Facebook — like other tech giants — set up a subsidiary in Ireland to take advantage of low Irish corporate tax rates. The company says its global users fall under that subsidiary's jurisdiction. But that also makes Facebook subject to Irish law.
And that's where Billy Hawkes comes in. He's Ireland's Data Protection Commissioner. Hawkes is in charge of protecting the privacy of some 990 million global Facebook users. It's a job he takes seriously.
"The key thing you are looking out for is that [these companies] are fully respecting the rights of users," he says. "First of all, that they are very clear to their users what exactly is the deal — what information we're collecting about you and how we're going to use it.
"The basic deal when you are using these so-called 'free' services is that you are not charged any money for the service, but what you do is you give a license to these companies to use the information you place on the site to charge advertisers to be able to target you. And the richer the information you provide on these sites, obviously, the more these companies can charge."
One major complaint, says Hawkes, is that people don't feel they are seeing all their private information when they ask Facebook for it. "We do reply patiently," he says, "giving them the full list of data items that you can actually get automatically from Facebook. And that usually is sufficient to satisfy them."
Hawkes says many complaints he receives have nothing to do with data protection. Instead, people often complain to his office about something said about them on Facebook. That, he says, is in the area of defamation law, not data protection law.
People will often complain, as well, that they deleted their Facebook accounts, but they don't believe the account actually was deleted. Hawkes's office confirms that the accounts were deleted.
He says global users of Facebook have different rights than those in North America. They can access all of the information Facebook collects, if they request it, and have the ability to delete their accounts permanently. In the US, when someone deletes a profile, it goes into a sort of ghost mode, ready in case the person decides to log back in.
Hawkes does have his critics. Many don't think he's doing enough to protect personal data. But Hawkes thinks most of those critiques are based on a misunderstanding of how business is done in Ireland.
He says people who come to Ireland are often surprised that the police don't carry guns. "So by definition, they have to talk to people because it is a matter of survival." He says his office has the same method for protecting data security. They explain their expectations and the law clearly to companies like Facebook and then point out that they can force the companies to comply if they don't.
People have the impression that the Irish are "soft touch" regulators, he says, "because so much of our work is done quietly, behind closed doors, but very effectively. ... We don't spend our time issuing press releases condemning companies. If we have to, we beat them up behind closed doors, and then we all go out smiling," he says, "and we find this a very effective way of doing business."
Hawkes doesn't worry so much about privacy issues for young people because he thinks they are savvy about how the Internet works. "Sometimes, we don't give enough credit to young people. Certainly, they are quite tech savvy. In fact, in many ways, the generation we need to be more concerned about is an older generation who ... may not be as tech savvy and may not be as used to the precautions you have to take to protect yourself."
Editor's note: This article was updated to include additional information.