Elizabeth Denham’s appointment was greeted with some real excitement among the data protection elite. It is a somewhat geeky but highly discerning crowd; it had heard of developments in Elizabeth Denham’s former stamping ground of British Columbia and it dared to hope. She is, by all accounts, genuinely gifted, truly expert and committed to the highest standards.
But things have changed since Elizabeth Denham’s appointment. You will have noticed the referendum result. While its impact on FOI is limited (ie I cannot think of any), it has quite a big impact on data protection and will leave Elizabeth Denham with a role that is rather different from the one she probably envisaged. Moreover, if grappling with that was not enough, the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 have added to the ICO’s responsibilities – making Elizabeth Denham the supervisory body for that field.
But I suspect that, important as e-IDAS is, it is the impact of the GDPR that will edge towards the top of the agenda.
The maths of GDPR is easy – it is less than two years from obligatory application. On all but the most outlandish assumptions about the pace of Brexit, the GDPR will be in force while we remain a full member of the EU. (Given what has happened over the last few weeks, making outlandish assumptions might well be a sensible career path but it is not one I intend to pursue.) But it isn’t quite so outlandish to imagine a scenario where we are clear on a Brexit strategy by the time the GDPR is due to come into force and elements within the data industry suggest that, given the limited period for which the GDPR might then have automatic effect, it really isn’t worth bothering with. If some of the ICO’s industry-friendly enforcement policies were to be continued, that suggestion might have been seriously considered, but one upshot of Brexit is that lax enforcement, both of the current regime and the post-GDPR regime, will have to be a thing of the past. If we are out, we will need an unassailable ‘Privacy Shield’ if data-rich organisations are to prosper here. And the IP Bill won’t make that easy. Plus it is worth remembering that the EU is not the only international body that cares about data protection – there are many governments that will be ready to throw stones if we build a glasshouse, including those with prominent glasshouses of their own.
Whatever the new Commissioner’s preferences and whatever the Brexit strategy, the UK’s data protection supervisor will have to be entirely above suspicion. Elizabeth Denham will not be a part of the European Data Protection Board post-Brexit and may be on the edge of its decision-making processes prior to it. It doesn’t follow that she will be the victim of a gang of schoolyard bullies but you cannot feel sure that she won’t.
All in all, life is not going to be easy.
I have a suggestion for resolving the difficulties that might arise. Remember that the GDPR is actually in force; it is just that Member States are not yet obliged to apply it. A positive commitment to the GDPR might mean that the UK can take a central, leading role rather than finding itself on the periphery. The radical move to make, trumping any words that can be uttered and showing the most emphatic and most positive commitment, is to bring the GDPR into force in the UK in the next legislative cycle.
That’s not undermining Brexit (even if one might wish it would). It is acknowledging that data protection needs reform and has already waited too long for it, that we have little realistic choice but to follow those parts of the GDPR that are obligatory and that our many tech-related industries need certainty.
Bringing forward such legislation quickly would be demanding. But, ironically, post-Brexit uncertainties might free up the Parliamentary timetable and make speedy passage of a new Bill possible. A fresh Information Commissioner with energy and no baggage might just be able to swing it. If she aims for something that ambitious, she’ll need and deserve all the luck.