Original script may differ from delivered version
Elizabeth Denham's speech at the 30th annual conference of Privacy Laws and Business, Cambridge, on 4 July 2017
Well – this is such an privilege. My role as Information Commissioner takes me all over the world, but I must say that having the opportunity to soak up the Cambridge atmosphere has been a real honour. Thank you Stewart for not only arranging a fascinating conference programme, but for treating us to some behind-the-scenes stuff too.
I wonder if you’ve laid on fireworks? It is the 4th of July after all. US Independence Day.
But in case any of you were wondering – mine is a Canadian accent.
I celebrated Canada Day on Saturday July 1 with my family in Victoria, British Columbia before catching a flight back here to talk to you today.
We marked Canada’s sesquicentennial of being a sovereign nation, a short time by British standards, and from the name, you know my former home of Victoria has a rich British heritage.
But since this is the 4th of July – let’s go back to the United States.
This is Thomas Jefferson.
A Founding Father and the third President of the US. Some 241 years ago his greatest and most powerful achievement was being adopted: the Declaration of Independence that carved out a new, independent nation, after much conflict.
In the world of data protection regulation independence is important too. Independent of the political machinations of Whitehall and independent of the business, industry, charities and public sectors my office regulates.
Having the freedom to exercise my role without fear or favour. Not being in anyone’s pocket. Being equally fair and robust whatever the sector, whatever the pleadings of special interest.
But effective regulation doesn’t work by the regulator’s actions alone. It’s about interdependence. Listening, collaborating, co-operating.
And it’s about being relevant. Keeping one step ahead of the pack. Not always trying to do something new, but doing things differently. Doing things better. Innovating.
At the risk of sounding like a high school history teacher, Jefferson understood that concept.
He said: Laws and institutions must go hand in hand with the progress of the human mind.
As that becomes more developed, more enlightened, as new discoveries are made, new truths discovered and manners and opinions change . . . institutions must advance also to keep pace with the times.
So that’s what I want to talk to you about today. Interdependence and innovation. Because listening to other points of view, considering alternative approaches, collaborating with each other – this gives rise to innovation. Not always doing something brand new, but doing something different to achieve something better.
Innovation and consumer trust
For me, the end game in the data protection field is always about increasing public trust and confidence in how their personal data is used.
This is fundamental. Innovation relies on consumer trust. The digital economy depends on the trust of consumers to engage with it. Trust in both privacy and Freedom of Information regulation is fundamental to democracy.
The way our personal information is handled has never been more important.
We have a digital infrastructure that was unimaginable when the current Data Protection Act was forged 20 years ago.
Technology is moving so fast.
You know I’ve learned a lot of new British-isms since coming here from Canada, including this quaint motto: An Englishman’s home is his castle.
That castle may be warm – thanks to your internet-connected thermostat. It may be restful – thanks to Alexa’s choice of soothing mood music. It may be efficient – thanks to your smart meter that keeps tabs on how much you’re spending on energy.
All this creates a digital trail. Almost everything we do – keeping in touch with friends through social media, online shopping, exercising, driving, watching television leaves a digital trail.
Then add in Big Data, AI and machine learning – these tools and technologies are all gathering momentum.
It’s my job to make sure that people’s fundamental privacy rights are not sacrificed in the name of innovation.
And we are on it.
Some of our most high profile cases – those that define my office and how we see the law – involve services and businesses used by millions of people.
In May, I launched an investigation into how political campaigners use data analytics to target potential voters with bespoke adverts or information.
My office’s investigation is ongoing but this much is clear: these tools can have a significant impact on people’s privacy and it is important that there is greater and genuine transparency about the use of such techniques. We must ensure that people have control over their own data and that the law is upheld.
The Facebook/WhatsApp case allowed my office to shine a light on how the proposed sharing of data would really impact on users’ privacy. Our intervention – along with a number of other European data protection authorities - was quick and effective. As a result, Facebook felt compelled to pause data sharing until it could satisfy the concerns of the European data protection supervisors, of which I am one!
I will always stand up for the privacy rights of UK citizens. I listen to what they say. What they are worried about. Where they feel their trust is being eroded.
I’ll tell you what I don’t hear. I don’t hear people wondering about future adequacy arrangements or what our role will be with the future European Data Protection Board.
These are important issues that underpin the data protection framework, but they are not what concerns the person in the street. What I believe citizens are interested in is what protection is being given to their data. Who’s holding organisations to account on their behalf? Who’s on their side?
To me, as the regulator, these are relevant questions.
Yes, these are changing and challenging times, but they are also an opportunity to have a direct impact on public trust.
That’s what our new Information Rights Strategic Plan sets out to achieve. It is a guide to how the ICO will grow, evolve – innovate - to make sure we’re staying relevant and making a difference.
At its heart is public trust and confidence.
Because I think it’s clear that a lot of people feel they’ve lost control of their own data. Our last ICO survey found that three quarters of UK adults don’t trust business to look after their personal information. Their phone number, address, email. Their bank details.
That’s shocking to me. Is it shocking to you?
That’s why consumers and citizens are central to what we do at the ICO and why, in the first year of my tenure as UK Information Commissioner, I have further equipped my office to get the job done.
You know, when I first arrived here a lot of people asked me why I wanted this job. I wanted it because I have long-admired the work of the ICO and its place in the world. And I felt I had something to offer – that I could take it to the next level. That I could innovate.
So I’ve shaken things up a little.
My senior leadership team has been strengthened to help us to meet the challenges of GDPR, Brexit and whatever comes after that. My tech resource – already expert and knowledgeable – is being expanded. I have created a new department to deal with international issues – more of that later – and I now have a bespoke Parliamentary liaison team as well as a London office to strengthen our influence in Westminster.
And speaking of Westminster, it was encouraging to see data protection enjoy such prominence as part of the Queen’s Speech. We’re pleased the government recognises the importance of data protection, and its central role in technological innovation and trust in the digital economy. We look forward to offering our view as to how the UK can continue to ensure its strength in this area.
Whilst I consider the ICO to be an innovative regulator – willing to do things differently – it is also a champion of innovation in others. But there are rules.
May I return to Jefferson? He said: ”In matters of style swim with the current; in matters of principle, stand like a rock.”
When it comes to privacy and innovation, I am immovable.
Many times I have said that privacy does not have to be the price we pay for innovation. The two can sit side by side. They must sit side by side.
It’s not always an easy partnership and, like most relationships, a lot of energy and effort is needed to make it work. But that’s what the law requires and it’s what the public expects.
Our investigation into the Royal Free Hospital is a case in point. This was a tough one and I’ve had to make hard choices balancing fundamental privacy rights with genuine medical progress that is saving lives.
My final report has sent a clear message to innovators of the future – take privacy into account. The end, no matter how laudable, does not justify the means.
I mentioned earlier that our current research shows that three quarters of the public don’t trust the way businesses use their data.
You will also know that I want to see that statistic reduce. But that requires evidence of what is causing the problem as well as considered ideas for how to address it.
So last month I launched a Grants Programme to promote and support independent, innovative research and solutions focused on privacy and data protection issues.
There will be a number of grants awarded each year for a minimum £20,000 and a maximum £100,000.
We are also looking at how we might be able to engage more deeply with companies as they seek to implement privacy by design.
How we can contribute to a “safe space” by building a sandbox where companies can test their ideas, services and business models. How we can better recognise the circular rather than linear nature of the design process.
Separate, but related, we need to become more comfortable about recognising good practice and drawing on exemplars. To that end, all outputs from the projects will be placed in the public domain.
We should be able to find ways to give credit where credit is due without that translating into a free pass for an individual organisation or practice.
Working with other regulators
I’ve spoken a lot about innovation but I promised to talk about interdependence too.
Look around this room. Take a glance at the conference programme. 15 nations officially represented. All of us listening and learning from each other. Contributing to the discussion and wanting to be a part of what happens next.
And what will happen next? Well, we know GDPR is coming on May 25 2018. That’s 325 days away. And we know there will be a new data protection act to fill in the gap.
My office is contributing to guidance for organisations. Staff are speaking at key conferences and events and we’re supporting businesses with online resources like our small business toolkit.
And then there’s Brexit and what our data protection law will look like once we’ve left the European Union.
How will the UK’s implementation of GDPR evolve once we exit? How will data flow? Will the government seek a determination of adequacy? When I’m talking to organisations, trade bodies, financial institutions, I get asked these questions a lot.
Because stable data transfer is crucial for all sectors – not just business.
Crime doesn’t respect national borders – so there are implications for national security and cross-border policing. Medical research communities operate on a global basis. And commerce does too – it’s as easy to buy a book from an online shop based in Canada as it is to pop into a local bookshop here in Cambridge.
Ultimately, these issues will be dealt with by Parliament.
But we are standing front and centre ready to contribute to those discussions. And we are doing things right now to ensure the high standards we have in the UK are maintained so we can better navigate smoothly through Brexit and beyond.
We remain an active member of Article 29 and are influencing major guidance, such as consent and profiling. My office has enjoyed a good relationship with the Council of Europe since 1981 and we are strengthening those links.
We are proud and active members of the Common Thread Network which links up data protection and privacy authorities in Commonwealth nations. I am pleased to say that South Africa has recently become our newest member. I am also pleased to say that I have been confirmed as co-chair of the network along with Executive Director Tekki Akuetteh of Ghana.
We will continue to play a leading role in international networks – I have been very involved, for example, with privacy authorities in the Asia-Pacific region and I have recently been in the US to speak with authorities such as the Federal Trade Commission and the Federal Bureau of Investigation. Data knows no borders and we have shared files with these agencies.
More and more countries are adopting data protection laws. Others, like Japan and South Korea are modernising them. And we’re all looking to each other to include the Best Bits into our own laws. Converging. The Data Protection Impact Assessments in GDPR originated in the US, for example.
So now is a good time for us to hear from others and, in the spirit of interdependence, listen to what they have to say. I can tell you what I think is happening - what I see happening - but I very much wanted to give you the chance to hear it from the horse’s mouth, so to speak.
My counterparts in three very different parts of the world kindly agreed to take time out to give their view of the world and their place in it. They’ll give us their take on how data protection is aligning globally and what aspects of their own legislation they consider key.
First up Daniel Therrien, Privacy Commissioner of Canada. This is a country whose laws I know well.
Next to Germany. We’ll hear from Commissioner Andrea Vosshoff from the Federal Commission for Data Protection and Freedom of Information which advocates an international alignment of data protection laws.
And finally a trip to the other side of the world. John Edwards, the New Zealand Privacy Commissioner endorses a practical, straight-forward approach that sets out a standard of expectation for citizens.
Interesting stuff, yes? And I must formally thank my international colleagues for taking the time and effort to contribute to this speech.
The movement towards global convergence that they reference is nothing new. If you look at the broad history of privacy and data protection over the last 40 years there has been a general convergence of understanding about what it means for an organisation to process personal data responsibly. And there’s a general agreement about the rights that individuals should have over that data.
This has been – and is – a complex process of networking involving give and take from the global community. There has been a matching up of standards, of course – guidelines, conventions and, most notably the EU directive and GDPR.
And these formal standards have had an impact on later adopters. The more people you have in the data protection club, the more benefits there are for others to join and for them to make their data protection laws align to existing international standards.
But there are less formal routes too.
There is a robust international network of regulators, advocates, tech experts, academics, corporations that talks, listens, meets in venues all over the world. Venues like this one. As a result there is a growing global understanding of what works and what doesn’t.
So that now we have a data protection toolbox that, instead of being applied to a particular nation, has become global. Twenty years ago there were few Privacy Impact Assessments in Europe. Codes of practice were only apparent in a few countries, such as the UK, New Zealand and the Netherlands. And privacy-enhancing technologies were generally considered useful add-ons that consumers and organisations could choose as they wished.
Now there is a common recognition that all authorities need to make creative use of all the tools in the toolbox.
And this global repertoire of instruments is reflected in the GDPR. Let me reel some off - privacy by default and design, codes of practice, privacy seals, PIAs, data protection officers, accountability mechanisms for good privacy management.
Europe made vigorous efforts to learn from abroad and to embrace policy instruments that were pioneered in other countries.
And on the thorny subject of cross-border transfers, there are now a variety of tools available to regulate that too. In addition to adequacy assessments based on the black letter of the law, we now see also Binding Corporate Rules, Standard Contractual Clauses, codes of conduct, standards, seals - all available to facilitate the legal transfer of personal data.
It seems like we’re following Jefferson’s advice to advance and keep pace with the times.
There’s something else we can learn here. Perhaps this global willingness to use a whole range of tools reflects an emerging recognition that data protection does not require top-down, command and sanction regulation.
That’s not to say that enforcement powers strengthened under the GDPR will not need to be used as necessary. But it does recognise that regulation is not, and never has been, a top-down process. We can achieve so much more by taking softer approaches – steering rather than rowing, guiding rather than commanding.
Our work in this area is being spearheaded by my new International Strategy and Intelligence Department – which has international activity as its core focus.
It was set up as part of our new International Strategy, which I have published today.
The strategy sets out how we will maintain and develop our influence within the global information rights community over the next four years.
It should be noted that this document – this blueprint for how we’ll deliver on our international objectives – was informed by experts from all over the world who challenged our perceived priorities and advised on what our next steps should be.
Much of what I’ve been talking about today is contained within its pages – maintaining our influence in Europe during the transition to GDPR, through Brexit and beyond; maximising our relevance in an increasingly globalised world; ensuring that UK data protection law and practice sets the bar for high global standards; and addressing the uncertainty of legal protections for international data flows to and from the EU.
Europe will always be important to us, but a lot of our work is going to be beyond the Continent. Not because we’re exiting the EU, but because data knows no borders.
Research (by TechUK and Frontier Economics) shows that the UK’s digital economy is growing 30 per cent faster than the rest of the economy.
But the rest of the economy is becoming ever more digital too, as globalisation accelerates and the need for businesses and services to operate across borders becomes increasingly important.
This growth is a key driver for the UK economy. But there must still be protective measures in place for consumers.
It all comes back to consumers. Citizens. People.
I’ve spoken about the importance of public trust and confidence in a world where technology is moving so fast, it’s hard for considerations of personal privacy to keep pace. But as the regulator it’s my job to protect the rights of citizens and ensure that privacy is afforded the same consideration as innovation.
There is little doubt that there are challenging times now, and challenging times ahead. But we are well placed to tackle them. We have a voice. It’s a powerful one and it is heard around the world. But we are excellent listeners too. That is our strength.
And these challenges, they are opportunities. A chance to give people back control of their own data.
Indulge me as I conclude by returning to my US theme. As yet another great American innovator, Thomas Edison, said: “Opportunity is missed by most people because it is dressed in overalls and looks like hard work.”
Well, my capable staff and I? We’re not afraid to get our hands dirty.
Thank you for being here today.