The UK will have a new data protection authority this summer after the Parliament’s Culture, Media and Sport Committee formally approved Elizabeth Denham as the next Information Commissioner. Denham, who currently serves as British Columbia, Canada’s Information and Privacy Commissioner, will replace Christopher Graham when his term is up in June. 

The appointment will need approval by the queen for finalization and the new term will commence on June 28.

"First a Canadian as Governor of the Bank of England; now the UK is getting a Canadian to lead the ICO!" former Information Commissioner Richard Thomas told The Privacy Advisor. "Liz Denham has earned respect within privacy and freedom of information communities around the world. I wish her well.'

Denham appeared before the committee Wednesday and answered a string of tough questions from committee members for over an hour. Since Denham is not a British citizen, many of the questions focused on her understanding of British and EU data protection and freedom of information laws. She also faced questions about how she would deal with nuisance calls – a persistent issue in the UK – her analysis of the controversial UK Investigatory Powers Bill, the agency’s enforcement powers, the challenges of moving to a new country, managing a staff 10 times the size of her current one, and how she would tackle funding issues for the agency.

“Committee members who may have seen my CV will have noticed I have a history of moving to more challenging positions in the last 20 years,” she told the committee. She said being Information Commissioner would “be her life’s work” and that the “tech savvy” agency casts “a long shadow across the world.” 

Evincing a measured tone throughout the hearing, Denham said she expects the UK to use some of the flexibility in the upcoming General Data Protection Regulation for a “practical application of the law.”

Denham expressed support for the new fining powers that will come with the GDPR. She said she welcomed the four-percent fines of a company’s global turnover: “There are serious issues that threaten consumer confidence on the Internet. People are increasingly troubled by data breaches, so the new fines are appropriate.” 

She also highlighted the importance of enforcing the bad actors in the digital space. “It’s my attitude on enforcement that you start from a place where you educate, share best practices, audit, then move on to companies with a bad attitude,” she said. “Clearing them out or getting them to responsibly process personal information is healthy and necessary for the digital economy.” She also noted that, often, big companies rely on their trusted brand name and are usually willing to comply. It’s the smaller, shadier businesses, those that do not have a brand at stake, that are the issue.

"It’s my attitude on enforcement that you start from a place where you educate, share best practices, audit, then move on to companies with a bad attitude," said Denham.

Though the ICO has fining powers, there is question about how much money it receives from its enforcement actions as affected firms often liquidate and disappear instead of paying the fine. These bad actors are often overseas. Denham conceded that it’s a “complicated problem,” but one that is improving, with new international agreements among data protection authorities.

Denham was also asked about fining directors of companies that have been breached. “You’re implying you would not be loath to apply high fines and full enforcement capabilities as required, including fining directors,” Committee Chairman Jesse Norman asked. “As a creature given statute and power, that’s exactly what I’d do,” she responded.

Denham is no stranger to regulating big tech businesses either. “I’m battle tested as a commissioner,” she explained. “I have never shrunk away from an important issue. I led the first investigation into Facebook. I knocked on their door when they had 300 million users in 2008. We were a small office in Canada investigating Facebook.” She also described her work on the Google Street View case. “I took on Google,” she said. “It was a serious investigation that took us down to Google’s lab so we could witness the destruction of Canadians’ data. We were the only DPA to do that. I have crossed swords with some of the largest tech companies.”

"I have crossed swords with some of the largest tech companies," she said.

She said since that time, both companies have put controls in place that weren’t there eight years ago. “Both have come to a place where even though they make money on the collection of personal information, they are more careful and in tune with what people expect.” But, she also expressed concerns that they’re becoming monopolies. “They’re so important to everyone’s lives, we have to constantly watch them. I’d like to keep the door open and ask for regular briefings from these companies to understand what is coming next,” she added.

Funding for the agency will also be a challenge, particularly since the GDPR will alter a major source of the agency’s revenue stream. Denham noted that the ICO has received 18 million pounds from notification fees, but when the GDPR goes into effect in 2018, that revenue stream will go away. “This is going to be one of my first priorities, how to get a new funding framework in place,” she said.

Denham was also queried on her opinion of the controversial IP Bill currently being hammered out in Parliament, particularly the data retention mechanism. “My view," she said, "is that it creates a honey pot. There’s a lot of data that needs to be retained, so it’s going to have to be secure." She also noted countries around the world are dealing with how to balance national security with privacy.

The committee pressed Denham during the hearing on last year's Talk Talk data breach and the Motorman incident in 2003. She said she didn’t know the details of the cases, but said she backed liability placed on directors of companies for data breaches and contraventions of the law. She said that would bring boards of directors to the table. “That’s where we’re going to get change,” she said.

“I’ve been a strong leader and manager and have been successful in managing budgets, recruiting actual staff, building team."

Denham faced questions about Freedom of Information requests as well and what she would do about government officials using non-traditional communications – such as social media – to communicate government business. For her, the issue is around the communication itself, and not the technology used. “If a public official is communicating government business, then that record is subject to FOI,” she said. Denham also said that social media accounts should be opened if that is the case, noting, however, that wouldn’t mean such accounts would be released: “We would be careful not to invade people’s privacy as much as possible. That’s one of the great things about being a DPA and privacy commissioner. In order for FOI to work, we need people to respect the letter and spirit of the law.”

By transferring to the ICO, Denham will have a staff 10 times larger than her current BC staff. “I believe I’m up to the task,” she said. “I’ve been a strong leader and manager and have been successful in managing budgets, recruiting actual staff, building team. I will bring that same skill set, by building in direct reports, making sure everyone understands the vision, check back with staff, review work, and create face-to-face meetings."

Denham also said she will need to get to know the public’s concerns. “I don’t underestimate the issues that matter to the public here,” she said. “I have the pulse of the Canadian public, but don’t necessarily have it here, but I’m a quick learner.”