The UK Government this week announced that they intend to propose Elizabeth Denham as the new Information Commissioner.
The Information Commissioner leads the Information Commissioner’s Office (the ICO) the data protection and freedom of information regulator for the UK. Denham is currently the Information & Privacy Commissioner in British Columbia, Canada. She will step down from that position when her term ends on 6 July.
Track record
Denham has had 6 years as Commissioner in British Columbia and has been a robust critic of some of the provincial government’s data handling practices. She has also worked on issues like the privacy aspects of social media and the technology used to read car licence plates (two subjects which have also been looked at by the ICO). Our friends in Canada tell us she is highly regarded there and that she has done a good job – for example Stephen Midgley, Vice President, Global Marketing at Absolute, a recognized authority on data management matters described her as “well respected”. The current Information Commissioner, Christopher Graham, has also welcomed her appointment saying that she is “an inspired choice”.
The implications for Canada
Denham’s appointment is part of a small trend of regulators being appointed from other jurisdictions. Mark Carney made a similar move from Canada in 2013 to become Governor of the Bank of England and there have been others before him including John Fingleton who moved from the Irish Competition Authority to the Office of Fair Trading (now the CMA) in 2005. Denham’s appointment however comes at a critical time for the ICO with the coming into force during her term of the GDPR. Her appointment is also likely to be good news for Canada too since there is likely to be a review of Canada’s adequacy status in EU data protection law, which effectively gives Canada special status for data transfers. This adequacy status is a key advantage for many Canadian businesses over their US counterparts.. An adequacy review is anticipated as part of the current data transfer changes following the birth of Privacy Shield and adequacy review following the death of safe harbor (more details here). Adequacy decisions generally are likely to be the subject of some debate in light of the Schrems decision when the new GDPR regime comes in. Having a regulator around the table who has knowledge of Canada’s data protection laws at a provincial and federal level is likely to help.
Next steps
Denham’s appointment is now subject to approval by a parliamentary committee and then the Queen. If approved she will serve for five years. One thing that remains to be seen is how much power and independence this new Information Commissioner will have. The UK Government recently changed the reporting lines for the Information Commissioner into central Government in a move that some saw as an attempt to exert more control. There are also rumours of another Government department trying to eat into the powers of the ICO and to have more of a role in dealing with security breaches, again a regime which is in a state of flux given the changed security breach requirements of GDPR and the forthcoming cyber security directive. The robustness Denham has shown to the provincial government in British Columbia is likely to be needed in her new role.
The picture of Elizabeth Denham is © Crown copyright and is used by kind permission of DCMS.
For more information contact Jonathan Armstrong at Cordery in London whose focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com
