There’s a lot happening for privacy in the U.K. right now. Its veteran information commissioner is leaving his post, the country is threatening to break up with the EU, and, to really pile on, the General Data Protection Regulation hovers just overhead as both regulators and those to be regulated by it brace for impact.
Despite the tumultuous terrain, the country’s next information commissioner is packing her bags and headed to the office. But she’s bringing a big bag – big enough to house some books on U.K. and EU law, too. That’s because the new commissioner isn’t a U.K. or even an EU local, but rather a Canadian.
Elizabeth Denham, who’s served as B.C.’s information and privacy commissioner since 2010, will take over for outgoing U.K. Commissioner Christopher Graham in July.
“I have a steep learning curve. I won’t underestimate my learning curve,” Denham said of the challenge ahead. “All my experience has been in Canada.”
But she’s quick to add that she’s got a thick portfolio in international policy, including positions on various working groups among regulators globally and her office’s designation as secretariat for Asia-Pacific privacy authorities, which has meant extensive work with colleagues in Singapore and Japan.
Still, though, regulating a culture and a legal framework that’s new to her will of course come with its challenges, she concedes.
“I have a lot of work to do to understand how the citizens of the U.K. view privacy,” she said, “both privacy on the commercial side and privacy on the government side of the equation. There will be social and political differences in the attitudes of citizens and organizations, but I think I’m equipped to do that work."
The U.K. government also believes she’s equipped to do that work. A House of Commons committee confirmed Denham last week. The only approval she’s waiting on now is the Queen's, and, while that may sound daunting, it’s largely a formality.
Denham said the essential work ahead of her includes not only the obvious task of studying EU and U.K. law but also getting to know the nuances and the “shades of gray.” She said there will be social and political differences in the attitudes of citizens and organizations, but she said even across Canada itself that’s true.
“This is just a much bigger pond and a steeper learning curve,” she said. Specifically, she added, “I need to know the influencers,” she said.
While some might say the idea of changing continents would be enough of a challenge in itself, Denham isn’t losing sleep over taking her post as the GDPR comes into force, despite the relative chaos that may present. Rather, she thinks it’s brilliant timing.
“It’s a wonderful opportunity to be in on the ground floor of leading and managing change,” she said. “The U.K. information commissioner is going to be deeply involved in getting ahead of the curve on implementation so the commissioner’s office can advise businesses and government bodies on how to get things right,” she said. "I am welcoming the challenge. I also think there’s no better time to get people and individuals focused on data protection. There’s no better time than when you’re ushering in a new legal regime. So I’m not daunted by that.”
A quick Google search on Denham would indicate she's not afraid of change. She's been highly active in bringing investigations and cases involving new technologies, including body cameras, facial recognition, license plate scanners and spyware, and she's been a staunch advocate for responsible and restrictive data collection in the name of human rights.
But there is an aspect of change the GDPR will bring that Denham admits is a concern, as she mentioned in her confirmation hearing. The GDPR will do away with the ICO’s current funding model; 80 percent of the funding for the ICO came from data processor notification fees. So Denham’s job will be to come up with a new funding plan to support her office of hundreds of employees. She says that will likely involve some other sort of fee mechanism, but that will require governmental and legislative approval.
With her move to the ICO, Denham joins a growing list of regulators who’ve made a career out of regulating in the privacy space. Poland’s data protection commissioner, Wojciech Wiewiórowsk, moved to assistant EDPS; Peter Hustinx moved from regulating the Netherlands to serving as EDPS for a decade.
Denham said becoming a career regulator was never really the plan, but it wasn’t really an option when she started out, either.
“When I was going to university in the 1970s and 1980s, that’s not what I set out to do. There were very few roles in place then,” she said. “My background is around information-management, which I think is a fit for this role because if you’re in information management in archival sciences, as I was, you are in a role where you are facilitating appropriate and ethical access to records. So you can see there’s a connection there.”
Her CV includes stints not only as a regulator in British Columbia but also as assistant privacy commissioner in Ottawa and as director at the Office of the Information and Privacy Commissioner of Alberta. But she has also worked in private practice as a consultant and as a privacy manager in the health sector, so she’s experienced on both sides of the table; she’s been the regulated and the regulator.
She said that’s an important background to have for a career regulator.
As she prepares to pack her bags for the U.K., Denham said she’s thrilled to be taking over for Graham and upholding the ICO’s “strong, positive reputation in the field as being a regulator that’s seen as tech savvy and practical.” That aligns well with her approach, she said.
But Graham didn’t have advice for her as he prepares to hand over the proverbial baton, she said.
“His advice to me was to be myself and that he was going to try not to give me advice,” she said with a laugh. “He’s done a fantastic job.”
If you want to comment on this post, you need to login.