So farewell then, Christopher Graham, the outgoing Information Commissioner after 7 years in the seat; and welcome Elizabeth Denham, presently Information and Privacy Commissioner of British Columbia - but confirmed this week as the government's preferred choice for the new UK head regulator in the fields of data protection, freedom of information and environmental information.
Although the transition has been long-scheduled – Graham’s stint has already been extended by two years, the maximum permissible under the Protection of Freedoms Act 2012 – it is nonetheless the most notable move by the Department of Culture, Media and Sport since DCMS took over responsibility for the ICO from the Ministry of Justice in September 2015. Denham is the first Canadian to be Information Commissioner in the UK, but not in fact the first Elizabeth (Elizabeth France was the first person to take the present title, having been the incumbent Data Protection Registrar when the 1998 Act came into force). The reign of Elizabeth II is slated to last five years (as was Graham's initially); so what will her tenure hold?
The most imposing pile sitting in her in-tray will be oversight of the implementation of the General Data Protection Regulation (GDPR), and bringing the ICO's various guidance notes into line with it over the next two years. If the pattern continues from how the ICO has chosen to interpret the 1998 Act – namely a strict reading which sometimes seems more hawkish than the legislation intended – then practitioners and organisations may be forgiven for reserving judgment on the practical effect of the GDPR until we see the express ICO Guidance on how it expects UK data controllers to apply the new law. This, after all, will be the yardstick by which most everyday interpretation and implementation of the GDPR will be measured – not to mention its enforcement.
It seems likely that getting the UK "GDPR-ready" will be on the agenda regardless of Brexit: with the GDPR due to be adopted shortly, the UK has undertaken this direction of travel already and – whatever action a newly-sovereign Parliament might take on existing or pending legislation – it may well opt to bring the UK in line data-wise with its trading partners in Europe, helping to facilitate any transitional period. It is interesting therefore that DCMS has selected someone from outside Europe to take up the role although, as Graham has noted, Denham brings experience from a similar jurisdiction to the UK.
By her own account, "promoting information rights" has been Denham's top priority in her most recent role in British Columbia. She has also served in a national position, as Assistant Privacy Commissioner of Canada between 2007 and 2010. In this role, according to her official profile, "she led a ground-breaking investigation into the privacy practices of Facebook which resulted in changes to the social networking site – changes that were implemented on a global basis." It also notes that her discussions with Google "prompted improvements to the company's street level imaging service in Canada."
Commentators have noted Denham's willingness to challenge government both on freedom of information and data security/privacy issues. A columnist for the Vancouver Sun described her as "one of the most effective of all the independent watchdogs on government conduct". She is a self-confessed "proponent of open government and open data" and one of her most significant reports led to police charges against a former ministerial aide. The Vancouver Sun piece noted that, "Even though Denham embarrassed the Liberals [the governing party] on both privacy and access to information, she also earned their respect."
Her appointment at the ICO is subject to a pre-scrutiny hearing by the House of Commons' Culture, Media and Sport Select Committee and formal approval by Her Majesty The Queen before she can take up the role in the summer.
And what of Christopher Graham? His reign has been characterised by a steady increase in enforcement activity and in particular the level of fines in two areas, namely data security breaches and direct marketing contraventions. In the latter area in particular he has set himself somewhat at odds with the embattled charity and fundraising sectors, with some feeling his office had changed course over a longstanding ‘unspoken’ position that charity fundraising was a special case (“It is a matter of some disappointment that the Institute of Fundraising appeared to be resisting the reality that the direct marketing guidance did apply to the charity sector," he announced in October last year). Graham also caused a small stir by expressing doubts about one of the key recommendations of the Etherington Review on charity self-regulation (namely, a “fundraising preference service” opting out of cold calling, similar to that already available for telephone numbers but lacking the statutory backing presently provided by the PEC Regulations).
It will be interesting to see if Elizabeth Denham takes up the same cudgels or adopts a fresh approach to this and other sectors. Graham, for his part, has acclaimed her as an “inspired choice” and “effective upholder of information rights” with “independence of judgment and toughness of character”. In short, someone he may feel is in his own image – but who, by reputation, perhaps retains the capacity to surprise us.
If you require further information on anything covered in this briefing please contact Owen O'Rorke (owen.o'[email protected]; 020 3375 7348) or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, April 2016