Elizabeth Denham’s speech to the International Privacy Forum, a public event following the 50th Asia Pacific Privacy Authorities (APPA) Forum in Wellington, New Zealand on 4 December 2018.
Ms Denham spoke about convergence and the importance of strong international relationships particularly in the context of the GDPR.
Original speech may differ from delivered version.
I’m a long way from my own front door! Or at least my front door in my adopted country! But I must say in some ways I feel right at home. My links with APPA are wide and deep. When I was Privacy Commissioner for British Columbia I held the secretariat for APPA and I have fond memories of hosting APPA meetings in Vancouver.
I am a frequent flier. Once a month, I travel to Brussels to sit on the European Data Protection Board with regulators from 27 other EU jurisdictions. That’s the independent body set up to ensure consistency in the enforcement and oversight of the General Data Protection Regulation across borders.
And over the past year I have spoken at events all over the northern hemisphere. But it’s rare that I make it this far south.
During this trip I’m talking with my fellow regulators in the Asia Pacific region. On my way to the APPA meeting, I had a fascinating stopover in Hong Kong to visit Commissioner Wong and his office. They are out in front in their thought leadership on digital ethics and accountability. And I am delighted to be back in New Zealand meeting other Asia Pacific regulators and national bodies in this country. I then move on to India where I’ll be meeting ministers and tech leaders in that emerging powerhouse.
As Commissioner in the UK, I am one of the member authorities on the European Data Protection Board.
But the ICO’s international imprint goes deeper than Europe.
The ICO is a co-chair of the Common Thread Network which links up data protection and privacy authorities in Commonwealth nations. The network promotes cross-border cooperation and builds capacity by sharing knowledge on emerging trends, regulatory changes and best practices for effective data protection.
And I was recently elected chair of the International Conference of Data Protection and Privacy Commissioners – the ICDPPC. Following in the footsteps of my colleagues John Edwards and Isabelle Falque-Pierrotin, the French Commissioner.
The ICDPPC is a truly unique global forum encompassing more than 120 independent privacy authorities from across all continents. It champions strong and independent authorities and ensures they can share cutting edge policy and enforcement experience. Several of my ICDPPC Executive Committee commissioner colleagues are here today – Raymund, Marguerite, Angelene – we pretty much have quorum in New Zealand!
I am keen to ensure that the ICDPPC supports member authorities with strategies and best practices that are inclusive of diverse legal frameworks and cultural backgrounds. I am finding this trip to Asia Pacific particularly enlightening from a cross-cultural perspective. I’m seeing different approaches to privacy friendly innovation that are culturally specific, and reflect the values of those jurisdictions. But the ties that bind us are strong data protection laws. And strong data protection regulators.
In the age of borderless data flows, there has never been a more important time for global coherence in data protection and privacy.
So let’s think about global data protection standards. The new European law – the GDPR – has a global pedigree. Regulatory instruments and practices developed elsewhere in the world were embedded in its DNA during its drafting.
We in the EU made vigorous efforts to learn from abroad and embrace policy instruments that were pioneered in other countries.
Fair information practices and breach notification originated in the US; accountability and Privacy by Default and Design in Canada; Codes of Practice from the UK and New Zealand; and innovation measures from East Asia.
The Europeans took the Best in Breed to create a Best in Show.
The movement towards global convergence is nothing new. If you look at the broad history of privacy and data protection over the last 40 years, there has been a general convergence of understanding about what it means for an organisation to process personal data responsibly. And there’s a general agreement about the rights that individuals should have over that data.
This has been – and is – a complex process of networking involving give and take from the global community. There has been a matching up of standards, of course – guidelines, conventions, and, most notably the GDPR.
These approaches have had an impact on jurisdictions that have been later adopters of national data protection laws. The more people you have in the data protection club, the greater the clamour for others to join and to make their data protection laws align to existing international approaches.
It appears to be a race to the top when it comes to data protection standards globally. And right now some aspects of the GDPR appear to be leading the race.
That’s not to say a cut and paste of the GDPR is the solution for anyone. It’s fit for purpose in Europe; but that doesn’t mean it’s fit for purpose the world over. Each nation’s culture and constitution, legal framework, and trading relationships play an important role when it comes to data protection. Those differences must be acknowledged and respected.
And as a law, the GDPR isn’t perfect. But it is a catalyst for law reform outside of Europe.
Take what’s happening here in New Zealand with the draft Bill for an enhanced privacy law.
Yours is a 25-year-old law. When it was drafted in the 1990s, who could have envisioned the social media ecosystem, AI and machine learning, and individuals’ desire for data portability?
There’s nothing like a new law to focus consumer and citizen attention on their rights. That’s certainly our experience over the introduction of the GDPR.
It’s just over six months since the new law came into effect across Europe bringing with it greater accountability, transparency and consumer control.
As anticipated, I am seeing more of everything in the UK.
More complaints from the public – from 9,000 to 19,000 in a comparable six month period. Complaints about subject access, data portability and data security. All of our front line services have jumped by at least 100 per cent.
More breach reports – over 8,000 since the end of May when it became mandatory in some high risk circumstances.
And more stakeholder engagement as we work closely with organisations to advise on privacy risks from the outset.
We can do all of this because the UK parliament has given us an updated fee regime, giving us control and certainty around our own funding. Our headcount is 60 per cent higher than in 2016 – at almost 700 and growing.
The ICO’s deputy commissioner James Dipple-Johnstone will be giving more detail about our GDPR experience so far, when he speaks on the upcoming panel discussion “GDPR six months on.”
Some of the really new provisions in the law need time to bed in. Algorithmic explainability, the detailed expectations in privacy by design, codes of conduct, extra territorial application and enforcement.
One thing I know for sure is that we will look back on this time as pivotal in public awareness – the moment that people woke up to the potential of their personal data.
Privacy and data security have gone mainstream.
Data is about people
And it’s not just because of the GDPR. Cyber hacks affecting millions or hundreds of millions of people. And more, invisible, profiling, micro targeting techniques in elections, opaque AI – all these things have increased people’s concerns.
I flew here on Cathay Pacific. And whenever I opened a search bar to look up their website my results page overflowed with articles about their major breach in September – affecting 9 million passengers’ data. People are talking about it, people are writing about it, people are angry and concerned about it. This breach has legs.
And that translates to business impact. Because as people become more aware, they expect – they demand – greater safeguards and control. The ICO’s research tells us that only one in three people in the UK trust organisations to handle their personal data in line with the law. That’s better than it was, but it’s still not good enough.
Businesses that embrace a commitment to strong privacy protection will be the ones to flourish. Given that personal data is the prime asset in the fourth industrial revolution, our citizens expect security of their information and privacy as part of the services they buy. Trust in this space is hard won but easily lost.
Another key driver for improvement is mandatory breach reporting for certain high risk cases. I know this is being considered as part of the current update here in New Zealand.
As I’ve mentioned, the ICO has received more than 8,000 breach reports since May and it’s one of the areas that concerns business most.
And rightly so. Because breach reporting is not a mere administrative responsibility. It speaks to the accountability principle of the GDPR. The accountability principle requires you to take responsibility for what you do with personal data – and have processes and systems in place to demonstrate this compliance.
If, within the 72 hour time limit, a UK organisation has no clue as to the who, the what, the how of a breach, then it is clear that they do not have the required accountability data checks and balances in place - as required by law.
I believe that data breach reporting drives companies to invest in better security and better data governance.
For this reason, I believe breach reporting to be one of the most significant upgrades in the new law.
And the ICO has had an upgrade too. The GDPR brings data protection law into the digital age and it’s imperative the regulator is fit for purpose too.
Now we are moving into a different phase where we engage with UK businesses and citizens differently. We need to be more of a collaborative, inquiring, helpful regulator — working with organisations on data protection impact assessments and codes of conduct. This is ICO 2.0.
We’re investing heavily in technical roles – a new deputy commissioner responsible for innovation and tech, an AI fellow who will help design our process for auditing algorithms, an expert tech panel and an expanded intelligence hub. A focus for the coming year will be on digital ethics and internet harms. And I know I am going to find the details of work done on ethical impact assessments by the Hong Kong Commissioner to be a key input in the ICO’s work.
We are moving quickly ahead with our own regulatory sandbox, a safe space for companies to beta-test their ideas, services and business models. It’s a recognition of the circular, rather than linear nature of the design process. And we are taking lessons from our colleagues in Singapore who are ahead of us in the sandbox space.
These new developments are part of a wider trend at the ICO towards ever greater innovation - domestically and internationally.
GDPR and New Zealand
But what does the GDPR mean for New Zealand or any non-EU jurisdiction?
If your business has an establishment in the EU where personal information is processed, or if you are offering goods or services or monitoring behaviour of people in the EU, you are caught by the GDPR. You must comply with all of the provisions in the GDPR in relation to processing EU residents’ data.
First important message is — don’t panic. If you’re already following good data protection practices for your customers then you’re already a good part of the way there. My office has provided tools to guide businesses in their compliance work for GDPR – including checklists so you can assure yourself of the key points in your own thinking.
And generally you will know if you’re caught by the GDPR because you will be actively directing services to EU residents. It is not just because your website is accessible in the EU!
Take one example – A Wellington retailer, offering products available on line with payments to be made in British pounds, processing multiple orders a day from individuals in the UK, and making it easy to ship products to them. That retailer will be subject to the GDPR and the oversight of the ICO.
There is more detail on targeting and monitoring criteria in EDPB draft guidelines published last month. But the main point of departure from the previous law is that GDPR is focused on where people are, rather than where equipment involved in the processing is located.
What does this extra territorial reach mean in practice?
It means thinking about privacy at the design stage – privacy by design, data protection impact assessments, and data minimisation.
It means planning for how you are going to respond to EU residents who want to exercise their rights including the right to erasure and right to rectification.
And it means determining if you need a representative in the EU when it comes to the GDPR. And bear in mind – you need to trust that this representative can convey on your behalf how you are evidencing compliance with the rules, including reporting to the local data protection regulator in the EU.
But remember, when it comes to enforcement action, proportionality is embedded in the GDPR. And EU data protection regulators have a range of tools available in our toolkits. So we’re going to prioritise our enforcement activity towards those bad actors who are a direct threat to EU residents. Companies who are trying their best to comply with the rules and are cooperating with EU regulators can expect to engage the advisory and warning end of our toolkit rather than the 4% of global turnover fines.
A word on Brexit. Not too many of my audiences and meetings go by without a word on Brexit.
These are extraordinary times as the UK re-defines its 40 year relationship with the EU. There’s no blueprint for this. Things feel pretty bumpy at the moment. There are still many unknowns about the shape of the final agreement. But one thing that has been clear from the outset is that the UK and the EU understand the importance of common data protection. This is reflected in the UK government’s position paper, the text of the withdrawal agreement, and the agreed joint political declaration on the future UK-EU relationship.
I don’t have to tell anyone in this room that data underpins the digital economy, security cooperation, and public services. Being here in Wellington I realise the depth of cultural, social, familial and professional links between the UK and New Zealand. It’s a similarly deep and cherished relationship with our European neighbours. That’s why I am confident that at the end of the day a way through will be found to make sure data can continue to flow. Including with third countries – like New Zealand – who have adequacy agreements with the EU.
There is mutual interest and goodwill in finding our way through the question of data flows and legal instruments.
Ultimately the future relationship is one for the politicians. But whatever happens, the UK government has committed to retaining the GDPR and a strong independent well-resourced ICO.
We expect to still work with our EU colleagues on international enforcement cooperation. We share their values and have deep and constructive relationships.
Now, a word on our Cambridge Analytica-Facebook investigation. This is a truly international file with around 50 countries affected in the harvesting of their citizens’ profile data by an app developer and shared with Cambridge Analytica for political purposes.
We have issued civil penalties and are pursuing criminal enforcement. Our investigation continues. We are presently working through a trove of evidence seized from the company and elsewhere. We are cooperating with our regulatory colleagues and law enforcement bodies around the world to ensure all our citizens are safe and protected. And to ensure that lessons are learned to protect the integrity of our democratic processes.
The world is getting smaller.
And wherever people are in the world – Australia or Argentina, Bermuda or Burkina Faso — they are concerned about what happens to their data. And as we’ve seen in the Cambridge Analytica case, they want to be certain that when they entrust their information to an organisation it will be respected and valued and kept safe.
In the UK, as in New Zealand, data protection is embedded in our culture. It’s been in UK domestic law for more than 30 years. People expect their personal data to be handled in line with the law and when it isn’t, they know that a strong regulator has their back.
We really do live in uncertain and bumpy times. There is a lot of knee-jerk reaction to specific events. Our collective drive towards coherent privacy standards can be driven off-course by unanticipated political or judicial events. But we have to keep our eyes focused on the long term.
So how do I see the future? Lawmakers will be influenced by other jurisdictions when their citizens come to them wondering why they don’t enjoy the same privacy rights as people across a border, across an ocean. People can be persuasive when it comes to politics.
I also think there will be a continuing trend towards convergence of our laws and practices – and this convergence is speeding up. Just last week in Westminster, an unprecedented Grand Committee of parliamentarians from nine jurisdictions - including Singapore, Argentina, Brazil, Canada and Ireland - heard from witnesses on electoral interference and internet harms. There is political will to find joined up solutions to their citizens’ concerns.
In the medium term — I have renewed hope for interoperability, particularly in the efforts of many of the data protection authorities in this room. As chair of the ICDPPC I will work with all of my APPA colleagues and other members to find pragmatic links and bridges between various accountability and standards regimes.
This is all ultimately about people. Data is increasingly internationalised. We can’t let the protection of individuals fall between the cracks of different regulatory regimes.
I believe there IS a way through! The presence of so many regulators and businesses in this room today gives me confidence that we are in a race to the top on data protection.