Good time to be in data protection, says information commissioner

There has never been a better time to be in data protection, Elizabeth Denham has told an IAPP data protection conference in London, addressing some key questions about the changing data protection regulatory landscape

The allegations around Cambridge Analytica and Facebook, and the discussion they have sparked around the world, are an opportunity to focus on privacy, according to UK information commissioner Elizabeth Denham.

“The debates that are taking place in the US and UK about how to ensure data protection rights are in place, the data analytics investigation that is under way in our office, and the interest among international regulators are all effecting change around the world,” she told the IAPP Data Protection Intensive conference in London.

Denham said she also senses a shift in the posture of industry as regards privacy regulation in the US. “It is clear to everyone that data protection is essential for our democracy,” she said, pointing out that this was the reason the Information Commissioner’s Office (ICO) had launched its investigation into the use of personal data and data analytics in political campaigns.

“The Cambridge Analytica-Facebook allegations are only one line of inquiry in our investigation, but of course it was heightened in February with whistleblowers and witnesses coming forward,” she said. “In all, we are looking at 30 organisations – social media platforms, data companies, campaigns and political parties – to pull back the curtain on the use of personal data in modern political campaigns.”

Denham said the investigation report will describe the realities of data-driven political campaigning and examine matters such as whether the rules are clear and how personal data use is enabling the micro-targeting of adverts and campaigns, as well as what public policy changes the ICO recommends.

“Speculation is rife, but our investigation will be thorough, independent and focused and we will make our findings and conclusions public,” she said. “If we find that the law has been broken, we will take the necessary enforcement action.”

Turning to the ICO’s regulatory powers, Denham said that as a regulator, the ICO investigates systems “in situ” to see how personal data is actually being used and managed.

“The unique nature of modern data protection regulation is that our role involves understanding the effect of algorithms and analytics,” she said. “We have to look for inter-relatedness between data sets and the effect they have on decisions. We may need to see these effects in short time periods in the context of a fast-moving investigation.”

Under the EU’s General Data Protection Regulation (GDPR), Denham said the ICO will have the power to audit all those who hold, use and share personal data.

“But, in the context of this particular investigation, the GDPR audit power is already being outpaced by technological advances in data analytics,” she said. “I want to see this addressed.

“I am in intense consultation with government, to ensure that, as part of the Data Protection Bill, the ICO has the ability to move more quickly to obtain the information we need to carry out our investigations in the public interest.”

The ICO needs to respect the rights of companies, said Denham, but it also needs streamlined warrant processes with a lower threshold than the current one. 

“We need the regime to reflect the reality that data crimes are real crimes,” she said. “As society moves increasingly online, data protection law needs to have the comprehensive reach that people would expect of laws in the physical world.”

According to Denham, the ICO is gearing up to be a “relevant, future-focused regulator”, and once GDPR compliance becomes mandatory in “only 27 working days”, it expects more breach reports, more complaints and greater engagement with organisations as they turn to it for advice.

To prepare for this, Denham said she is strengthening her team in both numbers and expertise, which has been enabled in part by a new funding model agreed by parliament, taking the ICO’s current budget of £24m a year to £38m in 2018/2019.

“We are recruiting all levels of staff, including 10 newly created director roles, across the UK – at our offices in Edinburgh, Cardiff, Belfast and London as well as Wilmslow – to give us the capacity, capability and resilience to tackle our developing regulatory brief,” she said. The current ICO headcount of 520 is expected to increase to 700 by 2020, she added.

The ICO has identified three areas of focus – cyber security, artificial intelligence and device tracking, said Denham. “These three areas will inform our guidance, our proactive work, our investigations, audits and advisory services,” she said.

Denham took the opportunity to highlight the ICO’s planned “regulatory sandbox” for organisations to beta test initiatives, supporting innovative digital products and services, while ensuring that the right safeguards are in place.

“We intend to focus on AI applications and will launch the programme in 2019 after this year’s consultation,” she said.

“This technology strategy is based on the strong belief that privacy and innovation go hand in hand. It also allows us to develop our own skills, recruiting and retaining technology expertise and establishing partnerships on tech issues with outside experts, other regulators and international networks.”

Bring in new talent

Denham also mentioned the ICO’s secondment programme, which aims to bring in new talent in the form of legal staff, auditors and international liaison experts.

Turning to the subject of fines under the GDPR, Denham said she has no intention of changing the ICO’s proportionate and pragmatic approach after 25 May.

“My aim is to prevent harm, and to place support and compliance at the heart of our regulatory action,” she said. “Voluntary compliance is the preferred route.

“But we will back this up by tough action where necessary. Hefty fines can, and will, be levied on those organisations that persistently, deliberately or negligently flout the law.

“Report to us, engage with us. Show us effective accountability measures. Doing so will be a factor when we consider any regulatory action.

“And we now have a whole new set of tools for compliance: privacy by default and design, data protection impact assessments, accountability mechanisms, data protection officers. All these things, and more, form an integrated package.”

Further expanding on the topic of fines, Denham said that when the ICO needs to apply a sanction, fines will not always be the most appropriate or effective choice.

“Compulsory data protection audits, warnings, reprimands, enforcement notices and stop processing orders are often more appropriate tools,” she said.

“None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on reputation and, ultimately, companies’ bottom line.”

Another key point about the GDPR, said Denham, is that organisations will not need to report every single personal data breach to the ICO.

“But where you do need to report, we have made the reporting process simple and effective,” she said, adding that the ICO has implemented a telephone-based breach reporting service that can handle 30,000 reports a year.

“Call our breach reporting line and you’ll get a human response,” she said. “Our focus will be on identifying whether your breach is a reportable one, working with you and calling in whoever else we need to involve, to help you make the right decisions in those key first few days.

“We have built a dedicated team to deal with data breach reporting and we will be extending the hours of the office to manage reporting under the GDPR and NIS directive.”

The Brexit effect

On the topic of Brexit, Denham said the impact of the referendum result of 23 June 2016 has occupied much of her time since she took up her role. “As commissioner, one of my important jobs is to objectively advise government and parliament on law reform that ensures high standards of data protection for UK citizens and consumers, wherever their data resides, uninterrupted data flows to Europe and the rest of the world, and legal certainty for business and law enforcement,” she said.

“Government has explicitly said it values data protection as fundamental to the digital economy and security cooperation. Data protection is a priority area for the Brexit settlement.”

The ICO is currently playing a full role in EU institutions, and is “fully immersed” in creating guidance for the GDPR, she said. “But we are also preparing for the post-Brexit environment in order to ensure that the information rights of UK citizens are not adversely affected.”

Denham added that “unfortunately”, the most significant “unknown” is the exact nature of the ICO’s future relationship with data protection authorities across Europe.

“During two recent speeches, the prime minister has made the case for an ongoing role for the ICO – whether that’s a seat on the European Data Protection Board with voting rights or some other form of relationship, the government and the EU can decide,” she said.

“The ICO is deeply committed and embedded in the EU regulatory community. And that is the message I’ve been giving to parliamentarians when giving evidence to committees looking at the implications of Brexit.”

The UK government has made good on its commitments to fully implement the GDPR and clearly appreciates the importance of high standards of data protection, said Denham.

“I think the government should be commended for their commitment and effort in this regard. And, through our expert advice to the government, and our strong engagement with the Article 29 Working Party, we are striving to ensure that the priorities I identified become reality,” she said.

Increasing the public’s trust and confidence in the way their data is handled is a very high priority for all privacy professionals, said Denham.

“I think the recent revelations in the media have fired up the data protection debate,” she said. “And so they should. Across the world, people are beginning to wake up to the importance of personal data, and it is up to us – as regulator and those striving to comply with the law – to keep that fire burning. If we fearlessly and tirelessly apply the principles that the ICO and the IAPP hold dear, we can build people’s trust and confidence, because their data matters.”
