Facebook political data probe: £2.5m. Powers for the ICO: Priceless
UK watchdog denies project distracted from day-to-day enforcement
The millions spent on investigating the Facebook data harvesting scandal was worth it because it allowed the Information Commissioner's Office to secure greater powers, Elizabeth Denham has said.
Denham, who has been information commissioner since 2016, said that without that case the ICO would not have been granted streamlined warrants or be able to conduct no-notice inspections on organisations.
Speaking at an Institute for Government event, Denham repeatedly sought to emphasise her organisation's central role in internet regulation.
For instance, when asked about increasing interest in imposing wider regulations on tech giants, particularly about hate or harmful online content, Denham said: "You can't take the ICO out of the online harms discussion."
When asked if she saw the ICO as the main online platform regulator, she pointed out that her organisation is able to take action across borders.
"We do have the ability to reach across borders, which no other regulator in the UK has right now," she said. "We have extra-territorial reach to investigate in Silicon Valley and we've had the experience of doing that in Facebook/Cambridge Analytica."
Denham came under fire during that investigation last year, being described as publicity hungry as she made regular appearances on TV and radio, and opted for a series of high-profile international speaking events.
As reported by The Register, as of October 2018 that probe – which is ostensibly about the broader use of data in political campaigning but has the Cambridge Analytica scandal at its heart – had cost the ICO some £2.5m.
However, in response to a question from El Reg, Denham suggested the scale of the probe – which saw the ICO have to deal with 700TB of data – was the only way to secure the greater powers the regulator wanted.
"What we learned from that investigation was hugely valuable, because it was that case that allowed us to go to government and parliament and ask for new powers to be a fit for purpose digital regulator," she said.
"So our ability to freeze data in the cloud, to conduct no-notice inspections, for us to get streamlined warrants – we would not have been given those extra powers except for that extraordinary case, which I think is not going to be that extraordinary in the future."
Denham did say that she wasn't happy with the "long tail of litigation" that would be left in the wake of the work, as Facebook is appealing the £500,000 fine the ICO handed down.
The commish also denied the resources dedicated to the project, both in terms of money and staff – from April 2018, 30 full-time and six part-time staff were involved – had detracted or distracted from its other work.
"To those who say that that case has distracted us from the day-to-day complaints that we get from citizens and consumers – it hasn't," she said.
"Because we actually are dealing with 100 per cent more complaints than we were two years ago. We're crunching through those complaints. Every data protection authority across the EU is seeing a massive increase in digital complaints."
Denham also hinted about upcoming enforcement actions, saying there were "three or four pretty big cases in the pipeline". The French data protection authority already won headlines for the first multimillion GDPR penalty, a €50m fine for Google, but Denham has often said that handing out an order to stop data processing would have a greater impact on a firm than a cash payout.
But beyond this, Denham also made it clear she wants to change the ICO's approach to enforcement with more large-scale, in-depth and proactive work.
"You will see the ICO take a different approach to its regulatory remit, because waiting for individual complaints to come in through the door is not going to allow us to get ahead of those very large, system-wide issues like ad tech," she said.
In addition to ad tech, the ICO has also launched broader probes into facial recognition, the way the police deal with data collected from rape victims' phones and is midway through work into the Metropolitan Police's Gangs Matrix.
However, critics who think the regulator is trying to get its finger into too many pies are unlikely to welcome the move, especially those who think it has lost sight of the non-data protection strand of its work – enforcing Freedom of Information rules.
There has, though, been a recent flurry of activity from the ICO on information rights this year, as the ICO laid a report (PDF) before parliament that called for FoI rules to extend to public sector contractors.
At the event, Denham said that a third of public service data isn't available because it is held by organisations that aren't covered by the rules – meaning the law no longer achieves what it was designed to.
But the push to expand the remit of the law comes as government departments are increasingly likely to shirk their duties. According to IfG analyses, record numbers of FoI requests are being refused and many take their sweet time to reply.
In the first three months of 2018, 45 per cent were refused in full – this was also the 11th consecutive quarter where less than half were granted in full – while the Home Office has taken more than two years to deal with some requests.
Many would no doubt prefer the ICO holds the public bodies' feet to the fire for such behaviour, using the powers it already has to enforce FoI – rather than seeking to extend the rules. ®
Sponsored: Becoming a Pragmatic Security Leader