A friend drew my attention to a recent interview given by the Information Commissioner to the Vancouver Courier. I’m not here to disparage “Canada’s #1 Community Newspaper Site”, but I can’t help thinking that a local paper is a bit of a comedown after the glory days of Ms Denham announcing surprise raids live on Channel 4 News (and then not getting around to doing them for the best part of a week).
The interview itself is classic Denham, with bold claims that “privacy and data protection is now at the intersection of democracy, trade and media freedoms” and crediting herself with acquiring new powers for the ICO, including “the ability to do data inspections and the ability to seize data held in the cloud”. She also claims to have encountered “the most wicked problems I have ever imagined” during her time as Commissioner.
The ICO has been able to apply for warrants and demands for access since the arrival of the 1998 Data Protection Act, and despite her public announcement of the SCL warrant, she had the power to apply for it in secret, and weirdly just decided not to use it. Admittedly, audits weren’t a part of the old DPA, but limited audit powers for government were granted in Chris Graham’s day, and the GDPR required them to be available for all. Denham’s claim about achieving new powers is false.
On the other hand, the “wicked problems” remark is a mystery – Denham’s flagship investigation into Facebook and Cambridge Analytica revealed no more than that Facebook is a data gathering operation with poor transparency, something which everyone knows. It’s not good, but wicked is a stunning overstatement. Importantly, ‘Operation Cederberg’ did not unearth evidence of the brainwashing and manipulation alleged by ‘whistleblowers’ and journalists alike – despite having a massive incentive to demonstrate the role of evil analytics in the Brexit vote, the Commissioner found no evidence that this ever happened. You can read the ICO’s report if you don’t believe me. The subsequent Facebook fine, which collapsed into a no-liability settlement after credible allegations that Denham was guilty of bias and pre-determination, was based on the premise that Facebook deserved punishment for what could have happened, not what did.
Meanwhile, under Denham’s watch, genuinely wicked data breaches like the Home Office’s persecution of vulnerable and often elderly people of the Windrush Generation (based on inaccurate and incomplete data) went unpunished. Denham is still dining out on war stories about Cambridge Analytica, but if she has ever spoken about Windrush, I missed it. This is a scandal, and it’s just one example of serious data protection issues in the UK that Denham has neglected.
In the end, the interview demonstrates a problem that the next Commissioner will have to resolve. The ICO under Liz Denham has been obsessed with issues outside core DP matters. Online harms, politics, data ethics, AI – anything to avoid the nuts and bolts regulation that the UK actually needs. Subject access, data brokers, widespread inaccuracy – all things that Denham’s office doesn’t tackle because they’re not Denham’s pet projects.
Despite earlier denials, the ICO had to admit to the Tribunal in the Boost Tribunal case that resources were shifted away from normal work in order to feed Cederberg. This makes sense given Denham’s public boasts about how big the investigation was. The fact that such an expensive and fruitless probe was undertaken at precisely the time that ICO should have been concentrating on implementing the GDPR probably explains the dearth of meaningful action on the new legislation. Admittedly, ICO threw out some red meat with the proposed BA and Marriott fines, but those have disappeared into a black hole. The ICO delayed completion of them long before Covid-19 made them an absurd idea, and they appear to be locked in a holding pattern, never making it to a landing.
The Commissioner’s lack of interest in the UK is obvious – the first admission that the BA / Marriott fines would be reduced came in a speech Denham gave to a US conference, and there’s still no formal confirmation of this on the ICO’s own website. Denham’s appetite for globetrotting is legendary, whether it’s as chair of the Global Privacy Alliance or in her day job.
In February 2020, Denham and assorted handmaidens like Simon McDougall and Ali Shah enjoyed a jaunt across North America, costing at least £40,000. I’m sure that the ICO would claim that meetings with Google and Twitter are vital to the regulation of data protection in the UK, but this is hot air. The UK has left the EU, and so we have no influence on the main potential avenue for action in Europe. The idea that Silicon Valley is going to change its ways because of an incompetent regulator in a small North Atlantic island group is laughable. That £40,000 could have funded a case officer for a whole year, dealing with complaints made by people in the UK about real DP issues, but instead the ICO burnt it on a trip filled with ego-boosting frippery like IAPP conference appearances and meetings with the NYC Mayor’s office about AI.
I found out about the USA trip via an FOI on What Do They Know. Another more recent WDTK FOI reveals that Denham first gave up on the ICO’s main office, and then on the UK itself. The request is about where Denham is based, and despite the fact that the overwhelming majority of ICO staff are based in Wilmslow, the response reveals that the Commissioner is based in London. Obviously, it’s possible to run an organisation in a different place from the bulk of your staff, but it suggests that conferences in the capital are more important to Denham than the day-to-day running of her office, and a direct connection to most of her staff.
However, Denham isn’t in London now. The applicant asked whether Denham is in fact now in Canada, and if so, which time-zone she’s in. Needless to say, the UK’s data protection regulator is now in the Canadian Pacific Time zone, a full working day behind the UK. The response does insist that “As an official appointed by the Crown, the Information Commissioner works the hours required to perform the functions of her role and attends all necessary meetings and engagements, irrespective of any time difference” and “The Commissioner is not on a leave of absence and is fulfilling all aspects of her role”. But given that she didn’t fulfil all aspects of her role when in the UK, I find it hard to believe that it’s possible to run an entirely UK-based organisation from the arse-end of another continent.
Of course, we’re in difficult times, and presumably Denham’s family are all in Canada, but this is a sacrifice she was supposed to have been ready to make when she took the job. The final question in the request asks when she will come back, and the answer is “We do not hold recorded information in scope of this element of your request”. This means there have been no written discussions about her return – nothing agreed internally, nothing communicated to the Department for Culture, Media and Sport.
Thousands of A-Level students face uncertainty after an algorithm has changed their future. A new test and trace app is being trialled. The government is launching scheme after scheme based on personal data without conducting Data Protection Impact Assessments. This is the time for leadership. This is a time for the Commissioner to be completely on top of DP regulation in the UK. Instead, at a time of crisis and uncertainty unlike anything in our lifetimes, Elizabeth Denham has abandoned her staff and the country she was supposed to be serving, preferring to hide on the other side of the world with no formal plans to return.