Information Commissioner Elizabeth Denham's speech at the G20 Side Event - International Seminar on Personal Data in Tokyo on 3 June 2019.
Original script may differ from delivered version.
A special thank you to our hosts the Personal Information Protection Commission. I understand there are several ways to say thank you in Japanese, and given the hospitality I’ve enjoyed since I’ve been here I can understand why. So Doumo Arigatou.
I’m speaking to you today as a Canadian living in the UK, working as the UK’s data protection commissioner, and as a consumer of the digital services of many international businesses. But I am also addressing you as chair of the International Conference of Data Protection and Privacy Commissioners – the only global forum of privacy commissioners. So it feels right for me to be addressing a G20 event on international data flows.
I work with difference every day. Difference in laws, cultures, language, outlook. So I can see how important it is to build bridges and focus on what we share - our citizens’ shared expectations that their privacy will be respected.
Inconsistency in our respective laws and their application and enforcement can lead to inconsistency for individuals and businesses.
Significant differences in data protection approaches across our jurisdictions can have a confusing and damaging effect on consumer and business understanding of how laws operate and what they are there to safeguard.
But I’m not here today to advocate for homogeneity and uniformity in law. Rather, I am here to advocate for acknowledgement and respect for our differences and to find practical ways to bridge them. Only by doing so can we move towards a model of data flow with trust.
That’s what I want to talk to you about today. How we find the interoperability that lets personal data flow with the right protections. And why we must put Data Flow with Trust at the centre of our work.
For me, trust means citizens knowing how their data is being used, how they can control its use, where the data is going, and that no matter where it goes that someone – a privacy commissioner – has their back.
I have worked in data protection for more than two decades now, and within that time there’s been a clear evolution of the law that continues to the present. What has struck me over the years is how, as the digital economy grows, our law makers and regulators increasingly see things alike, learn, and borrow concepts from one another.
One such core concept that is heavily borrowed across jurisdictions is accountability. Originally a Canadian legal concept, this set out a requirement for businesses to mitigate the risks from how they were using people’s data.
That concept then travelled beyond Canadian borders, and later found itself as a core principle in the EU’s GDPR. And the GDPR also includes security breach notification – a US innovation now widely adopted. In fact, the GDPR’s parentage is global – it has ideas and concepts from other regions written into its DNA.
This approach, of new laws in one country reflecting existing ones in others is important. We benefit from the learning of others and ultimately then from better drafted laws. We are seeing a global convergence of principles and rights. A race to the top.
Legal convergence is an element of interoperability, but it won’t solve our problems on its own.
Interoperability between jurisdictions is not easy to achieve. Interoperability begins with an understanding of the commonalities and differences between the systems. It is only with this understanding that we can then devise tools to enable data flows with trust. This is the central challenge for governments, privacy commissioners and business.
The EU’s adequacy process is one approach to achieve interoperability; it has been used successfully to find common ground in legislative approaches as diverse as that of New Zealand, Israel and Japan. The GDPR sets a high bar in terms of data standards, and that bar might seem quite prescriptive for some. But, as an approach, it has achieved trust for European residents’ data processed in adequate jurisdictions. But it cannot be an exclusive tool.
Japan and the EU struck a new path in the mutual recognition of each other’s laws. Japan could show us the way as a bridge between APEC and EU systems. There is further work for governments to do to consider the merit of a wider application of such an approach – that could include codes, standards and certification systems that allow data transfers with trust.
The UK will play its part in this post-Brexit. The UK Government is committed to retaining high data protection standards - the GDPR, which has been copied over in full in the exit legislation. And after Brexit, the UK will operate its own transfer regime, including effective trust based controls for international transfers.
The legal concept of accountability is another possible route forward in interoperability.
Accountability is ultimately about encouraging consumer trust, and that role forms part of every privacy commissioner’s responsibilities. Accountability is a bridge that connects many jurisdictions – Canada, Hong Kong, Australia, Singapore and the EU. The EU’s Binding Corporate Rules and APEC’s Cross Border Privacy Rules are both examples of accountability mechanisms. They require demonstrable proof that organisations have implemented systems and controls to protect data and people.
Now the challenge for government, privacy commissioners and business is to find ways to connect our accountability systems. As individuals, we travel the world and we need to charge our phones. But we do not expect to find the same power socket everywhere we go. We bring adaptors with us.
We need to bring the same mind-set to data protection. We need to build adaptors within our different accountability systems to enable data flows with trust. We need to take action now to build bridges between our systems.
It makes business sense, it makes consumer protection sense, and the sooner we work on this the greater the benefits. But this will only work if we approach the discussion of our differences with respect, and a focus on that which separates us that actually matters to protection of individuals.
In the short term, if we could reach government and regulatory consensus around the concrete meaning of accountability - and how to deliver, demonstrate and verify it - we could find common ground and a basis for international standards.
I said at the start of this speech that governments need to work together to ensure data flows with trust. Citizens have to have that trust. And for me, privacy commissioners also play a major role in building that trust. Part of interoperability is ensuring collaboration amongst commissioners on policy and on enforcement matters.
So what is within our gift to deliver as commissioners? For me there are two main pillars.
First, cooperation on regulatory action – the key things we do as commissioners to keep our citizens safe – enforcement, investigations, audits, complaints handling, and sanctions. In order to work together effectively we have to understand each other’s ways of working and capabilities.
That means trusting each other’s views on issues and cases. What we really need to share is lines of inquiry, our analysis of the issues, and the tactics we are adopting in our investigations. This will minimise duplication of investigatory effort and speed up our inquiries. And for businesses - provide more consistency in how they are being regulated by us.
Commissioners sometimes get too hung up on barriers to cooperation based on secrecy and concerns over whether working together requires personal data transfer. But the challenging investigations we are undertaking require us to find ways to move forward in a coordinated and consistent way together; otherwise in a global economy we will not be able to keep our citizens safe.
The ICDPPC brings together 122 privacy and data protection authorities from across all parts of the globe. As chair, I am committed to bringing our regional insights together and putting focus on enforcement cooperation.
This is a team effort; we need more players signed up to the various instruments available to us - including the ICDPPC arrangement, APEC’s CPEA, and the Council of Europe’s Convention 108+ - which despite the name reaches beyond mainland Europe, as well as local bilateral agreements.
And in Europe, we know we need to take steps to clarify mutual assistance with third countries as mandated by the GDPR.
Now to the second pillar – policy rationalisation. Commissioners need to recognise that for data to flow with trust we need to rationalise our policy effort and coalesce on the real societal risks common to us all.
Last week at APPA, I was struck by how many commissioners have staff working on policy positions and tools for AI, children’s privacy and facial recognition technology. Staff time equals resources, and we should not be reinventing the wheel every time a hot topic arises.
We need a world view. But I am not expecting uniform guidance or approaches in every jurisdiction.
However, we have far more in common than that which differs, particularly on the key challenges facing all our societies right now. Therefore we can borrow and amplify each other’s work to the benefit of business and citizens. By doing so we reduce inconsistency across our policy positions while at the same time making the most use of all our limited resources.
I’d like to close with a short story that is about neither laws nor enforcement. This is my first visit to Japan, but not my first experience of your customs and culture.
My grandfather was a chartered engineer. Born in Yorkshire, in the north of England, in 1901, he moved to Canada aged 29, where he ultimately became the senior public official for engineering and infrastructure for the Province of British Columbia. He was in charge of building bridges.
At age 70, he retired from government, and then took up a job with an engineering firm in Tokyo. He enjoyed the culture and the people and history of Japan – and lived and worked and mastered the language for the next decade of his life.
I was reflecting on his career when I was thinking about what I’d say to you today. And I think there’s something in that story that we can take away.
He took an English qualification to Canada. He took Canadian experience to Japan. And in turn he incorporated Japanese work practices into improving his own profession. That those countries had different cultures and regulations and language didn’t matter, because he was able to build people’s trust in his work by demonstrating his expertise. I think that’s an interesting parallel to what we’ve been considering today.
Different aspects of data protection law may be unique to our own jurisdictions. But trust can circumnavigate the world.
It can travel across the Pacific, it can travel across the Atlantic, and it can travel beyond. It can form a basis for international cooperation, trade and data flow.
The question is, can we, as a data protection community, working together, make that journey to build trust possible?
I believe the answer has to be yes. The global privacy community needs to focus on connectivity between our systems.
And there is an opportunity for G20 governments, as Prime Minister Abe has set out – to show leadership to drive it forward — to the benefit of us all.