sdecoret - stock.adobe.com
The UK’s outgoing information commissioner Elizabeth Denham is set to join global law firm Baker McKenzie, which previously defended Facebook against privacy enforcement by her office.
Denham joined the Information Commissioner’s Office (ICO) in 2016, where she oversaw the introduction of the General Data Protection Regulation (GDPR) in May 2018, and is due to be replaced by current New Zealand privacy commissioner John Edwards.
According to a press release from Baker McKenzie, Denham will join the firm’s London office from January 2022 as part of its global data and technology team, where she will work as a consultant to advise its clients on data protection best practice, strategy and wider technology regulation trends.
Baker McKenzie’s chair of global data privacy and security business unit, Brian Hengesbaugh, said Denham’s appointment was a “real coup” for the firm: “No stranger to grappling with some of the thorniest issues in the field of technology and how our data is used and accessed, Elizabeth’s appointment will bring yet greater strength and depth to this core area of focus for the firm.”
However, Denham’s exit from her regulatory role straight into a private sector job representing the companies she used to oversee the behaviour of has led some to decry the revolving door between regulators and industry.
Andrew Pakes, deputy general secretary and research director at union Prospect, said: “The revolving door between regulator and business speaks volumes about the lack of transparency in the world of Big Tech. It simply should not be possible for someone to be regulating one day and then potentially advising someone how to avoid that regulation the next.
“Big tech already has the firepower to out lobby unions, community and civic rights organisations, especially at such a sensitive time around data and AI [artificial intelligence] regulation.”
He added that incoming commissioner Edwards has a “huge challenge” ahead, and that data rights at work should be prioritised under his tenure.
“AI is increasingly being used in the workplace and regulation is in danger of lagging far behind. We cannot simply have a free-for-all on data and technology rights with workers paying the price. By working with trade unions and workers on these issues, the new commissioner has the opportunity to create a fair and equitable environment that works for both businesses and workers,” he said.
Estelle Massé, global data protection lead at global human rights organisation Access Now, noted that the announcement of Denham’s new job comes just two days after she formally left the ICO on 30 November 2021.
“The timeline of the move raises serious questions of independence and possible conflicts of interest. Was the commissioner in talks with Baker McKenzie for a job while investigating some of the companies the law firm represents, including Facebook? Was the ICO staff notified of possible conflicts of interest and what measures were taken to avoid them? The former commissioner and ICO should answer these questions,” she said.
“The disproportionate power of giant tech companies is not only reflected in how their platforms operate, but in the amount of lobbying they do and the resources they have to hire talents and people of power.
“This case shows how crucial ensuring the independence of data protection authorities is. There should be clear rules and processes around positions that commissioners and DPA staff can move to limit conflicts of interest.”
Speaking to the BBC in October 2021, Denham said that the sheer scale of technology companies and the vast resources at their disposal often leads to regulators being overwhelmed and therefore slow to take action.
“The other thing that I’ve learned in this job is that big tech not only has lobbying power, but it has really deep pockets,” she said. “So when it comes to litigating, these companies are definitely willing to litigate against public authorities like my office. [Their] deep pockets means that there is an inequity of arms when we are tackling these.”
Asked if her move to Baker McKenzie will contribute to the “inequity of arms”, Denham disagreed: “One of the things that excites me about the opportunity is being able to bring that regulator’s perspective to the law’s firm clients so that they can make informed decisions knowing what someone with my background thinks about the compliance and product design challenges that they are facing. This is particularly the case for the law firm’s clients’ compliance with the Age Appropriate Design Code, and advising on privacy and security by design.”
She added that her work with Baker McKenzie is part-time, and that she has accepted two civil society roles – one in the UK and one in Canada – which will be announced in the new year.
“My plan is for a portfolio career to continue to do policy work that supports people’s rights in the UK, North America and elsewhere,” she said.
In response to whether she sees a conflict of interest, Denham said: “No. I understand why this question is being asked, and it is completely valid. Both I and Baker McKenzie are very conscious of the need to respect my previous regulatory role and responsibilities, as well as all confidentiality and professional obligations that arise from them. All of this has been considered and planned for appropriately.
“In addition to the legal obligations placed on any serving former commissioners by the Data Protection Act 2018 (section 132), my work will not involve any contact with or representations to the former office for a period of at least one year.”
The ICO has said that since its employees are not civil servants or ministers, Denham did not need approval from the UK’s Advisory Committee on Business Appointments to join her new employer.
“Once they have left their role, there are no restrictions on the work the former commissioner can undertake,” said an ICO spokesperson. “The ICO also has strict policies governing the declaration of any interests. No conflict of interest has been identified with regard to this role.
“The information commissioner, and all their staff, are also required by law to maintain the confidentiality of the information they receive as part of their job. This applies both during and after employment at the ICO.”
In response to questions from Computer Weekly about Denham’s role, Baker McKenzie said in a similar statement to Denham that any potential for a conflict of interest has been considered and planned for appropriately.
The firm also confirmed to Computer Weekly that Denham will be barred from contact with or representations to her former office for at least a year: “Baker McKenzie has a firm commitment to good governance and the rule of law, which is one of the reasons why we are so excited to have Elizabeth join us and bring that regulator’s perspective to our team.
“In addition to the legal obligations placed on any serving former commissioners by the Data Protection Act 2018, Elizabeth’s work will not involve any contact with or representations to her former office for a period of at least one year.”
Baker McKenzie and Facebook vs the ICO
Facebook was previously represented Baker McKenzie when, under Denham’s oversight, the ICO took enforcement action against the company in a case that ultimately ended in a confidential settlement.
In that case, the ICO originally imposed its maximum penalty of £500,000 on Facebook in October 2018 for serious breaches of data protection law related to Cambridge Analytica, after finding that Facebook “processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had”.
Denham said at the time: “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”
A year later, in October 2019, Facebook settled with the ICO, agreeing to pay the £500,000 penalty, but not accepting liability.
In a statement at the time, the ICO said Denham “considers that this agreement best serves the interests of all UK data subjects who are Facebook users”.
But addressing the UK’s Parliamentary Sub-committee on Online Harms and Disinformation in January 2021, Denham revealed that a secret arrangement between her office and Facebook prevented her from publicly answering whether or not Facebook had contacted the ICO about completing an “app audit” – something Facebook CEO Mark Zuckerberg had publicly committed to before a US senate committee in April 2018.
“I think I could answer that question with you and the committee in private,” Denham told MP Kevin Brennan when asked whether or not the ICO was contacted about the audit.
There was no mention of this arrangement when details of the deal between ICO and Facebook were initially announced in October 2019, but Facebook, under the terms of the agreement, did obtain permission to “retain documents disclosed by the ICO during the appeal for other purposes, including furthering its own investigation into issues around Cambridge Analytica”.
Asked why this decision was reached, Denham said she is not permitted by law to comment, and further noted that Facebook was “issued with the highest penalty that the law at the time entitled the ICO to impose”.
Baker McKenzie and big tech
In October 2021, an investigation by the International Consortium of Investigative Journalists (ICIJ) based on the Pandora Papers found that Baker McKenzie – which employs around 4,700 lawyers across 46 countries with revenues of $3.1bn – has helped a number of multinational corporations to avoid taxes and scrutiny through the use of shell companies, trusts, and offshore tax havens.
This includes big tech firms Apple, which it helped find a tax haven, and Facebook, which its lawyers helped route billions of dollars in profits to low-tax destination Ireland.
In December 2020, it was reported that Facebook paid just £28.5m in UK corporation tax in 2019, despite reaching a record £1.04bn in gross profit that same year.
Baker McKenzie told the American Lawyer THAT it strongly disagreed with ICIJ’s reporting, which it claimed was “highly selective, contains inaccuracies and is speculative in nature”.
A spokesperson added: “Baker McKenzie is built on the principles of integrity, transparency, professionalism and adherence to the highest standards of ethics. We advise clients around the world on matters of law, and strictly comply with the law in every jurisdiction in which we operate.”
Asked to comment on the ICIJ investigation, Baker McKenzie provided a link to a webpage about its global tax practice.
Read more about UK data protection regulation
- The UK’s Information Commissioner’s Office has launched a consultation on the use of personal data by employers, including in workplace monitoring technologies, which will be used to update its existing Employment Practices guidance.
- Biometrics and surveillance camera commissioner Fraser Sampson has panned the UK government’s proposed plan to absorb the functions of those roles under the remit of the information commissioner.
- Proposed data gathering powers for UK police could override existing data protection rules, damage citizens’ trust in essential public services and further entrench discriminatory policing practices.