Privacy Chat with the UK’s Information Commissioner’s Office
Ekaterina Ferguson, MBA, CIPM, ACC
Director of Communications
Two weeks ago, I was lucky enough to attend a “Privacy Chat with the UK’s Information Commissioner’s Office” sponsored by IAPP SF Knowledge Net Chapter. It was such a pleasure to meet Elizabeth Denham, UK, Information Commissioner (ICO) and Simon McDougall, UK, Executive Director, Technology Policy and Innovation (ICO). Below is my quick summary of what was discussed.
Simon McDougall opened the discussion by noting that the ICO’s main purpose in traveling to the Bay Area is to understand how technology is affecting the lives of people around the world, and to find the best channels and ways to maintain close ties with privacy professionals. ICO’s representatives said that they need to make significant changes in the way they do things. Privacy regulators often feel appalled at what is going on, which is not productive.
ICO is passionate about technology and innovation. If they cannot stay ahead of the curve with regard to technological innovation, they acknowledge that they should at least know what is happening and engage with it. The office wants to stay updated on how data and the private sector use consumer information, and to influence things at the right stage.
ICO 2020 Privacy Issues:
Privacy and Kids
ICO is working hard on what it means to design privacy services for kids. It is worth noting that children are a priority for privacy regulators in the UK. ICO has published the important Age Appropriate Design Code, which is a part of a government push in order to create ‘world-leading’ standards for kids when they are online.
Keep in mind that ICO is aware of the fact that UK lawmakers have grown very concerned regarding the ‘datafication’ of kids when they go online. These children may be too young to consent legally to tracking or profiling under the current European data protection law.
The ICO’s code comprises 15 standards of what the organization calls “age-appropriate design.” According to ICO, it reflects a “risk-based approach,” such as stipulating that the setting must be ‘high privacy’ by default. Moreover, no one can share the kid’s data unless there is a valid reason to do so.
Anyone who designs or develops online services will need to consider whether the Code applies, including services such as apps, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites that offer goods or services over the internet. If your service is likely to be used by anyone under the age of 18, the Code will apply.
The Code will be laid in front of Parliament this Spring, and if approved, organisations will have 12 months to update their practices before the Code comes into full effect. The ICO expects this to be by autumn 2021.
Tech and Law Enforcement
Another priority for the ICO is the introduction of new technologies in law enforcement. They have issued their initial GDPR opinion on the use of facial recognition technology by police departments. Elizabeth Denham wrote in a blog post that ICO’s “opinion makes clear that there are well-defined data protection rules which police forces need to follow before and during deployment of LFR… The opinion recognises the high statutory threshold that must be met to justify the use of LFR.” ICO intends to provide more detailed guidance on what is required for police and other law enforcement agencies in the near future.
Adtech and Real Time Bidding
In broad terms, adtech means the different advertising technologies, which analyze and process personal data to serve online advertising to individuals. “Real-time bidding (RTB) is a means by which advertising inventory is bought and sold on a per-impressions basis, via programmatic instantaneous auction, similar to financial markets. With real-time bidding, advertising buyers bid on an impression and, if the bid is won, the buyer's ad is instantly displayed on the publisher's site.” (Wikipedia)
RTB is a big regulatory priority mentioned in the Commissioner’s Technology Strategy for 2018-2021. ICO is considering the business model of real-time bidding in the country and trying to figure out the responsibilities of the advertisers. One of the ICO’s main concerns is the lack of clarity regarding consent and an appropriate lawful basis for processing of personal data. Other issues concern special categories of data, transparency, and multiple parties receiving information about a user when actually only one will ‘win’ the bid. The ICO is giving the industry a few months to work on the above issues and will take formal ICO regulatory action in some instances.
Balancing Privacy and Technology
ICO tries to protect people’s privacy while, at the same time, fostering technological innovation. The Office supports and facilitates innovation in technology as well as exciting new uses of data while ensuring that an individual’s privacy and legal rights are safe. They have always said that privacy and innovation are not mutually exclusive and there does not need to be an either-or choice between the two. They are trying to come up with a set of principles that all the regulators, such as those in the transportation or healthcare sector, can use in the UK to regulate innovation.
Privacy Sandbox
ICO has more privacy help and resources on a per capita basis than any other privacy office. They are also striving to grow, and they just doubled their staff to meet the challenges of a changing privacy landscape and to stay ahead of the curve.
ICO is the first privacy institution to kick off "Privacy Sandbox", a new service that supports organizations developing innovative products and services using personal data with a clear public benefit. Currently, the Privacy Sandbox has about 100 people operating the phones, giving advice and providing guidance to small businesses and individuals. They are leveraging professionals with AI expertise and are using forensic investigators and economists, drawing on a variety of skills to keep up with innovation and changes in technology.
One of the advantages that the UK has with GDPR is that they already had a stringent law in place. For the UK, GDPR was not a "huge deal". It became a powerful tool to fine organizations. GDPR made data protection a dinnertime conversation, which was a bit surprising. This is contrary to what Americans believe and this is opposite to CCPA.
The Bottom Line
Data privacy and data security are a valuable and tricky goal to attain for many companies. Yet, at the same time, we have to make sure that our policies and procedures do not stop the technologies and innovations that can improve our lives in the long run. The challenge for us is designing an adaptive policy environment that can address both exploitation and deception while giving ample space for innovation and competitors to flourish. It is worth mentioning that common law is one feasible and attractive remedy. And that is not all; governments also need to play important roles in educating both firms and consumers on the best practices.
At the end of the day, privacy and innovation do not have to be at odds. Both are important to a future that offers protection and growth for consumers and companies.