At the time she spoke in Brussels recently, U.K. Information Commissioner Elizabeth Denham had been on the job for 110 days, but it's already quite clear how different a climate it is from her last post as British Columbia's Information and Privacy Commissioner. For starters, the General Data Protection Regulation is coming into force — though it's unclear whether the U.K. will adopt the GDPR as written for the EU after Brexit. And speaking of Brexit, Denham noted early on in her session at the IAPP Data Protection Congress, during which former EDPS Peter Hustinx asked the questions, that while she likes a challenge, she's operating in a "toxic and somewhat political environment" at present.
Comparing her experience in Canada with her new reality in the U.K., Denham said the role itself is similar in that she's responsible for promoting the right to know as well as the right to privacy. But she said she's learned some things already. She wishes she'd understood a bit earlier in her career, for example, how helpful the very pragmatic, accessible guidance the ICO has issued over the years is to organizations. Maybe she would have done a bit more of that back in B.C.
Looking back, she said, while Canada has strong administration of its laws, its laws are weak.
"What that means is that there's a hell of a lot of work that has to go on behind the scenes to be able to influence companies to respect the law and do the right thing," she said.
"It's a good thing I'm really comfortable with ambiguity." — Elizabeth Denham, ICO
What she learned from that is how to bring industry groups together to help them understand the challenges they face on data protection and privacy and how to mitigate risk. That's the kind of proactive role she plans to bring to the ICO. She said she plans to have more face time with civil society than perhaps the ICO historically has had. The ICO is also kicking off a new grants program to promote research and privacy by design, and it's hiring its first general counsel alongside a chief technology strategist, who will report directly to Denham.
"Obviously enforcement under the GDPR needs a certain level of scrutiny," she said.
But then, it's not quite clear how relevant the GDPR will be to the U.K. in the end. Prime Minister Theresa May has said the U.K. will leave the EU, as the vote decided, but there's uncertainty over whether that means a "hard Brexit" or a "soft Brexit," the former meaning the U.K. would abandon EU laws completely and create its own, the latter meaning it would still adhere to the legal framework and therefore the GDPR.
"It's a good thing I'm really comfortable with ambiguity," Denham said of the uncertainty. Not knowing what the law of the land will be by next year, it's a bit difficult to prioritize and plan. But for now, Denham remains involved in Article 29 subgroup work under the assumption she'll remain a part of the European Data Protection Board.
But there's a chance, in the case of a hard Brexit, Denham would be, as she phrased it, "benched at the football match," and wouldn't be a part of the EDPB. She says, in that case, the ICO would still have relationships with European counterparts as well as with global leaders.
"If we have to apply for adequacy, we need to make sure we have oversight of our national security." — Elizabeth Denham, ICO
But a hard Brexit would also mean the U.K. would no longer be under the EU's data-sharing umbrella, and so would need to establish itself as "adequate" before data could be transferred there. And that's going to mean a close look at the state of surveillance.
"If we have to apply for adequacy, we need to make sure we have oversight of our national security," she said.
Even under a soft Brexit, though, there's the significant challenge of that pesky thing called funding to worry about. Currently, about 80 percent of the ICO's funding comes from data processing notification fees. Under the GDPR, that process disappears, so it's up to Denham and her staff to figure out how to fund her office and the 450 staff it employs.
If Denham's anxious for all the challenges she faces, however, she's got a strong poker face. As Hustinx questioned her on the arguably precarious position she finds herself in, her demeanor mapped more closely to someone discussing her plans for the weekend than how she'll keep the U.K. operating on a global stage.
But maybe that's just who she is. After all, she said, "I like a challenge."
If you want to comment on this post, you need to login.