I was recently given the opportunity to meet with the former Information Commissioner Richard Thomas, now a strategy advisor to the Centre for Information Policy Leadership (CIPL) at law firm Hunton & Williams.
After his time at the Information Commissioner's Office (ICO) came to an end earlier this year and he was replaced by Christopher Graham, Thomas reappeared at the privacy think tank in October.
When I met him at the company offices in the city, Thomas told me the centre had been in operation for around nine years, that he had been aware of it during his time as commissioner, and that he had collaborated this year on a code of practice on privacy notices, on how best to communicate with the public.
Bridget Treacy, who leads the privacy and global sourcing practice for Hunton & Williams and is an executive member of the CIPL, explained that the centre was born in the US and operates as a policy group and think tank 'that focuses on policy issues'.
Treacy said: “The objective is to try and anticipate issues and to look about five years out and to try and influence now how those issues might pan out. There is a programme of policy making that the Americans use, but it is very much liaising with policy makers, legislators, regulators and with large companies to try and identify issues and then to formulate solutions around the issues that are likely to arise. It is a very creative process.”
One of the issues, according to Treacy, is that the centre has had a US focus in the past, and the addition of Thomas will give the CIPL a more European footprint, which is timely given the growing focus on the need to find practical solutions to facilitate international data flows from Europe.
Thomas claimed that there was a similar regulation model on data protection across Europe and in countries such as Canada, Australia, New Zealand and Hong Kong, but that the big gap is between the US and the rest of the world. The two big differences are that the US does not have a comprehensive privacy law, nor is there a single regulator as you get in most other countries.
So I asked Thomas if an information commissioner model is something he could see spinning off into the US from the rest of the world.
Thomas said: “I don't think that the US has the appetite for the foreseeable future for a dedicated privacy regulator with the width of responsibility you find elsewhere in the world - it is simply not in their culture, it is not legally nor politically the way they do things.
“A single commissioner in the US is not on the horizon, in my opinion. The Federal Trade Commission has been pulled into privacy regulation over the past five to six years. They are becoming more and more active and recently the new chairman announced what they called the privacy re-think and they are holding some roundtable discussions before and after Christmas to discuss privacy issues.”
So moving back to the CIPL, I asked Thomas and Treacy if its intention is to drive governments on issues and lobby for policy. Treacy responded clearly that the purpose of the CIPL is not to lobby but to work on an educational basis with legislators.
Thomas said: “What you want a think tank to do is to contribute ideas, contribute analysis and identify problems and I wouldn't be anywhere near this place if I thought they were saying ‘let's cut privacy laws, let's cut them back’ - it is not that at all, it is about let's find privacy laws that work in practice that safeguard individuals' rights, that serve the purposes of the companies and organisations and respect civil society.”
“My philosophy is not just getting the law right, it is a matter of behaving properly in your own self interest. I used the phrase 'enlightened self interest' because there are many benefits, tangible and intangible, to getting privacy right.”
So if its intention is not to enforce or lobby for policy, is it trying to enhance and improve existing laws? Thomas claimed that it was important for legislation to be less burdensome but to be made more internationally compatible.
Thomas said: “Data flows around the world now on imaginable scales and one of the problems with the European Data Protection Directive was that it was designed at a time when data didn't flow like that, it is what I call a mainframe directive. I stood up about two years ago and said that it was not fit for its purpose and I was quite critical of the European directive and it is moving towards reform.
“As well as looking for solutions that are less burdensome, we are trying to make the law more internationally compatible. It is no use complying with all of the data in Europe and finding that your data is in the US where there are completely different rules, that is a nightmare for everybody.”
Treacy said that while the centre is not lobbying, it has a strategy of achieving better laws and trying to ensure that regulation is workable. Treacy said: “The principles of good data protection are implemented in a way that companies can comply with and are realistic.
“Our new project on accountability, to which Richard will contribute, seeks to find common ground and a global solution to data protection regulation and governance.”
Explaining the accountability project, Thomas noted that this was not a new concept, but that the concept is new within the civil law jurisdictions. He admitted that there 'has been some difficulty with the translation of the issue. The easiest explanation is that it is about an organisation demonstrating that it is committed to getting data protection right.'
Thomas said: “You have got to have the right process and the right policies and that is where the lawyers come in. You have got to have proper internal oversight – you cannot leave it to your IT department or to your lawyers alone, you cannot leave it to your HR department. You have got to have someone overseeing it all, in a co-ordinated way, and to ensure that the people handling the data know what is required of them.”
The first phase of the CIPL's exploration of accountability was named 'the Galway project'. Thomas explained that the project has spanned more than 12 months and is now moving into a second phase to create practical mechanisms to bring to life the conceptual thinking.
One challenge for the centre will be to find instruments and mechanisms to translate the concept of accountability into practice. As part of this objective, Thomas said that he would contribute new thinking on 'binding corporate rules'.
He explained that this is a company code that provides a framework of rules for a company to follow European rules on a worldwide basis. Thomas said that this was 'a good idea, but rather cumbersome and takes a long time', so his vision is to bring together the principles of accountability and produce some ideas for reform in the binding corporate rules process to make it a bit faster, a bit cheaper and a lot easier for all concerned.
Thomas later claimed that binding corporate rules have got to be tailor-made for each company, and that the basic thinking he has been advocating for four or five years is a good one but is still damaged by being rather cumbersome and rather slow, so he is planning to spend the next few months looking at ways to make it easier to get through.
Treacy said: “The need for this is that the European data protection framework essentially prohibits the transfer of personal data from Europe and with this you can satisfy some requirements.”
Thomas confirmed this, stating that unless a company has a framework in place, it is quite easy for a less reputable company to send someone's details away.
The second part of this interview, looking at Thomas' thoughts on data loss and protection, education and punishment, will be published later this week.