With the backdrop of an apricot-coral sunset from high above San Francisco Bay, Greenberg Traurig was pleased to welcome leaders from the United Kingdom’s Information Commissioner’s Office (ICO), as part of an IAPP S.F. Bay Area Knowledgenet held at the law firm on February 11.
The U.K.’s Information Commissioner, Elizabeth Denham, and ICO Executive Director, Simon McDougall, along with a coterie of their data protection authority senior colleagues, were visiting as part of a fact-finding and information exchange tour.
As Mr. McDougall described it in opening remarks, the ICO came to San Francisco because it is where so much tech power resides. Applications, technology, and concepts affecting the lives of people in the U.K. and elsewhere in many cases originate in the S.F. Bay Area, he noted, and so ICO leaders were taking part in visits with innovative students, consumers, industry officials, trade groups and law firms to be as current as a regulator can be in understanding what is around the corner. He further noted the ICO’s goal of wanting to truly engage with people outside of a bubble, so as to most effectively impact business models and win hearts and minds regarding data protection and governance practices.
Gretchen Ramos, co-chair of Greenberg Traurig’s Data, Privacy & Cybersecurity Group, had the privilege of leading a fireside chat with Commissioner Denham and Mr. McDougall, following the director’s opening remarks focused on advertising technology, real-time bidding (RTB), and related initiatives at the ICO.
What follows are some of the key insights and takeaways from the public discussions throughout the evening, which also featured networking, remarks from the IAPP Knowledgenet chairs, and in-depth privacy discussions.
- Priorities. In terms of priorities for 2020, Commissioner Denham shared her good-humo(u)red view that the GDPR is still a “toddler law,” and so is continuing to develop in key areas such as Data Protection by Design and by Default – including for children, as evidenced in the ICO’s Age-Appropriate Design Code of Practice. Other areas of focus include the intersection of new technology and law enforcement, including facial recognition; opaqueness in ad tech/RTB, including with respect to sharing special categories of personal data; and staffing up to account for new trade relationships in which data is a key component.
- Brexit and the “Two-Stop Shop.” Acknowledging that no longer having a formal voice on the European Data Protection Board (EDPB) as a result of “uncoupling” from the EU is a loss, Commissioner Denham nonetheless emphasized the U.K.’s continued active involvement within Convention 108, the Council of Europe, the OECD, and other regulatory associations. She shared, too, that organizations must be prepared now for a “Two-Stop Shop.” This means that instead of an organization established in multiple EU jurisdictions working primarily with a single supervisory authority as the GDPR envisions (i.e., rather than working with potentially all 28 EU Member States’ regulators for a given matter), in actions that also affect U.K. residents an organization must work with both a lead EU supervisory authority and the U.K. ICO.
- Ad Tech Enforcement. Echoing his January 17, 2020, blog post, “Adtech – the reform of real time bidding has started and will continue,” Mr. McDougall observed that some progress has been made within the advertising technology ecosystem, which the ICO continues to monitor following its June 2019 report. Still, he noted that there are pockets within the industry that have expressed that they do not wish to update their practices in alignment with GDPR principles until after the industry is pushed, which he said could lead to the ICO preparing for thoughtful regulatory action. He added that the ICO remains to be convinced of arguments in favor of using legitimate interests as a lawful basis for processing in RTB.
- California AG & CCPA. Commissioner Denham shared that she would be visiting with the California Attorney General’s Office as part of the ICO’s fact-finding, including in relation to discussions about enforcement of the California Consumer Privacy Act (CCPA).
- Standard Contractual Clauses. In response to a question posed by Ms. Ramos as to whether the ICO planned to issue its own standard contractual clauses, as its supervisory authority counterpart in Denmark has done, the regulators indicated that they currently have no plans to do so. Likewise, they had no news regarding any progress around processor-to-processor SCCs in the EC.
- BCRs and Joint Undertakings. When asked whether the ICO was aware of any “group of undertakings, or group of enterprises engaged in a joint economic activity” participating in talks to seek binding corporate rules (BCRs) under the GDPR, the regulators indicated that if any early conversations have been had on this topic, no formal progress has been made yet to their knowledge.
- Other Topics. Other wide-ranging topics included data protection and nonprofit organizations; ICO efforts around artificial intelligence and machine learning; GDPR certification; accountability frameworks; and the U.K.’s seeking an adequacy determination from the European Commission, which Commissioner Denham said she feels the U.K. has a strong case in favor of, in light of the U.K.’s already robust data protection law in effect.
Stay current on further developments on the Data Privacy Dish blog, or contact the Greenberg Traurig Data, Privacy & Cybersecurity team today to discuss your organization’s privacy program, data governance, and information security-related needs.