Audio Transcript:

Marco Werman: Facebook is one of those global companies. The California-based social media giant is often the target of privacy complaints from users here in the US. Users outside North America have to go through Ireland. You see, Facebook, like other tech giants, set up a subsidiary there to take advantage of low Irish corporate tax rates. The company says its global users fall under that subsidiary's jurisdiction. But that also makes Facebook subject to Irish regulation. And that's where Billy Hawkes comes in. He's Ireland's "Data Protection Commissioner" in charge of protecting the privacy of millions of people.

Billy Hawkes: The key thing you are looking for is that they're fully respecting the rights of the users. So first of all that they're very clear to their users, what exactly is the deal, what information we're collecting about you and how we're going to use it. The basic deal when you're using these so-called free services is that you're not charged any money for the service, but what you is you give a license to these companies to use the information you place on the site to charge advertisers to be able to target you. And the richer the information you provide on these sites, obviously the more these companies can charge.

Werman: What are the typical complaints you get from, for example, Facebook users when they call the Data Protection Officer, get in touch with you?

Hawkes: Well, one major complaint is, "I'm not getting access to all of my information when I ask for access to all of it." We do reply patiently, giving them the full list of data items that you can get automatically from Facebook and that usually is sufficient I think to satisfy them. Other complaints we have received in fact aren't data protection complaints. They are objecting because they don't like what somebody else has said about them on Facebook, but that's not in the are of data protection as such. It can ultimately be in the area of defamation law, but not strictly data protection. And also we get complaints that, for example, "I asked for my account to be deleted and I don't believe it has been deleted." So we have to point out to them or establish as necessary that your account has been deleted and that's your right under data protection law.

Werman: I mean just on Facebook alone you've got nearly a billion users outside North America. You've also got to watch these international companies in Ireland. And I saw a picture of your office. You don't have a lot of space. I mean how do you do this huge job?

Hawkes: Well, I think we take it quite calmly. In Ireland, we're fairly well known for communicating, so we do communicate very clearly what our expectations are. Again, the approach, as I say, is one they choose to establish in Ireland. We set out clearly what is expected of them and if we discover in fact there's something that has not been dealt with adequately in our audit then we do investigate it. Under the law we must give a formal decision as to whether or not the law has been broken, and if it has been broken we have a duty to enforce it.

Werman: I've seen some critics say that your office actually allows companies to do whatever they want with personal data. How do you respond to that?

Hawkes: I think it's based on a total misunderstanding of how we do business in Ireland. People who come to Ireland are often surprised, for example, by the fact our police aren't armed. So by definition, they have to talk to people because it's a matter of survival. Our method of enforcement is to explain our expectations quite clearly, to make clear, "You must comply with the law," and then to point out, "We can force you to comply if you don't." So I think it's partly because so much of our work is done quietly as it were behind closed doors, but very effectively that this perception exists that we are a soft-touch regulator. In other words, we don't spend our time issuing press releases condemning companies. We basically, if we have to, we beat them up behind closed doors and then we all go out smiling. That's our approach in general. And we find this a very effective way of doing business.

Werman: I mean, Billy, you know from firsthand experience how this data privacy thing works. Has the kind of proximity to it changed the way you use your own computer?

Hawkes: It certainly made me more conscious I think of data, more conscious of what you would put on the internet. I'm certainly likewise telling my children to try and get them to be a little careful because, again, the generation, they're in the post-teens, being on social networks is just an integral part of their life. It's an extension of what we would regard as real life, so it's a new way of socializing. So I think it's question of educating them also through the educational system. I must say I do think that sometimes we don't give enough credit to young people. I think certainly they're quite tech-savvy and in fact in many ways I think the generation we have to be more concerned about is an older generation who, for example, to communicate with their nephews or grandchildren who may be on another continent, may not be as tech-savvy and may not be as used to the precautions you have to take to protect yourself. Certainly that's my experience both dealing with my own family and more generally with the type of issues that come to our office.

Werman: Billy Hawkes is the Data Protection Commissioner of Ireland. Thank you so much for your time, sir.

Hawkes: Not at all.