stemming largely from Ireland’s history of lax oversight of the technology industry.
Her predecessors are faulted for not taking earlier action against Facebook, even when complaints were filed years ago about data-mining practices similar to those eventually used by political consulting firm Cambridge Analytica. The European Commission in 2016 also ordered Ireland to recoup about $15.6 billion in unpaid taxes from Apple. (The decision is being appealed.)
“The culture has to be changed,” said Max Schrems, a lawyer and online privacy advocate from Austria who filed the earlier complaints against Facebook. “You can have the best law, but if nobody enforces it, then you’re not going to go anywhere.”
Adam Satariano is a New York Times writer.