Kia ora koutou katoa.
That's a greeting in te reo Māori, the Māori language of my homeland, Aotearoa New Zealand.
Thank you for the kind invitation from the Chair to speak before this Committee.
I am pleased to be here as the UK’s regulator for data protection.
My principal reason for being here is to provide you with reassurance that I take my responsibility of protecting Europeans' data in the United Kingdom very seriously, and that I will continue to do so through the process of law reform, and beyond.
It is a privilege to have that responsibility, and I am pleased to account to you, as elected representatives of those whose data I am entrusted to protect.
The world of privacy and data protection has become more complicated, and more important, as technology develops and new data-based business models emerge. These changes present challenges to consumers and regulators, whether from New Zealand, the EU, the UK or elsewhere in the world.
Data protection legislation touches every part of our lives. Our increasingly digital society and economy are built on trillions of uses and exchanges of personal and public information every day.
And we are more interconnected than we have ever been. Data moves around the world at the speed of light. The same data can be in many jurisdictions contemporaneously.
This is why it is so important for regulators like my office to build and maintain strong links with international colleagues for the mutual benefit of all of our populations.
I am an independent statutory officer, with a mandate from the British Parliament to act in the best interests of the people of the United Kingdom.
The UK, of course, has a common law framework, unlike Europe, which creates a different regulatory approach.
But the principles in our respective laws which underpin GDPR are shared values.
We need to work together with our European colleagues, and with industry, to ensure the people of the United Kingdom, and of Europe, enjoy a high standard of privacy and data protection.
The domestic and international political upheavals and transformations of recent years have done nothing to affect the ICO’s, and my, commitment to ensuring that the UK provides the highest levels of personal data protection for all EU citizens.
It remains a fact, and will continue to be the case, that data in Manchester or Belfast will be protected to the same standard as data in Madrid or Belgium. To maintain this requires strong relationships and communication between regulators.
It is of course a fact that the ICO is no longer part of the European Data Protection Board, and that the mechanisms for consistency in the application of the GDPR are no longer formally available to us.
We would like to see the Commission and EDPB use the tools under Article 50 GDPR to facilitate cooperation formally with third country data protection authorities, and we remain willing and available to work together on that basis.
However, in the absence of that one forum for sharing and collaboration, I continue to work bilaterally with my European colleagues, and to participate with them in fora from the G7 groups of data protection authorities, the OECD, the Global Privacy Assembly, the Council of Europe and others.
These forums provide opportunities for us to explore solutions to the many challenges we face. Ranking highly amongst those is how to meet the challenge set by Japan for the 2019 G20 of achieving data free flows with trust.
It is important that we do not close the door on any initiatives in this area, and that is why I welcome the UK's involvement in the Global CBPR Forum, and urge colleagues in Europe also to participate in those conversations.
I am delighted to be here this week to meet with this Committee as well as regulatory counterparts here in Belgium and later in France to build and strengthen our existing partnerships in a spirit of friendship and co-operation.
We sometimes hear criticism that my office doesn’t enforce the law enough. That we should be issuing more, and larger fines. But fines are not the only expression of enforcement and arguably often not the most effective.
In my view, enforcement involves a range of regulatory responses to non-compliance. There is a spectrum from warnings and reprimands at one end, through to compliance orders, orders to delete data and significant fines at the other.
In the past 18 months we’ve issued more than 40 reprimands to public and private organisations, ordering them to improve compliance and data protection practices.
Fines certainly have their place. Where an organisation has profited from unlawful non-compliance, and put people’s data at risk as a result, it is incumbent on me to reach for the most strict sanctions.
For example, we recently fined TikTok £12.7m for a number of breaches of data protection law, including failing to use children's personal data lawfully.
We also fined Clearview AI Inc £7.5m for using images of people in the UK, and elsewhere, that were collected from the web and social media to create a global online database that could be used by some police forces for facial recognition.
But a regulator’s success or failure is not measured by the number or quantum of fines it issues, but by the outcomes its actions have for individual rights.
The Data Protection and Digital Information Bill will help us get better outcomes for the people of the UK, and EU citizens whose data is in the UK will also benefit from that. The Bill gives us enhanced powers, more transparency and more accountability, so I'd like to tell you a little more about that.
I met members of parliament in London last week to give my overall views on the UK's Data Protection and Digital Information Bill. And I expect to remain engaged by parliamentarians with interests in the reform bill throughout its parliamentary journey.
The Bill is an ‘evolution’, not ‘revolution’. It amends the existing data protection framework, rather than replacing GDPR. When you examine it, you will see that the foundations remain the same, and will achieve the same or improved level of protection for data as is currently the case.
The governance changes in the Bill mean that the ICO will have greater diversity and resilience at its most senior decision-making level. It preserves the independence we require to regulate both business and the public sector. The Bill increases the ICO’s accountability to the UK Parliament and the public through reporting obligations. I welcome that transparency measure.
One aspect of this new accountability framework that has been mentioned is the ability of the Secretary of State to set “strategic objectives” for the ICO.
These will be at a high level and will not make a material difference to the independence of the ICO. For example, I will only have to "have regard" to those matters. Having done so, I am free to exercise my own judgement on the matter before me. They will not create any opportunity for any member of government to interfere with or influence the activities of the ICO on a day-to-day basis.
As the UK’s independent regulator, we’ve been advising the UK Government based on our experience of the current regulatory regime.
We set out a number of concerns during the consultation process.
We felt strongly that giving the minister the power to approve or reject all complex or novel guidance would reduce the ICO’s independence.
We raised these concerns with government and have worked closely with them to find a solution which maintains our regulatory independence and promotes trust and confidence in the process.
As a result, the power of the Secretary of State to approve or reject guidance applies only to the most significant matters requiring a statutory code, and we have ensured that safeguards are put in place to enhance the transparency and accountability of the process.
Subject access requests are an important tool for individuals exercising their data protection rights. I want to reassure the Committee that the basic right for anyone to request information about themselves is not changing.
The bill provides more detail on how organisations can handle requests that are vexatious and excessive.
We advised government on the importance of subject access requests and were successful in convincing government to abandon a proposal to introduce charging for requests.
We advocated strongly, and successfully to retain human oversight of automated decision making.
As expected, the UK achieved adequacy. And the UK Government has been in regular contact with the European Commission to ensure adequacy is retained. The regulator is not part of the adequacy decision making process. And we know that any law reform will mean a re-appraisal of adequacy. In my view, nothing in the Bill will jeopardise that position.
The Bill follows the GDPR model for international transfers, so European authorities need not be concerned that European data will be subject to onward transfer to jurisdictions that do not have sufficient protections.
In 2018 the UK government chose to include national security data processing by the UK’s intelligence services in its enactment of the GDPR.
This coverage of intelligence services also provided the ICO with the ability to enforce data protection law in this area.
This represents a strong approach by the UK to ensuring that national security data processing balances its duties to safety with a regard for data subject rights.
The UN Special Rapporteur highlighted progress on the effective oversight of the UK's intelligence services following his visit to the UK in 2021.
Taking all those areas together I’m pleased to say that we are able to support the Bill as it currently stands.
The work the ICO is already doing and the new opportunities the Bill presents will help us on our mission to “empower the UK public through information”.
I hope that reassures you that the same protections apply to European citizens.
But for our mission to be successful we need coordination and cooperation and to be an outward looking regulator.
I was delighted to speak yesterday with the Belgian Data Protection Authority on our shared ambition of closer collaborative working.
This builds on our success of achieving a Memorandum of Understanding with the Irish Data Protection Authority.
I also look forward to conversations on cooperation with the Dutch Data Protection Authority later today and French Data Protection Authority on Thursday.
Finally, I am very pleased to be attending the EDPS and BfDI event, hosted by the Bavarian Data Protection Commissioner this evening, to celebrate the 5th anniversary of the GDPR, and meeting many of my European friends there.
Let me end there on that note of positivity to say happy anniversary, GDPR.
Thank you, Chair. And I am happy to take questions.