Westminster eForum events often take place at awkward moments for the British government: drone conferences just after airports have been shut down; white paper previews when publication has been postponed; ethics discussions the morning after Parliament has been illegally prorogued, and so on. As such, they offer a superb opportunity to hear Whitehall representatives and their colleagues from business, academia, and the third sector wrestling with the urge to be indiscreet.
And so it was that the latest eForum last week on UK data protection regulation took place just as noises from Downing Street suggested that the UK may pursue a No Deal Brexit during or after the 2020 transition period. No deal on trade would also mean no deal on data hosting, processing, transfer, privacy, and protection – as would regulatory divergence. Eighty percent of UK organisations have data in the EU, 81% of the economy is in services that rely on data, and 75% of the UK’s international data flows are to and from Europe. No Deal is demonstrably bad for business if you deal with personal information.
After the eForum took place, the government announced that it plans to have an independent data policy in place by the end of the transition period, and will seek an adequacy decision under both the General Data Protection Regulation (GDPR) and the Law Enforcement Directive. More on that later.
The eForum also came just days after Google announced that it was shifting UK customer data out of the GDPR zone and into the US. Outspoken critic of UK divergence (see my previous report) Patricia Christias, Microsoft UK’s Head of Legal, was asked what she thought of Google’s move. She told me:
Clearly they made their own decision about what they thought they needed to do. So I probably can't comment any further. But we have at our core tenant transparency. Customers should know where their data is. There’s this mindset of ‘your data is in the cloud, it's up in the sky, you can't see it’, but it’s about data centres, those data centres are in countries, and those countries have the rule of law.
For us, our approach to our online services terms is certainly to get that transparency. You would end up with an addendum of hundreds of hundreds of pages [of policy] if you are going to talk about every single loss. We're on the side of talking about lawful mechanisms and transfer.
We’re not all the same.
Noted. For Ruth Boardman, Partner and Joint Head of the International Privacy and Data Protection Group at legal practice Bird & Bird, the UK need not diverge from the core principles of GDPR, but it could amend the Data Protection Act 2018 to reduce its administrative burden and obligations for SMEs.
One way to do this, she suggested, would be to remove the principle that exemptions to GDPR only apply to organisations that process personal data occasionally. However, it was far from clear why company size is relevant in a data economy; any startup or digital-native SME might process vast amounts of sensitive personal information.
A more radical update, she said, would be to make it easier for healthcare specialists to use confidential patient data in developing new treatments via machine learning and artificial intelligence. In this way, the care system could be transformed from a reactive regime to a preventative one.
That would be in line with Whitehall’s aims for the technology, but again there are difficulties. First, confidential is as confidential does. And second, is that healthcare provider the NHS, working for the taxpayers who fund it? Or might it be a tax-avoiding US Big Tech platform, monetising data to make its offshore shareholders wealthy?
One response to that might be, if it leads to cures for heart disease and cancer, do the business ethics matter? To which the answer is: like big pharma before it, that would depend if profit is put before patients’ lives, especially if their data helped find the cure but they have been priced out of ever receiving it.
The eForum also took place shortly after the EU issued new proposed guidance on data and AI policy. That set out a vision of creating a single, agile market for every kind of data, with privacy and interoperability at its core – a data market of half a billion people that the UK has just walked out of. (Imagine the patient data that a healthcare AI startup might have had access to!)
With some US states and companies edging towards adopting privacy and trust as competitive differentiators, it’s the wrong time for the UK to amp up the rhetoric about regulatory divergence; the global trend is towards GDPR, not away from it. The UK has also long been a bridge between the US and Europe. Why set fire to it? Nevertheless, the conference zeroed in on how Britain might keep GDPR, modify it, or abandon it completely for reasons unknown (to appease President Trump in a trade deal, perhaps).
For Mark Thompson, Global Privacy Lead at KPMG, tortuous animal metaphors were the order of the day. In his view, GDPR has divided organisations into a menagerie of different data governance approaches: the emus, with heads buried in the sand (shouldn’t that be ostriches?); the donkeys, who “kind of understand” data protection, but think it’s a cybersecurity problem (just say asses, Mark, it’s fine); the armadillos, who shield themselves with documentation that the company never reads; the cheetahs, who swiftly picked up on Article 30, but not much else; the lions (hurrah!) who think they’re supreme at data security, but still get hit with whopping fines; and the wily foxes who step back, focus on risk, consider their businesses, and put their customers first (bless).
To stretch the metaphor further than Thompson would like, the problem is that some in Whitehall enjoy getting on their policy high horses, galloping into ditches, and tearing foxes to shreds – in this case, via the medium of anti-EU rhetoric and other statements that alarm business leaders.
Either way, GDPR has forced every organisation to change, he said, “from the leaders all the way down to the cleaners on the floor in data centers”. Don’t worry Mark; soon there won’t be any more cleaners.
For Dyann Heward Mills, founder and CEO of outsourced DPO provider HewardMills, the Data Protection Officer and GDPR stand at the core of building trust, which is vital to surviving in the digital world. She said:
The role is hugely important in terms of demonstrating accountability. You do have to be the bearer of bad news at times and report breaches to the supervising authority, and you've got to know what you're doing in those situations. You are also the interface with consumers and employees, and you need a multitude of skills – language capability and legal skills as well. It's very difficult for a single individual within an organisation to be able to carry all that out effectively.
Hence GDPR has spelled opportunity for data governance and protection experts with impressive commercial acumen, such as Heward Mills, who can help organisations to use data well while keeping in line with the law.
But weren’t the regulations designed to help build a European technology powerhouse in answer to US and Chinese dominance, rather than give lawyers something to celebrate? As Dawn Monaghan, Head of Information Governance Policy at NHSX, the unit driving digital transformation in the UK health service, observed, complexity causes paralysis. What organisations need is a simplified, joined-up, embedded approach to best practice in information governance.
This ought to be where the Information Commissioner’s Office (ICO) steps in. At last year’s eForum on GDPR, Jonathan Bamford, Director of Strategic Policy (Domestic) at the ICO, said:
The simple truth is that, in a global regulatory environment, we really need to cooperate. [...] Things that affect people here are no respecters of national boundaries. Some people think that there’s going to be some magic data adequacy agreement coming from the European Commission [by the original proposed Brexit date in 2019]. I don’t think that’s going to happen, and the European Commission and the UK government don’t think that’s going to happen. So you really do need to think about that.
Fast forward to 2020, and there is still no agreement in place and a real prospect of the UK again pursuing a No Deal Brexit. While the government said at this year’s eForum that it remains committed to signing a data adequacy arrangement by the end of the year, our increasingly belligerent politics may put paid to that.
Until then, the intention to permit data to continue flowing between the UK and countries in the European Economic Area (EEA) is there, but transfers of personal information from the EEA to the UK will be affected until a specific agreement is put in place.
So could the ICO offer any clarity and solace to delegates this year, or at least a blunt assessment of where the UK stands? Steve Wood, Executive Director of Regulatory Strategy, took the podium, but seemed oddly unfocused – perhaps thanks to sharing the stage with a DCMS representative who had clearly been briefed to say nothing (see my previous report for more on that).
At this point in the nation’s history, Wood perhaps had little choice but to spend 10 minutes explaining that the ICO will carry on doing what the ICO does so well – even if a zombie apocalypse is happening just outside the window and the streets are full of screaming people, explosions, and shuffling corpses. He said:
The ICO’s approach in tackling these challenges is to focus on proportionate regulation over the coming years. You can still expect to see the ICO offer guidance, advice, and support to help organisations get compliance right first time. Those are the best mechanisms for getting regulation right. But making sure we do take action against the biggest risks and harms.
At the heart of good data protection regulation is an effective and flexible model of accountability, which can scale and work in many different scenarios and contexts, and sizes of organisations. The ICO will continue to promote an accountability model for compliance.
In short, nothing to see here, move along. But Wood did offer a hint of directional thinking, and once again those hard-pressed SMEs and the allure of AI were both in the frame:
Most organisations want to get things right first time, and they need simple tools to integrate compliance into their day-to-day activity, especially small to medium-sized businesses or small public bodies. Not all of these will have dedicated Data Protection Officers.
We're transforming the ICO to develop a large, dedicated team providing support for SMEs to better understand the needs of the sector and develop new tools and advice, and support their implementation of GDPR. Effective regulation also relies on a network of partnerships and effective knowledge sharing, a mixture of creative ideas about how we tackle fundamental data protection issues.
As the digital ecosystem becomes more complex [...] we need to be sensitive to the needs of different sectors, and be able to complement the activities of other regulators. So we're increasingly working closely with others, such as the Financial Conduct Authority and the Competition and Markets Authority, and we see common challenges relating to online communications, the use of artificial intelligence, and questions of choice and competition online.
As a regulator we're committed to collaboration and working in partnership and delivering the right guidance to help organisations actually use AI in practice, both in the private and public sectors. The other area where we're particularly focusing our efforts, is to do more to promote privacy by design, to work out practical ways to make this happen on the ground, to ensure that privacy and data protection safeguards are built in from the start of the design process.
Good news. In some ways, GDPR was itself intended to guarantee a form of privacy by design, and to encourage innovation, not tie it up in red tape – despite the anti-regulation rhetoric of some in UK government. The challenge facing Whitehall now is how to tear up regulations in pursuit of that ideology, while not destroying the nation of small – and large – businesses that it claims to support.