TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Denham talks first 100 days on the job, Brexit's impact Related reading: Cut the cake: Denham prefers reform as a goodbye gift




At the time she spoke in Brussels recently, U.K. Information Commissioner Elizabeth Denham had been on the job for 110 days, but it's already quite clear how different a climate it is from her last post as British Columbia's Information and Privacy Commissioner. For starters, the General Data Protection Regulation is coming into force — though it's unclear whether the U.K. will adopt the GDPR as written for the EU after Brexit. And speaking of Brexit, Denham noted early on in her session at the IAPP Data Protection Congress, during which former EDPS Peter Hustinx asked the questions, that while she likes a challenge, she's operating in a "toxic and somewhat political environment" at present. 

Comparing her experience in Canada with her new reality in the U.K., Denham said the role itself is similar in that she's responsible for promoting the right to know as well as the right to privacy. But she said she's learned some things already. She wishes she'd understood a bit earlier in her career, for example, how helpful the very pragmatic, accessible guidance the ICO has issued over the years is to organizations. Maybe she would have done a bit more of that back in B.C.

Looking back, she said, while Canada has strong administration of its laws, its laws are weak. 

"What that means is that there's a hell of a lot of work that has to go on behind the scenes to be able to influence companies to respect the law and do the right thing," she said. 

"It's a good thing I'm really comfortable with ambiguity." — Elizabeth Denham, ICO

What she learned from that is how to bring industry groups together to help them understand the challenges they face on data protection and privacy and how to mitigate risk. That's the kind of proactive role she plans to bring to the ICO. She said she plans to have more face time with civil society than perhaps the ICO historically has had. The ICO is also kicking off a new grants program to promote research and privacy by design, and it's hiring its first general counsel alongside a chief technology strategist, who will report directly to Denham. 

"Obviously enforcement under the GDPR needs a certain level of scrutiny," she said. 

But then, it's not quite clear how relevant the GDPR will be to the U.K. in the end. Prime Minister Theresa May has said the U.K. will leave the EU, as the vote decided, but there's uncertainty over whether that means a "hard Brexit" or a "soft Brexit," the former meaning the U.K. would abandon EU laws completely and create its own, the latter meaning it would still adhere to the legal framework and therefore the GDPR. 

"It's a good thing I'm really comfortable with ambiguity," Denham said of the uncertainty. Not knowing what the law of the land will be by next year, it's a bit difficult to prioritize and plan. But for now, Denham remains involved in Article 29 subgroup work under the assumption she'll remain a part of the European Data Protection Board. 

But there's a chance, in the case of a hard Brexit, Denham would be, as she phrased it, "benched at the football match," and wouldn't be a part of the EDPB. She says, in that case, the ICO would still have relationships with European counterparts as well as with global leaders. 

"If we have to apply for adequacy, we need to make sure we have oversight of our national security." — Elizabeth Denham, ICO

But a hard Brexit would also mean the U.K. would no longer be under the EU's data-sharing umbrella, and so would need to establish itself as "adequate" before data could be transferred there. And that's going to mean a close look at the state of surveillance.

"If we have to apply for adequacy, we need to make sure we have oversight of our national security," she said.

Even under a soft Brexit, though, there's the significant challenge of that pesky thing called funding to worry about. Currently, about 80 percent of the ICO's funding comes from data processing notification fees. Under the GDPR, that process disappears, so it's up to Denham and her staff to figure out how to fund her office and the 450 staff it employs. 

If Denham's anxious for all the challenges she faces, however, she's got a strong poker face. As Hustinx questioned her on the arguably precarious position she finds herself in, her demeanor mapped more closely to someone discussing her plans for the weekend than how she'll keep the U.K. operating on a global stage. 

But maybe that's just who she is. After all, she said, "I like a challenge."

1 Comment

If you want to comment on this post, you need to login.

  • comment Stuart Ritchie • Nov 22, 2016
    There seems to be a lot of fuss about Brexit and the GDPR. For businesses trading personal data with Europe, the type of Brexit and whether we repeal GDPR makes little difference legally - if they want to trade with (transfer data from/to) foreign jurisdictions they have to comply with the laws of that jurisdiction. That hasn't changed in centuries, so (absent quotas) it's just a commercial costs issue. As to any connection between GDPR and Brexit, the GDPR is already enacted and in any event data protection is such a toxic issue it won't be part of the Brexit negotiations (unless Spain or someone cleverly introduces it precisely in order to kill the negotiations)
    Ironically, if we do a hard Brexit as seems likely, regardless of repeal the data protection compliance standard will be even higher than if we'd stayed in (the "little difference" mentioned) as the UK may forfeit its already-exercised Protocol rights not to opt in to certain articles (actually a good thing because then the GDPR-created legal defences for British executives in the US, Australia etc will be switched on again), plus arguably the UK no longer will be able to get away with any derogations (aka opt-outs, such as treating 13-year-olds as adults, a satirist's dream) that otherwise would have been available. Meanwhile for essential equivalence purposes, it's difficult to see the UK being treated better than the USA when arguably the UK's behavior is generally worse, so even a Privacy Figleaf looks tricky. What goes round, comes round. 
    If that is right, then relevant businesses may expect to have to comply with the GDPR anyway, possibly without the benefit of any UK derogations.