Science & Technology Committee: The Big Data Dilemma: Information Commissioner

<p/>My questions to the Information Commissioner are set out below:

<p/>Valerie Vaz: You and some of my colleagues have touched on the regulations that are being looked at. For the record, where are we with the regulations? Presumably, you have been involved in them and in a number of issues coming up. I mentioned some of them earlier: the right to be forgotten and the reference to 5% of turnover, which I think would be helpful to you in the case of some of the bigger companies. Where are you on some of the main enactments that they are looking at?


<p/>Christopher Graham: Our position is that it is a bit of a curate’s egg—good in parts. The bits we like are where there are enhanced and relevant powers and rights for data subjects and data portability—very often access to data in digital form. We heard about the midata project. That is being legislated for. Data portability is really more relevant than the right to be forgotten. It is not really a right to be forgotten; it is a right to be de-listed, if you like, or a right to be a little more anonymous so that in certain circumstances you cannot have searches on your name that produce all sorts of outdated and irrelevant information, or spent convictions which may be outdated and irrelevant. We like the stronger fining powers for data protection authorities. As to whether it is up to 5% of global turnover, we will see. What I do not like is the lack of discretion I would have as a data protection authority. It is no good the text saying that, in the event of this, this and this happening, the data protection authority shall impose a fine of up to such and such. Better regulation is about having discretion and deciding which tools to employ. I am told that what it actually means is that you would only have to fine €1. Well, excuse me. It is not worth going through all the legal rumpty-too to fine €1. Credit us with a bit of common sense and leave it to data protection authorities to decide on the best tools to use in order to secure compliance. That is an example of the way in which the regulation in its various forms is rather over-specced. It is as if every good practice example has been thrown into the pot and then legislated for. We won’t be able to move for all these very specific obligations that are a bit box-ticking. I am hoping that over the next few months it will lighten up a bit.


<p/>We know that the ICO will have to change. I do not want it to have to change to be just a circumlocution office, if you like, for the new regulation. We also remain to be convinced that the detail of the one-stop shop has been thought through. A one-stop shop is a great idea if you have cases being pursued across all the member states in different ways. That is a waste of everybody’s time and it is an annoyance for the big players. If you are to have a one-stop shop, have it, but a one-stop-shop that then has to involve all the data protection authorities with rights to appeal in all the national courts is what I have described as a one-stop shop with a branch in every town. It is really not worth having.


<p/>We recognise that it is a game changer and will be a huge task for the ICO. We have a major task to inform industry and public authorities how they will have to change to comply. That will fall to my successor, not me. It is very important that Whitehall gets on with the business of pressing the starting button on the recruitment of my successor, because I run out of road at midnight on 28 June next year. We need the next Information Commissioner to be identified as soon as possible. There is a task for somebody over Christmas.




Valerie Vaz: That is very sad to hear, because you have been an exemplary information commissioner. I know your term was extended. Do you think the role will change once the new regulations come in? You touched on updating the DPA 1998. Presumably, new legislation will have to be made to incorporate where we are on the technology.


Christopher Graham: Yes. We are readying the ICO for having to move in a different way, but a different way to deliver the same result, which is upholding information rights on behalf of citizens and consumers, making sure that public authorities can do things sufficiently and that industry can thrive, but all sticking to the rules so that the wonderful potential of the digital economy works for all parties and delivers results, and is not based on trickery and the clever guys doing down the ignorant and the big guy doing down the little guy. The Information Commissioner is there to hold the ring. We will do it in a different way and with increased powers. I hope we will do it with increased resources. By abolishing the obligation to notify under the Data Protection Act, the new regulation poses a little problem for me, because that is £18 million of income down the tubes. We have to think of a different way of funding the regulator in fairly short order, which is another thing to think about over Christmas. There is lots to be done, but we are not daunted. We are raring to go at the ICO; we just want the starting gun to be fired on all this new stuff.




Valerie Vaz: Do you see a new DPA?


Christopher Graham: There will have to be. The Data Protection Act will have to be amended to take on board the requirements of the regulation, because the regulation will apply. It does not have to be transposed in the same way, but our law will have to flex to accommodate the fact that there is a regulation that applies in all member states. Increasingly, we are dealing with cross-border phenomena. We have to make things work within the European Union and we have to make things work with colleagues right across the globe. There is no point my raging in the UK against some American outfit unless we have good relations with the Federal Trade Commission and other partners. It will be a different job, but a different job delivering the same increasingly important objective of making sure that there is a level playing field and that the fundamental right to data protection and privacy is secured.