UK privacy chief denies conflict of interest in new role

The UK’s outgoing information commissioner Elizabeth Denham is set to join global law firm Baker McKenzie, which previously defended Facebook against privacy enforcement by her office.

Denham joined the Information Commissioner’s Office (ICO) in 2016, where she oversaw the introduction of the General Data Protection Regulation (GDPR) in May 2018, and is due to be replaced by current New Zealand privacy commissioner John Edwards.

According to a press release from Baker McKenzie, Denham will join the firm’s London office from January 2022 as part of its global data and technology team, where she will work as a consultant to advise its clients on data protection best practice, strategy and wider technology regulation trends.

Baker McKenzie’s chair of global data privacy and security business unit, Brian Hengesbaugh, said Denham’s appointment was a “real coup” for the firm: “No stranger to grappling with some of the thorniest issues in the field of technology and how our data is used and accessed, Elizabeth’s appointment will bring yet greater strength and depth to this core area of focus for the firm.”

However, Denham’s exit from her regulatory role straight into a private sector job representing the companies she used to oversee the behaviour of has led some to decry the revolving door between regulators and industry.

Andrew Pakes, deputy general secretary and research director at union Prospect, said: “The revolving door between regulator and business speaks volumes about the lack of transparency in the world of Big Tech. It simply should not be possible for someone to be regulating one day and then potentially advising someone how to avoid that regulation the next.

“Big tech already has the firepower to out lobby unions, community and civic rights organisations, especially at such a sensitive time around data and AI [artificial intelligence] regulation.”

He added that incoming commissioner Edwards has a “huge challenge” ahead, and that data rights at work should be prioritised under his tenure.

“AI is increasingly being used in the workplace and regulation is in danger of lagging far behind. We cannot simply have a free-for-all on data and technology rights with workers paying the price. By working with trade unions and workers on these issues, the new commissioner has the opportunity to create a fair and equitable environment that works for both businesses and workers,” he said.

Estelle Massé, global data protection lead at global human rights organisation Access Now, noted that the announcement of Denham’s new job comes just two days after she formally left the ICO on 30 November 2021.

“The timeline of the move raises serious questions of independence and possible conflicts of interest. Was the commissioner in talks with Baker McKenzie for a job while investigating some of the companies the law firm represents, including Facebook? Was the ICO staff notified of possible conflicts of interest and what measures were taken to avoid them? The former commissioner and ICO should answer these questions,” she said.

“The disproportionate power of giant tech companies is not only reflected in how their platforms operate, but in the amount of lobbying they do and the resources they have to hire talents and people of power.

“This case shows how crucial ensuring the independence of data protection authorities is. There should be clear rules and processes around positions that commissioners and DPA staff can move to limit conflicts of interest.”

Speaking to the BBC in October 2021, Denham said that the sheer scale of technology companies and the vast resources at their disposal often leads to regulators being overwhelmed and therefore slow to take action.

“The other thing that I’ve learned in this job is that big tech not only has lobbying power, but it has really deep pockets,” she said. “So when it comes to litigating, these companies are definitely willing to litigate against public authorities like my office. [Their] deep pockets means that there is an inequity of arms when we are tackling these.”

Asked if her move to Baker McKenzie will contribute to the “inequity of arms”, Denham disagreed: “One of the things that excites me about the opportunity is being able to bring that regulator’s perspective to the law’s firm clients so that they can make informed decisions knowing what someone with my background thinks about the compliance and product design challenges that they are facing. This is particularly the case for the law firm’s clients’ compliance with the Age Appropriate Design Code, and advising on privacy and security by design.”

She added that her work with Baker McKenzie is part-time, and that she has accepted two civil society roles – one in the UK and one in Canada – which will be announced in the new year.

“My plan is for a portfolio career to continue to do policy work that supports people’s rights in the UK, North America and elsewhere,” she said.

In response to whether she sees a conflict of interest, Denham said: “No. I understand why this question is being asked, and it is completely valid. Both I and Baker McKenzie are very conscious of the need to respect my previous regulatory role and responsibilities, as well as all confidentiality and professional obligations that arise from them. All of this has been considered and planned for appropriately.

“In addition to the legal obligations placed on any serving former commissioners by the Data Protection Act 2018 (section 132), my work will not involve any contact with or representations to the former office for a period of at least one year.”

The ICO has said that since its employees are not civil servants or ministers, Denham did not need approval from the UK’s Advisory Committee on Business Appointments to join her new employer.

“Once they have left their role, there are no restrictions on the work the former commissioner can undertake,” said an ICO spokesperson. “The ICO also has strict policies governing the declaration of any interests. No conflict of interest has been identified with regard to this role.

“The information commissioner, and all their staff, are also required by law to maintain the confidentiality of the information they receive as part of their job. This applies both during and after employment at the ICO.”

In response to questions from Computer Weekly about Denham’s role, Baker McKenzie said in a similar statement to Denham that any potential for a conflict of interest has been considered and planned for appropriately.

The firm also confirmed to Computer Weekly that Denham will be barred from contact with or representations to her former office for at least a year: “Baker McKenzie has a firm commitment to good governance and the rule of law, which is one of the reasons why we are so excited to have Elizabeth join us and bring that regulator’s perspective to our team.

“In addition to the legal obligations placed on any serving former commissioners by the Data Protection Act 2018, Elizabeth’s work will not involve any contact with or representations to her former office for a period of at least one year.”