'We need urgency or the EU will make a fool of itself': ICO chief Christopher Graham discusses data protection regulation
Information Commissioner Christopher Graham tells Computing how the upcoming regulation will affect businesses and his own organisation
The EU expects to release its new General Data Protection Regulation later this year – or possibly early in 2016. As a regulation, it will take effect in all 28 EU member states after a two-year transition period, without needing any enabling legislation from state governments.
It is designed to harmonise data protection legislation across Europe, which should make it simpler for companies within and outside the region to comply. However, it will also increase the penalties for breaching data protection law, with up to five per cent of global turnover being posited as the maximum fine (though this figure, and other issues, are still being debated).
The organisation responsible for enforcing the UK's data protection legislation is the Information Commissioner's Office (ICO).
Computing caught up with the man in charge, Information Commissioner Christopher Graham, to see what he thinks of the incoming regulation, and how it will affect the role of his organisation and the wider industry.
[Computing] How do you feel about the state of privacy legislation in the UK right now?
[CG] The basic data protection framework is fine; we don't have problems with the general data protection principles, it's all in the implementation. We have to try to make things work in the face of global companies and technologies delivering global services. I'm hot on finding points of contact and leverage between the UK and US systems to make things work for both citizens and consumers.
For example, we work with the FTC [US privacy regulator the Federal Trade Commission], so that although the law is different [we can still work together]. Even as we stand now, with the EU law in one corner and US in another, we can find points of leverage between systems.
I remember hearing Peter Fleischer from Google a couple of years ago saying what keeps him awake at night is EU regulations and US enforcement. We shamelessly bring in the FTC which can impose eye-watering fines, which has a major effect in protecting privacy – boy, do they make you pay!
We saw a settlement with Snapchat recently, and it will be audited for 20 years on pain of massive fines. The most I can fine anyone currently for the most serious breach is half a million pounds. That may seem quite a lot, but if you're dealing with Google, Facebook or Apple, they don't take too much notice of that, it's neither here nor there. The FTC wouldn't cross the road for half a million pounds or dollars. So there is a lot we can do working together [with the FTC]. We've been involved in an international enforcement co-ordination effort to ensure that a framework is in place to act effectively when issues come to our attention.
For instance, a few months ago there was a Russian website live-streaming from unprotected webcams. It was registered in Australia, the domain name was bought in the US, and it was streaming the very private business of some consumers. The ICO worked together effectively with our counterparts in Canada, the US, Australia, Hong Kong and Macau to get the whole thing stopped.
[Computing] How will the new EU regulation change the situation?
[CG] It hasn't happened quickly enough. We've been up a blind alley for much of the past three or four years with very theoretical debates about rather obtuse fundamental rights, but it's getting more of a move on now. If the regulation is completed by the end of the year, it still won't be implemented until 2017, so it's not exactly quick. We need a sense of urgency or the EU will make a fool of itself.
I also don't like the prescriptive nature of the legislation in terms of process for data protection authorities such as mine. It's not helpful to dictate that I must fine for every breach; I need discretion to take risk and proportionality into account if I'm obliged to fine.
I've been told by the European Commission officially that I only need to fine one euro, but that's ridiculous! We'll be tied up in knots, and organisations will challenge us legally. It's a misapplication of our resources. There ought to be a risk-based approach – we need to put effort into making sure that everyone understands the rules, then jump on those breaches causing the most damage where people are behaving badly.
[Computing] Firms with a vested interest in weak data protection legislation, such as data broker Acxiom, have been very close to legislators throughout the process. Is that appropriate?
[CG] In any Parliament you get a lot of public affairs activity, and it's exactly the same at Westminster. I think it's a bit naïve of the European Parliament to whine, saying "it's not fair". The industry side would say the privacy activists are all over the debate.
We elect MEPs to choose between various courses of action put forward, and I think it's a sign of an immature parliament that they can't cope with being lobbied. That's what democracy is; everyone involved wants to put their case forward. I don't see any evidence of one side having more influence than another. You might say that the draft regulation from Parliament was very much influenced by civil liberties campaigners. So unless there's a corrupt deal going on, I expect MEPs to be grown up and to withstand blandishments.
[Computing] Do we have adequate enforcement methods for our data protection legislation in the UK? In the US, individuals can sue firms that don't do what they said they would do with personal data. In the UK that's harder. Should we learn from the US system?
[CG] EU enforcement may do Google's head in, but a zillion-dollar fine from the FTC worries it far more. We need to tie these things together so we're less casual about using other people's information. So to get a proper sense of what's reasonable from the point of view of the EU citizen, we need to get some teeth into data protection enforcement.
Even if I have power under the new regulations to impose eye-watering fines, the rest of the regulation is so much about obligations on data protection authorities to check whether data controllers have done this or done that, that we'll be less fleet of foot than we are now. My staff will be devoted to endlessly checking data controllers.
The ICO said this was overdoing it some years ago in our evidence to the Justice Committee. We said it's a system that cannot work and which no one will pay for. It's not clear whether any of the EU governments have an appetite to fund data protection authorities to the level necessary to carry out all these new obligations. I'm inclined to say show me the money. If you want to create a massive data protection authority then I might believe it. But I fear they'll pass the legislation and everyone will feel good, but then enforcement will be patchy because the data protection authorities won't be able to see the wood for the trees.
But now we're into the trialogue between the European Parliament, the European Council and the European Commission and lots of these problems can be ironed out. I think the regulation is a bit of a shopping list at the moment, containing every best practice idea that anyone ever had, and that's not quite how you do best practice. I'm sure it will be fine in the end.
[Computing] Privacy International surveyed its members and found the overwhelming majority hadn't heard of the ICO. How can you help consumers protect their rights if they don't know you exist?
[CG] Things are better than they were. The ICO's profile is higher because technology issues are very mainstream now. Our media activity in the past five or so years is infinitely busier in terms of talking to the press than when we started. Day after day and week after week there are important stories about data protection and privacy and technology.
It's our job to work hard on the education side. We are doing big projects in schools with material compliant with the national curriculum teaching young people about rights and obligations and getting them to think so they don't do things online they'll live to regret. And we're encouraging consumers and citizens to protect themselves. Like the webcam issue I mentioned, people were connecting webcams to watch their sleeping baby without setting a password, then being surprised when other people hacked in and watched them. We need to use our enforcement powers to go after the people breaking the rules. And we've ramped up our enforcement department – having been given the power to impose penalties, we're using them to good effect.
We've been going through a change programme to make sure we are as effective as we can be. We've reorganised the way we handle complaints to make sure we can draw the big picture from the pattern of complaints coming in, rather than work away only at individual cases that we can't do much about at present. We can't order compensation for people, we can only give a view on whether compliance is likely or unlikely under the Data Protection Act. But the broader picture is that we can identify when data controllers are doing things wrong, so we can visit and help, or give them a kick up the backside from our enforcement people.
We're also readying the ICO to deal with substantial change when the regulation is finally sorted. Since we don't know quite what it will say, it's a question of getting everyone to accept that we will march in a slightly different direction once it has been agreed.
[Computing] What do you think about the government's repeated attempts to legitimise mass surveillance via new legislation such as the Investigatory Powers Bill?
[CG] We were very concerned when the Snowden revelations indicated that the NSA [US spy organisation the National Security Agency] had been colluding with big tech firms and leaving a backdoor open in various security and encryption products. At the same time, governments are worried about extremism and terrorism, not to mention cyber warfare and industrial espionage, so as fast as I say "adopt strong passwords and use encryption", government agencies are saying "you're making it too hard, we can't see anything".
It would clearly be wrong to rush to make changes to policy on the strength of one or two ghastly terrorist incidents, so we need to think it out calmly. I wrote to the Intelligence and Security Committee [ISC] saying this is my worry, what do we do about having more effective oversight, what's the answer to the encryption question? The committee has still not reported on the important issue of encryption. There needs to be a rational debate about what we do. The solution to the challenge of finding a needle in a haystack cannot be to build a bigger haystack.
When the ISC reported on the Lee Rigby case, it indicated that the authorities had been aware of [the perpetrators], but somehow they'd been stood down. And it was the same in France apparently [with the perpetrators of the Charlie Hebdo killings also having been known to the authorities], so it's a very big price to pay to say none of us have privacy anymore in order to deal with the terrorist threat, when the security authorities don't have the resources to comb through every email there ever was. That's incredible, and it needs sensible debate.
[Computing] Do you feel firms such as Google are sufficiently honest about what they do with personal data? Are consumers sufficiently aware of what they're getting themselves into when they click through gargantuan terms of service agreements in things such as iTunes and mobile apps?
[CG] We're working on this now as the Google privacy policy of a couple of years ago was a game-changer. We're working closely with Google to get it to develop ways of explaining what it does more clearly rather than expecting everyone to read a privacy policy that's longer than Shakespeare's lengthiest work. The company is quite co-operative in terms of coming up with clever ideas to put people in the picture. Consumers are beginning to wake up to this stuff. They don't think well of suppliers who don't treat them as grown-ups.
Telefonica did some research in this area and worked out that customers will not only stay with you, but will engage with you and share more if they're clear what the deal is. In return for this level of information, you get that service. In the early years we weren't asking questions [about free services such as Google Search]. We were like kids in a sweet shop. Now we've learned the hard way.