On 1 June 2015, users of Dropbox, the popular online file-sharing service, became subject to Irish data protection law and the Office of the Data Protection Commissioner (ODPC). This change follows a similar move by Twitter, whose users outside of the US became subject to Irish regulation on 18 May 2015.
With many of the world’s largest technology companies basing their European operations in Ireland, the ODPC remains firmly in the spotlight. Reacting to the Twitter decision, Data Protection Commissioner Helen Dixon noted that the ODPC already saw itself as responsible for policing Twitter insofar as Irish users are concerned. While the ODPC has come in for some criticism, particularly in the wake of Max Schrems’s much-publicised case involving Facebook, the Commissioner has strongly defended the position of her Office, commenting that the criticism “doesn’t stand up to any analysis and there’s no evidence for what’s asserted in most cases.”
Having already secured a doubling of funding, a new Dublin office and an ambitious recruitment drive (as reported here), the Commissioner has restated her Office’s plan to audit Apple, Yahoo and Adobe. Facebook has already been through two Irish data protection audits – a process described by the Commissioner as “incredibly thorough”. The Commissioner has also described the regular contact her office has with Facebook (indeed, the Commissioner has not ruled out a further audit), demonstrating a desire to understand how companies operate and process data.
This ongoing engagement with organisations, particularly in the tech sector, shows the ODPC’s willingness to adopt a pragmatic approach to regulation.
Meanwhile, European legislators are negotiating a new Regulation to replace the existing Data Protection Directive. Under the latest text, national data protection authorities would have a greater say in cross-border enforcement cases and a new European Data Protection Board (EDPB) would resolve disputes between them.
In that context, Facebook EMEA’s Vice-President of Public Policy recently warned against a fragmentation of data protection regulation in Europe. Facebook is not alone in expressing concern that recent developments could undermine the clarity and efficiency envisaged by the “One Stop Shop” proposal.