FEATURE 4 May 2017

Laying down the law


Information Commissioner Elizabeth Denham has a habit of taking on challenging roles. She tells Bronwen Morgan how her latest could be her toughest yet


It’s cold and grey in London on the day I meet Information Commissioner Elizabeth Denham. But she doesn’t seem to mind. “I’m used to the rain,” she says. “I come from British Columbia and I find the weather very similar. Vancouver weather – Victoria weather – is a lot like London and Cheshire, so I’m not surprised by some gloomy skies. I’ve adjusted to that.”

In July 2016, Denham moved from Vancouver to Cheshire with her retired computer-scientist husband, to become the UK’s Information Commissioner – the fifth since the role was created in 1984 – replacing Christopher Graham, former director general of the UK Advertising Standards Authority, who had completed his five-year term. 

The Information Commissioner’s Office (ICO) is the independent body established to uphold information rights in the UK. One of its key tasks at present is the rollout of the European Union General Data Protection Regulation (GDPR), which was approved by the EU Parliament in April 2016, after four years of preparation. 

The GDPR is intended to strengthen and unify data protection for individuals within the EU. Denham describes it as a “once in a generation change, and a new high watermark for data protection”. When it is fully introduced in 2018, the regulation will herald several key changes, creating a single, broad set of rules across the EU. These changes include: expansion of the definition of personal data; greater liability of data processors and controllers; increased fines; and strengthening of the enforcement regime. 

Seeing this through would be a challenging task at the best of times, but Denham agreed to take it on before British voters’ unexpected decision to leave the European Union. 

“I thought I’d be coming to this job with an established set of challenges: new law, new regulation – I knew there would be some complexities, but I thought the pathway was fairly clear,” she says. “But I applied for the job before the referendum and I started just afterwards, so what I didn’t anticipate was the significance of the challenge presented by the decision.”


Question marks

Coming in, the biggest questions Denham felt needed to be answered were: what would happen to regulation as a result of the Brexit vote; what would the law look like in 2018, when the regulation is live; and what would happen after that?  

“There were so many question marks. My first six to eight weeks in the role involved a lot of meetings with stakeholders and government officials – meetings with senior public servants to hammer out what this could mean.” 

As it stands, Denham says there could be some uncertainty in the years after Brexit but – because data is foundational to the digital economy and data needs to flow – she believes there’s a very strong argument that the UK will have equivalent laws to the European Union.


Challenges

Denham has form in taking on tasks of this magnitude; she held a role in Alberta, Canada, where she was charged with building the regulatory programme for a new private sector privacy law. After that, she went to the Canadian federal regulator, to take over when another new law came into place (see CV box). 

“Perhaps there’s some consistency in my movement,” she says. “I’m following the new laws and engaging in the challenge of bringing in a new law.” And although she’s thriving on that challenge, the impact on her task of the Brexit vote was immediate and sizeable.

“It didn’t allow me to take my time and settle into the role. I barely had my feet under the table when we were meeting with government, with industry groups, commissioning legal research; we were right into the work from day two. The policy work and the advisory work was pretty significant very early on, and will continue. 

“I work with my 27 colleagues – my European counterparts – and we’re looking at consistency and policies, and decision-making in the GDPR. At the same time, the UK is planning to leave that group. So it’s a complicated relationship. And I’m a Canadian to boot, so it’s interesting.” 

The ICO deliberately advertised the role beyond the UK, Denham says, and she was specifically encouraged to apply. 

She was known in Canada for her aggressive approach – in particular for a hard-hitting investigation into a ministerial official deleting emails that were covered by a freedom of information (FOI) request – as well as for leading a probe into privacy in Facebook, which resulted in global changes to the social networking site. 

Denham regards the ICO’s decision to advertise the role globally as a demonstration of its interest in the wider world and the idea that international candidates – in particular those from Commonwealth countries – might have something to bring. Although, naturally, there are differences between information law in the UK and Canada, many broader issues are applicable to both countries, and the institutional framework is similar.

I ask Denham if being a Canadian has added an extra layer to the challenge. She believes that while there are similarities between the two countries that have made the change easier – for example, data protection laws and FOI laws have fundamental principles, and there are shared parliamentary traditions – there are also a number of differences. 

“The language is different – that was a big surprise to me,” she says. 

“The business traditions and business language are different; I find my staff quite often say: ‘Well, that’s a very North American thing to say’ – and I think what they mean is how explicit or direct the language is in business in North America, compared with in the UK.

“I have a 500-page book of British idioms that I’m studying so I can understand what my staff say.” 

The other key difference, Denham explains, is that the British public is concerned with a noticeably different set of threats from their North American counterparts. 

While Britons are seemingly worried about commercial marketing, nuisance calls and the trade in personal information, North Americans are more concerned about government and police surveillance.


Proactivity

Although GDPR implementation and the data-protection regime are the focus of Denham’s work, her priorities for the office are a little different. Bringing in a new law is not just about setting up the complaint process, she explains, or working out how to administer sanctions and fines, but about connecting to the industry – to the organisations that are going to be impacted by the law. 

She is keen for the ICO to set out its stall as a proactive regulator – to “go out looking for trouble” and not just wait for complaints or issues to land on its doorstep. This, she says, involves understanding potential future – not just current – risks to data protection, in particular from new technology. 

Denham knows, first hand, the opportunities that technology can offer; one of her sons (she has four children) is an app developer in Silicon Valley, the other a particle physicist teaching data analytics. She also sees it in the cases that the ICO takes on.

The drive to improve the technology capacity of the ICO has begun with the imminent search for a chief technology strategist and more technical investigators. “We need to be more connected with tech developments, with universities, so that we can learn more and be on the front foot when it comes to changing technology – because technology moves much faster than the law,” Denham says.

So are there any technological developments that she’s particularly wary of?

“I think what we most need to understand is the adoption of sophisticated analytics, machine learning, and artificial intelligence, because the tech is so far beyond where we examined it before. 

“This isn’t a question of databases coming together, this is about opaque data processing, where individuals don’t really know what they can complain about because they don’t know what’s happening. I think the regulator’s going to play a really significant role in ensuring that there’s fairness and transparency in the way data is processed and shared.

“That’s what I mean about being proactive; we don’t just wait until calls come in or complaints come through the door – we actually go out and look at what’s happening in the environment.”

Another issue that will come under close scrutiny by Denham in the years to come is business-to-business trade in personal information. She has already issued the regulator’s first fine to a data broker; The Data Supply Company has been ordered to pay a £20,000 penalty for unlawfully trading personal information. According to the ruling, the information was acquired from other firms’ websites, where many of the privacy notices were ‘too general and unspecific to comply with the law’.

This adds to another record for Denham; she has already overseen the ICO’s largest fine to date, of £400,000, issued to telecoms company TalkTalk after it failed to protect consumer data from a cyber attack. The maximum possible fine under existing regulation is £500,000; under the GDPR, the ICO will be able to hit firms with fines of up to 4% of their global turnover. 

However, Denham recognises that there is a difference between those companies that are aware of the law and deliberately ignore it, and those that are not as familiar with the nuances of the legislation. 

“We have the discretion in our enforcement policy to take action against those who know what the law says – and know how to apply it – but purposefully disregard it, and others that need a stern letter and an education session,” she says. “We have the discretion and the ability to see the difference.”


Self-regulation

Enforcement doesn’t stop at the ICO’s front door, however. At the beginning of the year, the regulator confirmed that it had investigated itself for failing to meet British data protection laws on a number of occasions since 2013. It has upheld 14 of those complaints.

“The ICO handles a lot of personal data in the processing of our complaints – in carrying out our regulatory role – and, sometimes, we make mistakes and personal data has been sent to the wrong address,” says Denham. “We act on that; we have good controls, but no organisation is 100% perfect and never going to lose data or share data inappropriately. What we’re looking for is not perfection, but the capacity to comply with the law and take appropriate action and redress when something goes wrong.” 

Denham feels that other industries could learn from researchers when it comes to approaching data protection in a balanced way. 

“I think the research standards are a model for the way forward in figuring out and balancing the legitimate interests of an organisation to use data, and the legitimate interest of an individual to their privacy,” she says. 

“The research community has a blueprint for weighing those two – sometimes competing – strong public interests. There is a lot that researchers can show to companies that are trying to figure this out for themselves. 

“It’s in their DNA. Companies that have been in the research business for a long time have dealt with data-protection issues. Now we are moving into a scale beyond where we were before, but the same principles apply: fairness of data processing; transparency for individual consumers; that people understand what’s happening with their data, and so on.  

“Because the good players in the research industry are doing the right thing already, the new rules in the GDPR – and the use of new technology – shouldn’t change that game. 

“That’s not the case for other industries that are just discovering the value of data for the first time.” 
