Delivered on 24 May 2022
Thank you, Ambassador, for those words of welcome.
Kia ora kotou katoa.
Welcome to you all and thank you so much for coming out.
I have been the UK’s information Commissioner for nearly five months now and this is my first opportunity to address colleagues and stakeholders on continental soil.
It is very humbling to run my eye down the list of RSVPs and to note the presence of so many of my DPA colleagues with whom I, and my office have worked so closely over the years. Thank you for coming out.
To see also the representatives of academia and civil society, who are so important in holding us as regulators to account and as advocates for those unable or ill-equipped to speak up for their own interests.
And the regulated community, those innovators who bring us the wonders of technology, who have done so much for the productivity of our economies.
I greet you here at a time of conflict – conflict so barbaric and cruel that it forces a reappraisal of one's sense of perspective for one’s own domain, as several of us discussed at a dinner function last night.
But even setting aside the horrors of the war on Ukraine we are in the midst of conflict here, in Brussels as the aftermath of that painful divorce, of Brexit continues to ripple across both sides of the Channel.
As a recent arrival from as far away as it is possible to get from Brussels and London the extent of the very human experience of hurt and loss and grief that I have witnessed both in the EU and in the UK has surprised me. From New Zealand, Brexit looked like a bitter family dispute within the UK, but a more abstract and clinical practice of statecraft as between the EU and the UK.
Having arrived here I see it is much more. There is genuine deep personal hurt amongst politicians, and officials and in pockets of the community both in the UK and in Europe about the conduct and attitude and position of the other.
As an independent statutory officer, with a mandate from the British Parliament to act in the best interests of the people of the United Kingdom it is clear to me that doing so means putting aside or getting past those enmities and working together with my European colleagues, and with industry to ensure the people of the United Kingdom, and of Europe enjoy a high standard of privacy and data protection.
I’ll briefly touch on three areas in which that cooperation and mutual respect can provide win/win outcomes for both populations, and beyond.
Law reform
There is law reform coming in the UK. You will hear politicians speak of the need to secure a Brexit dividend, and rhetoric describing the benefits of being free of the red tape of European regulation.
We are yet to see the proposals in black and white after the consultation period, but I can assure you that I, and my staff, have worked closely with officials and Ministers to ensure that all that is good about the GDPR is not traded away for hypothetical gains.
Decision makers in the UK are well aware of the value of retaining the European Commission’s adequacy determination, and the costs of losing it. I am confident that what will emerge from the reform process will reassure Europeans that Europeans data in the UK will continue to enjoy the same high standard of protection that it does within the EU.
I urge you to look beyond any political rhetoric, and stress test the proposal against a criteria of risk to EU interests, and I am sure when you do so you will find it holds up.
Avoid divergence
Regardless of the presentation of the law, we now have two systems for data regulation in Europe. The EU way, and the UK way. I have said publicly, that the ICO should be in a position to deliver more timely decisions, to be more “fleet of foot” in enforcing rights and obligations and providing clarity to industry about the application of the law. I believe that to be the case.
But in delivering that benefit, I have heard from industry that I should take care to avoid unnecessary divergence in approach. I hear and acknowledge that. Just last week, I was hearing from UK Finance (trade body), and they could not be clearer with this message.
The mechanisms for consistency in the application of the GDPR are no longer formally available to us, and we no longer have a seat at the EDPB. I think that is regrettable, and I urge the Commission and the EDPB to recognise the importance of allowing independent regulators to work collectively regardless of the state of relations between our political masters.
In the absence of those multilateral opportunities, I will continue to work bilaterally with my European colleagues, and to formalise our arrangements with memorandums of understanding of the sort we already have in place with Australia, New Zealand, the Philippines and Singapore.
Data flows
The second area requiring our collective application is international data flows. This is an area crowded with expensive proxies, which impose significant cost on industry and governments, but which provide dubious benefits to those they are intended to protect. By proxies, I mean standard contractual clauses, binding corporate rules, individualised adequacy determinations, accreditation programmes like APEC’s CBPRs.
They are proxies for the recognition of some of the most fundamental duties any state owes its citizens, the duty to protect them. And a recognition that in order to discharge that duty, organs of the state, being its security and intelligence arms from time to time need lawful, proportionate access to personal information.
If there is one thing the crisis in Ukraine gives us, it is the opportunity to define ourselves a grouping of rule of law respecting western liberal democracies who share common values and a commitment to a set of principles under which that first duty can be discharged. Once we do that, we will pave the way for more frictionless data flows, what Shinzo Abe called “Data Free Flows With Trust”, which will bring enormous economic benefits to all nations involved.
But that must happen at state-to-state level. Progress is being made at the OECD, and I look forward to seeing that work mature. Until then we need to keep working on the least bad options, and to that end I welcome the work of the DCMS International Data Transfer Expert Council.
Enforcement cooperation
Finally, this world of globalised digital industry requires coordinated enforcement. Coordinated across DPAs, such as in the case of the Clearview facial recognition case I concluded yesterday. That was an investigation conducted in collaboration with my Australian counterpart.
But also coordinated across disciplines. It is increasingly important that regulators concerned with different aspects of the digital ecosystem are able to work together to achieve optimal outcomes for consumers.
The Digital Regulatory Cooperation Form in the UK brings together the Competition Markets Authority, the Financial Conduct Authority and Ofcom, the content regulator to ensure a joined-up approach to digital regulation. It is through initiatives like the DRCF that we will be able to get AdTech regulatory solutions that keep privacy wins like Apple’s Ad tracking transparency and Google’s third-party cookie retirement without sacrificing them to competition imperatives.
There will be many other examples such as when we work with Ofcom to safeguard children’s digital safety by the coordinated application of the ICO’s Kids Code, and the Online Safety Act, which will hold platforms to account for content.
To return to my opening theme, in the maelstrom of conflict and politics, it is important that regulators like me retain a laser focus on what is in the best interests of, and is going to make the greatest difference to, the communities we serve, and allocate our time, resources, and regulatory tools accordingly. That’s what I’ll be doing and if I reach out to you and seek your assistance or engagement, you can be assured, that that is all that is on my mind.
Thank you again for coming. Please enjoy a drink in this wonderful hall.