Elizabeth Denham’s speech at The 19th Annual Privacy and Security Conference - 7 February 2018.
Thank you Richard for the introduction. It is lovely to be back in Victoria, if only for a short visit. I would like to thank Greg Spievek and his very capable team for again putting on this conference – which is in its 19th year.
It’s a wonderful event and I am honoured to have attended for eight of the last nine years. I am also grateful to the organisers for including me on the panel later today to honour my good friend Joe Alhadeff. Joe was a global leader in data policy, an ambassador for the digital economy - and one of the smartest strategists I have met, in this field or any other. Audacious, visionary, loyal and supportive of his many friends - we miss you Joe.
In June of last year I was honoured to address the University of Alberta, where I shared my impressions of my first year as UK Information Commissioner.
Now, approaching my second anniversary in the job, it’s great to be able to say that some things have definitely changed for the better in the last year:
- I’m more comfortable with driving on the left-hand side of the road, and look right before I step from the curb.
- I now know how to react when every morning I’m greeted with “Y’all Right?”. (Not a general inquiry about the state of my health!)
- I’m much better at reading a room and have come to appreciate that the British are both masters of understatement, and the most direct people on the planet. They reject all effusive language with the exception of the word “brilliant”.
The second year on the job has also been about building important relationships.
Only a few days ago I was discharging my duties as a judge for the 2017 UK Press Awards and separately meeting the CEO of the Charities Commission, speaking to the Institute of Directors, and Tech UK. But even after more than eighteen months in the job, there are still aspects of British life that give me pause.
- The intensity of the public spotlight and public scrutiny.
- That a small number of media magnates wield so much influence; newspapers are still very influential in setting public opinion, and
- that I still get asked what part of the United States I am from – and what I think of President Trump – by people who should know better!
And of course, I have an unexpected front row seat to one of the largest upheavals in the modern political history of the UK, as it decouples from the European Union.
Being an outsider there creates both challenges and advantages as Information Commissioner, given a time of great transition and soul searching among Britons. And perhaps because these are ‘my people’ in both the familial and jurisdictional senses of the word, I am reminded daily about the magnitude and complexities of the responsibilities with which I am charged.
But I am not alone in dealing with these challenges. I have a wonderful network of colleagues and friends.
My staff have gone above and beyond to make me feel at home. From my offices in Manchester, Cardiff, Edinburgh, Belfast and London, they’ve shown great kindness, and have taken every opportunity to share the finer aspects of British life, from hiking to haggis, culture to cake.
I also have access to a valuable extended network of compatriots who only ask which part of B.C. I am from.
The Canadian High Commissioner Janice Charette hosted me at a tech event at Canada House, and I have recently joined a business ex-pat group in London for a regular fix of the Canadian accent.
And when I see Moya Greene, Chief Executive at the Royal Mail, Stephen Toope, Vice Chancellor of the University of Cambridge, and of course Mark Carney, Governor of the Bank of England, I think it’s fair to say that Canadians are punching above our weight in public life in UK positions.
I don’t think that this is an accident.
Canadians and British people have a shared parliamentary and legal tradition. Similar principles underpin our access and privacy laws.
And we are proud to have the Queen’s profile on our bank notes.
But it goes deeper than that. Canadians are well respected in the UK. Canadian public servants are seen as having a very high level of integrity and a strong work ethic.
We are known as collaborative and respectful of differences, working together to find common ground and common solutions. (And we are ever so polite!)
We are bridge builders. We successfully connect two very different cultures – the USA to the south and Europe to the east.
In 2016 when I took the job I was challenged with dealing with the biggest change to UK data protection laws in over 20 years.
Getting ready for the European Union’s General Data Protection Regulation - the GDPR - requires a major change programme in approaches to data protection both for my office and for the country as a whole.
Implementing the GDPR was enough of a challenge.
When I was settling in to my new job, I often thought about something my Scottish grandmother used to say:
“Strangers should be strangers for a little while”
In other words; step back, listen and observe, and don’t make assumptions about your new culture.
I’ll be honest: part of me wishes that I had the time to take a step a little further back!
But, just days before I boarded the plane to England, over 17 million people voted for the UK to leave the European Union, and 16 million voted to remain.
So now I have to bridge a new series of divides: in my own office, in the UK, and with colleagues across the world.
Those splits can run very deep – Brexit is a deeply painful and emotional issue for many.
But a fresh challenge can be invigorating!
I now liken my role to changing the wheel on a moving car, whilst going around a roundabout, with the added possibility that the car will catch fire!
And as much as I enjoy the challenge, I also appreciate the relief that a little certainty can bring.
Which is why I would like to talk about some of the “knowns” and “unknowns” in the current situation.
What we know is that:
The GDPR has been passed by the EU and will have direct effect in all Member States, including the UK – in May of this year.
The UK government has recently introduced a new Data Protection Bill, which complements the GDPR, making detailed provisions where the GDPR is general – issues related to age of consent for children, and the balance between privacy and freedom of expression. But it goes further than that – the UK’s Data Protection Bill also covers areas like law enforcement and rules for intelligence agencies which are outside the scope of the GDPR.
In terms of the decoupling between UK and the EU – agreement has been reached on some of the fundamentals – the divorce bill, the rights of EU and UK citizens who have made lives in each other’s territories, and principles of how to avoid a hard border with Ireland after the UK leaves the bloc. There is also agreement that there will be a transition period – 2 or possibly more years necessary to untangle a 40 year regulatory regime. During the transition period, to avoid a cliff edge harmful for business and citizens, the intent is to maintain the regulatory regimes – from data protection to aviation, food standards and the environment.
There is uncertainty over the legal arrangements in the transition period and the repercussions of this unprecedented process, but one certainty (relevant to this audience) is that the European Union will continue to advance the standards of protection for the personal data of people in the EU, and the UK has committed to maintain these high standards.
The second phase of the Brexit negotiations – over the next year, should shed light into the substantial terms of the new relationship.
I am personally pleased with the way the UK Government and Parliament have taken data protection seriously as the country prepares to leave the EU. The government has prioritised the issue of data protection and data flows in the negotiations because data underpins the digital economy, trade and security. Both government and parliament support me in my efforts to maintain our close links with continental Europe, Canada, Asia Pacific and other regions.
But final agreements, are some way off.
Perhaps the most significant “unknown” from my point of view is the exact nature of that final agreement, and our continuing relationship with our commissioner colleagues across Europe. Is the ICO going to have a seat on the European Data Protection Board (which coordinates the work of Europe’s DPAs – with voting rights) or will we be an observer without voting rights like Norway or Iceland; or denied a seat all together?
Is the UK going to be a partner, helping to set policy, or will we have the status of a third country – like Canada or Japan?
That’s one for the politicians – but for decades, we’ve had common values and the UK influenced and contributed to data protection policies, including the GDPR. The ICO is the largest Data Protection Authority in Europe and contributes heavily to the work of the Article 29 Working Party. When it comes to rights such as the right to privacy and data protection, we will continue to pursue common strategies.
I expect to maintain substantial dialogue and work with my EU colleagues during the transition period and after exit.
When it comes to the arrangements post Brexit for international data transfers, there is no doubt that achieving an adequacy finding from the European Commission is the simplest route to continued frictionless flow of data between the EU and the UK.
And there is equally no doubt that having domestic laws that achieve a high standard of data protection commensurate to the EU will be a significant advantage in an adequacy assessment.
As Commissioner, my job is to advise government and parliament on law reform that ensures uninterrupted data flows to the rest of the world - that maintains high standards of data protection for consumers, and legal certainty for business.
I am banging the drum for this holy trinity of outcomes.
There must be no exit from high standards of data protection, a view that the government has adopted as a necessary basis for tech innovation.
What does all this mean for Canada?
As one of the first jurisdictions to receive an adequacy finding by the European Commission, Canada is deemed to have an essentially equivalent law regarding measures for the private sector to protect data flows from Europe.
The EU Commission has given itself until 2020 to decide which core elements of the GDPR they want to see in other countries’ laws, and what that means for countries already deemed to be adequate.
What we do know is that the European Commission will be looking at a third country’s laws and their administration in the round. They will also be looking at the data practices of a country’s security agencies.
As someone who is immersed on a daily basis with the terms in the GDPR, I am deeply aware of the higher standards set by the new law – including the standard of consent, new rights for individuals, new accountability provisions and enhanced enforcement.
I believe it’s time the Canadian government has a serious look at existing data protection laws, which are falling behind the curve internationally. Current and former Canadian commissioners have called for reform to the law to address the data driven economy – with appropriate remedies for individuals.
The UK has made a firm decision to maintain the GDPR after Brexit and I believe that Canada would be well served to raise its own standards – both for ensuring consumers’ trust in the digital economy, and mitigating the risk to Canada’s adequacy from an EU perspective.
Whatever the European Commission ultimately determines, and for the foreseeable future, those states who receive its designation of adequacy win a decided advantage for their companies who operate on a global stage.
Tragically, the greatest disruption in personal terms for my office came from the terrorist attack in Manchester last May which killed 22 concert-goers and injured hundreds more. The attack was close to our main office – the arena was a place where my local staff experienced music and games and sport.
Some of my staff had been at the Ariana Grande concert that night with their kids.
We mourned the losses, acknowledged our fears, and stood with the people of Manchester. We ensured support for staff and brought in counsellors to help staff learn how to talk to kids about violence and terrorism.
There is such resilience there – and the Brits have an enormous capacity for carrying on, with openness and courage and kindness.
As do we, when similarly tested.
Such deplorable events provide a grim background to the constant tension between security and liberty.
I want lastly, in my plain-spoken and western Canadian enunciation, to accentuate the ways my daily efforts make privacy and access stronger values in society.
I have been a frequent flyer giving evidence to Parliamentary Committees – just two weeks ago at the Science and Technology Committee’s hearings on algorithmic decision making.
We are deep into a complex investigation of the use of data analytics for political purposes – looking at how personal information was used to target people in political campaigns, particularly focused on the EU referendum campaign. We are concerned about the behind the scenes algorithms, data matching and profiling. Our probe includes the role of data companies, campaigns and political parties, social media platforms and data brokers. I expect our report to be published in the coming months.
On the management side - I have fought, successfully, for a significant change to my office’s funding model and pay structure – an essential upgrade which should allow us to attract and retain the brightest and best.
We have launched an active secondment programme which has brought an influx of new talent into my office. Some of you may know that Michael McEvoy from the B.C. Office is currently working with me at the ICO on a significant investigation. Drew – thank you for your generous support and for releasing Michael for the past few months!
My team has worked tirelessly for the importance of data protection and security to be recognised – quite challenging in the highly charged politics of this time.
We Canadians in the UK are trusted friends, respected advisors, and bridge builders.
And now, in these uncertain times, our friends in the UK and the rest of Europe need that more than ever.