Deputy Commissioner (Policy) Steve Wood's speech at the 9th European Data Protection Days conference in Berlin on 20 May 2019.
Original script may differ from delivered version.
It’s a pleasure to be here today and I would like to thank the organisers for putting such a significant event in the calendar and bringing together so many key players in the data protection and privacy field.
The last few years have really seen a step change in the way that data protection is viewed – in the UK, across the EU and in many other parts of the world. It is no longer a compliance step that businesses think of to be completed at the end of a project but the incorporation of principles - accountability, transparency, fairness - that go to the heart of good business practice.
Before looking forward to the ICO’s international strategy I would like to return briefly to 2018 and a couple of momentous moments.
Firstly, on a more sombre note, we saw the passing away of one of the UK’s most celebrated sons: Astrophysicist, Stephen Hawking. He managed to make the complex understandable to people around the world and encouraged real innovation. This should be an inspiration to all of us.
And I do think that a key role of the guardians of data protection law is to give a vision of what matters, amongst so much detail, and to encourage collaboration.
2018 also included the launch of the GDPR and this month will see its anniversary.
As one of those involved in the early days of planning for the law, going back to 2012, it felt like a long and bumpy road to get to that point. But it is fantastic to see what has emerged from those long days.
GDPR has built the foundation of high standards that have enabled data protection to become a mainstream consumer issue across the EU.
Public awareness has never been higher and more people than ever are exercising their rights. GDPR is influencing many laws around the world. The next phase is enforcement and we are confident that the ICO and colleagues in the EDPB will deliver.
The ICO recently announced its first GDPR action, ordering HMRC, the UK tax authority, to delete 5 million voice records that had been collected without valid consent. Watch this space for further announcements soon.
Yes, as my colleagues have attested to in previous sessions, there are teething issues and challenges that must be overcome. But these should not distract us from the achievements.
Against these important challenges, sits a further challenge for the ICO – Brexit – yes, I have to talk about the B-Word.
At some point our relationship with Europe and the way that we interact with our DP partners will change. We know that. What we don’t know yet is what precisely these changes will be.
Whatever happens, however, we do expect to continue our constructive and fruitful dialogue. And we will use the relationships we already have with our European partners to promote ways of working that are mutually beneficial to citizens and organisations.
The ICO’s international strategy, published in 2017, made clear that, post Brexit, a strong relationship with the EU DP regime was vital – remaining aligned with GDPR and working closely on areas such as enforcement. The UK Government’s commitment to retaining GDPR in law, post Brexit, has also been clear since 2017.
As it stands we remain a member of the EU and the ICO remains an active member of the EDPB.
And we will also be looking to engage with our partners from across the globe.
It is a well-worn but no less applicable trope that the world is getting smaller and nowhere is this truer than in the world of data protection. This is in fact the reason that I am speaking to you today - to talk about our international strategy.
Technology, media and creative industries are booming. Just last month, Bloomberg reported that the digital economy – or the ‘Flat White Economy’ - has become the UK’s largest economic sector. This demonstrates the opportunities that the digital world provides and these should be encouraged.
But we also know the risks to personal data and privacy that the unregulated processing of personal data brings. This new economy disrupts notions of local laws and seeks a world where data has no borders. However, this does not mean a race to the bottom or that protections cannot be maintained across borders. This is why joining up our efforts is so important.
I recently returned from a visit to São Paulo. As many of you will be aware, the Brazilians are in the process of implementing a new data protection regime. Their new law, many aspects modelled on GDPR, comes into force next year.
One crucial question is still not resolved – the creation of the new independent data protection authority. Speaking to businesses and data protection professionals I heard many of the same questions that were raised and that we asked ourselves during the genesis of the GDPR.
- How do we implement these laws in practice?
- How can we build trust as the long term aim?
What was not questioned, however, was the need for stronger, more up-to-date laws. And for an independent authority to uphold rights and set the direction for compliance.
What business has made clear is the need for consistency. Last month, Henry Farrell - co-author of Privacy and Power - said in the Financial Times that:
‘Businesses hate restrictive rules, but they hate them much less than uncertainty.’
This makes sense.
Clear domestic laws that are proportionately applied will help. But maintaining high standards, the convergence of general principles across different areas, and effective interoperability is also essential.
This will not be an easy job. The dynamic nature of technology brings new and unforeseen privacy implications. Our job is therefore to rise to the challenge of being an agile, joined-up, global regulator that will protect the public but understands the context of the digital economy.
Our focus on fundamental rights must not be diluted but we must find bridges between international systems, to make convergence work in practice. The principle of accountability, which transcends borders, will be key to this.
But what is ‘accountability’?
Accountability not only drives the GDPR but is also a critical component of data protection and privacy law, regulation, and industry guidance across the world.
It captures in law an onus on companies to understand the risks, and to mitigate those risks. It also reflects that people are increasingly demanding to be shown how their data is used and how it is being protected.
Accountability requires a change of culture within organisations, and the bedding in of key governance systems and values. We know from our investigations and audits that this has not happened yet. We will therefore be doing more to ensure that this happens. What is clear however is the wider ambition for progress in this area.
What emerged from her survey was the tremendous degree of agreement between different regions and organisations about what the objective for accountability should be. In many ways then we have a common set of values, priorities and goals.
Our goal is therefore to harness this convergence in order to turn the accountability principle into a robust but global solution for high and consistent data protection standards.
And the good news is that mechanisms already exist that we, in partnership with our data protection colleagues, can use to achieve this.
In October of last year our Commissioner was elected chair of the International Conference of Data Protection and Privacy Commissioners – the ICDPPC. This provides a real opportunity for collaboration as it is the only conference that brings together data protection authorities from across the world.
Elizabeth’s aspiration is for the conference to play a leading role in shaping international standards for data protection convergence and enabling interoperability.
Everywhere we look globally, data protection and privacy standards are becoming stronger and adding new signatories and members. The modernised Convention 108 continues to grow across traditional boundaries – with countries such as Mexico joining. Networks, such as the Ibero-American network are taking more of a policy role leading through the adoption of their own standards.
The role of ICDPPC will be the global cartographer – taking the unique voice of data protection and privacy commissioners globally to influence and join up standards worldwide and ensure they are effective in practice.
We are currently consulting on a new Policy Strategy for the ICDPPC, in advance of the next conference in Tirana in October. This must combine a vision with the practical.
There are six goals - ranging from the longer term objectives on global policy and standards to more immediate steps we should take now to improve cooperation and share good practice.
The ICO is also growing its International Directorate more generally, almost doubling its size from where we were only two years ago. This will ensure we have the ability to deliver on one of the key pillars of our strategy – the continuation of our engagement with leading privacy networks.
For example, we are already engaged with the important work of the OECD Working Party for Security and Privacy to revise its privacy guidelines. We will also continue to develop stronger links with data protection authorities in Commonwealth countries through the Common Thread Network.
But we must not stop there.
Next week Elizabeth will be travelling to Tokyo to attend the Asia Pacific Privacy Authorities forum and the G20 – a chance to discuss global privacy trends, exchange domestic experiences and seek cooperation on education and enforcement. And this last point is crucial.
Enforcement in our complex digital ecosystem will not be effective if we only view it through a domestic lens - we must learn lessons from the Facebook and Cambridge Analytica investigation.
This not only demonstrated the sophisticated way that personal data can be exploited. It also showed that, virus-like, the illegal harvesting of data quickly infected more than one country.
We will therefore continue to play a leading role in joined-up, effective and efficient international enforcement co-operation mechanisms.
In our investigation of Facebook and Cambridge Analytica we looked both inwards – working with other regulators and security forces within the UK – and outwards, co-ordinating our efforts with our partners in Europe and globally. This must be the model for future investigations of this nature.
The recent announcement that San Francisco is banning the use of facial recognition technology illustrates how privacy rights are becoming a universal societal issue. These challenges are global and will be debated in major cities across the world.
Through coming together and collaborating we can learn from each other about what best practice looks like.