By Andrew Cohen
Amid the world’s vanishing privacy—and growing anxiety about it—Elizabeth Denham is a welcome presence.
While the United Kingdom’s Information Commissioner stressed the seriousness of data protection challenges in her recent talk to a packed lecture hall of Berkeley Law students, she also shared meaningful triumphs and promising projects. A towering figure in privacy policy, Denham oversees data protection compliance and the promotion of sound practices across the U.K. and chairs the Global Privacy Assembly.
Her talk, part of the Law & Tech Speaker Series sponsored by the Berkeley Center for Law & Technology and Berkeley Technology Law Journal, probed how to balance the importance of developing global norms with honoring countries’ cultural integrity.
“The complexity of privacy today links to vital matters like international trade, kids’ well-being online, and the fairness of our democratic institutions and elections,” she said. “If we come to the wrong finding in how we address privacy, it can really upset the balance in the justice system. It’s as important as that.”
The night before, Denham addressed the Commonwealth Club of San Francisco in a talk moderated by Berkeley Law faculty member and privacy expert Chris Hoofnagle. The audio is available here.
A leading voice
Denham’s many awards include the Queen Elizabeth II Diamond Jubilee Medal for her work in British Columbia, where she spent six years as the province’s information and privacy commissioner. In 2018, she topped DataIQ 100’s list of most influential data and analytics practitioners in U.K. organizations.
Her office recently issued intentions to issue significant fines to Marriott and British Airways for violations under Europe’s General Data Protection Regulation (GDPR). Denham sees “more convergence rather than divergence” on privacy matters, and views the GDPR as a “greatest hits” compilation of data protections from around the world.
“It really takes people who care,” she said of regulatory success. “Politicians have to care, regulators need the resources and courage to take on this work, but it won’t go well if the next generation has a giant shrug toward data privacy.”
A strong advocate for regulating facial recognition technology, algorithms that allocate healthcare, and online targeted ads, Denham has also levied massive fines for electoral interference.
Last year, one news headline asked: “Is Elizabeth Denham the Only Person Powerful Enough to Take on Facebook?” The article discussed “how a privacy regulator from British Columbia forced Silicon Valley to change the way it uses your personal data,” and her UK office’s “sweeping prosecutorial powers.”
Facebook was fined 500,000 pounds, the maximum allowed at the time, for its role in the Cambridge Analytica scandal of 2018. Denham’s office found that Facebook did not protect its users’ information, enabling the consulting firm Cambridge Analytica—now out of business—to glean personal data from millions of Facebook profiles and use it for targeted political advertising.
“That was a watershed moment, when it became public and we saw how many voters and potential voters have no knowledge about how their data is being used to micro-target them,” she said. “I think it’s the first time people took notice and said there’s real harm being done here to democracy.”
Protecting children online
Denham’s office just published a code of standards, after extensive consultation with parents and children, on how to bake privacy into the initial design of services accessed by children—requiring companies to innovate around privacy rather than solely data collection.
“The Internet was not designed for children, but they live online,” she said. “In the offline world, we don’t think twice about having film ratings, car seats, and many other safety measures. Why don’t we have some of those same rules online?”
Another report in the works highlights the data protection concerns of U.K. police increasingly seizing the mobile phones of suspects—and victims—and downloading all their information.
“Right now, that’s our whole lives,” Denham said. “Our social life, our professional life … we walk around with data that could be incriminating to us. I understand from a police and prosecutor viewpoint that we need to have all data that could be relevant, but this practice could be a chill for victims coming forward to report sexual assault.”
Urging the students in attendance to appreciate their power, Denham noted that in 2008 a group of law students brought a 70-page complaint to the federal privacy commissioner in Ottawa about Facebook’s application model. Though prevailing Canadaian law had no enforcement powers, it led to a regulator issuing the first finding about Facebook’s platform and data collection practices that Denham saw as “a big reveal that led to other investigations.”
“We won’t get away from domestic laws that reflect the culture of the given country, but I think we can get to a baseline of standards worldwide,” she said. “I’d like to see that in my lifetime.”