Elizabeth Denham, UK Information Commissioner and outgoing Chair of the Global Privacy Assembly, delivered the following speech at the 43rd Global Privacy Assembly conference, hosted digitally by INAI, Mexico.
I’m here to discuss convergence and international standards. I want to talk about three foundations for convergence that already exist. And then I want to talk about three ways we can build on those foundations in the future.
First, let’s briefly discuss why convergence has a role to play.
Our digital world is international. Data flows around the world in a heartbeat. I open up my phone, check an app, and in a moment my data travels around the globe. Services like geolocation and cloud computing all rely on international data flows.
But the checks and balances on this data are domestic.
That brings problems.
It can mean that when a multinational company doesn’t follow the rules, or when there is an international data breach, the ability for regulators to work together across jurisdictions can be limited, as we try to match up our differing legal systems and approaches.
It can mean that businesses have to follow several sets of rules to reach a single customer base, spread across jurisdictions. Or that people are unsure what their protections are, or where to turn for help.
And it can mean a system for international data flows based on assessments of how other nations’ laws measure up to our own, no matter how many flaws we may be willing to acknowledge in our own systems.
The result is an international problem that could be costing economies around the world billions of dollars.
Convergence – through common standards and better architecture between our laws, could reduce those problems. But how do we achieve that? That is what I want to discuss today.
Before I begin discussing the foundations for convergence that already exist, and how we can build on them, allow me a brief tangent.
We were, of course, originally scheduled to be discussing this topic in person, in Mexico City. I’ve been fortunate enough to attend a number of GPA and ICDPPC conferences, and been lucky enough to see some incredible parts of the world as a consequence – including Mexico back in 2011. And much as I love London, it isn’t the same as enjoying Mexican hospitality.
So while we can’t travel to Mexico, I’ve tried to bring a little of Mexico to us today. I’ve themed my speech today around some of the incredible historic sights the country has to offer. I hope one day I can again experience these sites in person.
Building on the foundations of convergence
Let’s begin with my next slide, the Pyramid of the Sun at Teotihuacan. A step pyramid built around 1,800 years ago, it is 75 metres high and more than 200 metres across.
Having climbed to the top myself, I can tell you that’s high.
It was built from two and half million tonnes of stone and earth, with each tier rested securely on the wider tier below.
This is how our moves towards greater international convergence must be constructed, if we are to reach the heights we aspire to. We must build on the carefully constructed work already completed.
The GPA has been central to the work in this area. The Assembly exists to bring together data protection and privacy authorities from around the world, and that international collaboration is the very first foundation of any convergence. What’s more, work by a GPA working group to analyse ten global frameworks from across the world showed strong commonalities. In particular, there were overlaps in the core principles and data subject rights, and also in requirements for independent supervisory bodies.
Those findings should perhaps come as no surprise. The development of data protection legislation in the last decade has seen a model of building ‘best of breed’ laws, with the newest privacy laws, such as those in Brazil and California, standing firmly on the shoulders of other existing laws.
That’s a sensible approach, as common features across laws bring a greater ability to share expertise and even work together on investigations, as well as increasing the potential for free flow of data between countries.
That free flow of data was a central motivation for the recent meeting of G7 data protection and privacy authorities, another part of the pyramid we can build upon. The meeting grew from the ambition of ‘data free flows with trust’, a central part of the 2019 G20 in Japan. We discussed at our G7 meeting how we could better work together on topics like AI, cookies and national security. The focus was on where we could commit to making progress that would have a positive impact for each of us domestically.
It is clear that we have a considerably wide base with which to build further convergence. I’ve not touched on the Council for Europe’s work in this area, for instance. But it is clear too that our work only goes so far. There are no easy answers here – if there were, we would already have taken them.
Respecting cultural differences
I’ll move now to my next historic sight of Mexico, and the UNESCO protected Cozumel reef. The reef is part of the second largest system in the world, which is home to more than a thousand marine species, living side by side.
That respect for one another’s cultures and approaches is another key foundation for convergence.
I think this is an important point. Historically, convergence has too often been seen as a shorthand for ‘why don’t you converge with my approach, or my law’. And that hasn’t worked.
Convergence has to be a meeting in the middle, and I think there’s a much better appreciation of that now. Our countries all have different legal structures, different administrative setups, and different cultures built on different histories.
Convergence must not mean leaving those differences behind. Instead, it needs to be about finding ways to join together these differences, and to weave a meaningful safety net of protections that work globally.
As an aside, that respect for another’s cultures has been one of the real impressive aspects of our conference this week.
For someone who has worked in data protection as long as I have, hearing so many bright minds engaged in discussing privacy is so positive. There has always been expertise in this field, but the diversity of knowledge now is what stands out. We have the brightest minds in academia, business, in law and in the regulatory and policy space all wanting to work on privacy issues. And we have the international diversity too – the Global Privacy Assembly really does bring voices together from all parts of the world. That diversity gives us so much collective wisdom.
Our response to the pandemic
Which brings me on to the third foundation of convergence
This is the Hospital de Jesus Nazareno in Mexico City. It is said to be the oldest hospital on the continent, and to have been built at the behest of controversial Spanish Conquistador Hernán Cortés.
It remains in operation today, and like most hospitals around the world, has spent the past couple of years facing the challenges of the COVID-19 pandemic.
The pandemic has brought a great number of challenges to our community.
But it has shown the value of privacy too, and how we benefit from our shared expertise.
I saw this first hand in the UK. When the UK government wanted to develop a contact tracing app, it considered data protection at an early stage, and it consulted with my office. The government understood that answering the questions we posed on transparency, legality and fairness would help to develop an app trusted by more people.
The advice my office provided government was informed by conversations we had with colleagues across the Global Privacy Assembly network. Regulators across the world were facing similar challenges, and we all benefited from the shared wisdom of the Assembly.
Crucially – and this goes back to my conference opening yesterday – I saw our community asking the right questions. Do we understand how people feel? And how can we make sure our input is providing practical value?
When I look now through the ICO’s opinion on contact tracing apps, and through the GPA’s Compendium of Best Practices, I think the benefits of focussing on those two questions shines through. Privacy remained relevant.
And if you’ll allow me just a moment’s reflection, I believe the success of our community’s response to COVID-19 was built on the modernisation of the GPA.
We are now a year round assembly, able to respond quickly to challenges that arise between conferences, such as the COVID-19.
We are more collaborative than ever, able to share our expertise and to speak with one voice, as we did when we emphasised the importance of continued protections for people’s data rights during the pandemic.
And we are more outward facing than ever before, working with so many of you, including the likes of the OECD, the UN and the WHO, to make sure the advice we offered through the pandemic is rooted in practical benefit.
Our teamwork, across the privacy community, showed that we can work together, no matter our differing laws and cultures.
The pandemic showed how convergence could work.
Building common principles
But it showed too that we still have further to travel, if we are to truly benefit from the potential of convergence.
I will now set out the three areas where our experience shows that more must be done, to build on the foundations of convergence already in place.
The Kukulcán is a step pyramid in the south of Mexico. Across its four sides, the pyramid has a total of 365 steps, one for each day of the Mayan year.
Early separation of the year into formal calendars gave a framework for Mayan society, and was important for trade, agriculture and religion.
As we look to the next stage of international convergence, we need to find our own framework. We need recognisable common principles that can translate across borders.
Aspects like transparency and fairness are not specific to a single law or regulatory approach, and so can act as a bridge to better international collaboration and cooperation.
This is work that is already underway within the GPA. Our Global Frameworks and Standards Working Group has focused this year on key principles that members can agree on, touching on aspects including the independence of data protection authority, international transfer mechanisms and government access to data. The latter has resulted in a resolution we’ll discuss in the closed session later this week.
The Council of Europe’s work around C108 and C108+ has also looked to set common principles. And there is potential too for further exploration of how codes and certifications, including those led by business and trade groups, could assist in this area.
But it is clear that there is room for further progress.
Architecture to join our laws
Let’s move to our next sight.
The Copper Canyon is a network of canyons covering 65,000 square kilometres. The Canyons are linked by the Chihuahua al Pacifico, a railway passing over 37 bridges and through 86 tunnels.
The architecture needed to join the different canyons is a neat analogy for the second area where we need to build on the foundations for convergence.
It is accepted that the flow of data, from individual to organisation, from organisation to organisation, from country to country, is integral to digital innovation.
It is accepted – I hope – that such data flows rely on the public trust earned through sensible data protection regulation.
And yet we continue to consider those protections domestically.
We do have systems to transfer data internationally, of course. CBPRs enable data flows in parts of the world, while elsewhere adequacy agreements have their place.
But it remains the case that we are working with a series of bridges, rather than a single railroad.
What we need is better architecture to join together our world, and to allow different laws to work side by side. We need a railroad through the canyons.
A new approach
Which brings me to our final Mexican historic site. The Temple of San Agustin is a 16th century church. A beautiful white stone building built as a convent, with an eye-catching bell tower and historic murals.
But it is also abandoned. The convent was built near a lake, and flooding in the 17th and 18th century kept washing away the friars’ work. Eventually, they gave up fighting the waters, and moved away.
There is a lesson there for today. We are all proud of our domestic laws, built with good intentions. But if the waters of international digital innovation keep washing away our work, at what point do we need to move to a new approach?
It is my view that there is a real urgency to this work. The pace of acceleration in digital uptake, and the increasing use of data in innovation brings those flood waters ever closer.
We are not making quick enough progress in our response. Talk of convergence has, for too long, stalled around a sense of us needing to pick a favoured legislative approach or scheme, and insist it is extended to all four corners of the world. As our community spends time focusing on faults with one another’s regime, businesses are left with unwieldy processes that increasingly make privacy and data protection feel like too heavy a burden.
To put is simply, we risk all of our good work being washed away.
It is my own view that fresh thinking is needed. What is needed is a Bretton Woods for data, repeating the 1944 conference that brought together 730 delegates from almost 50 countries to consider how the world could rebuild from war. Delegates came from diverse cultures, and brought diverse ideas, but with a united understanding: the old system had failed, and a new one, built on international cooperation, was needed.
A Bretton Woods conference could provide the melting pot of ideas needed to take this forward, something I have spoken about recently at Oxford University.
That could be in the shape of a global data protection accord. An accord that found common ground between nation’s data protection regimes would enable member nations to better work together, and could allow for the transfer of low risk data to countries who were fellow members.
But that’s only one idea – we need more ideas, and more discussion.
I know the data protection community stands ready to be part of the solution. I see that in my work with the GPA. I see the ambition when I talk with my G7 colleagues.
But that challenge must now go further.
The challenge must go to governments and international organisations like OECD, Council of Europe and WTO, bodies with the convening power to make a Bretton Woods conference for data happen.
And then the challenge must go further afield. Data is such a broad, cross societal issue that impacts every facet of our lives. And so the solutions must come from the bright minds across society from think tanks, academia, from civil society, from businesses and from the people whose trust so much relies on.
I want to be clear. My view is that finding a solution here – building on our existing foundations, and finding a way for international convergence – is achievable. We can make this happen.
But we must decide to do this. As a community, regulators, business, civil society, and especially policy makers, must commit to making it happen.
- That will mean compromise.
- It will mean conversation.
- It will mean accepting that there is not a perfect solution.
If we get it right, there is no limit to how high we can build our pyramid.