Go to the profile of janelucy
janelucy

Our new ICO Commissioner wants to be forgotten, will you?

This is a follow up post to an earlier post first published on LinkedIn.

In my last post, “Brexit and CMA final report: What does it mean for consumers?”, I speculated on the interesting challenges ahead for DECC, Ofgem and the ICO with regards to consumer rights and domestic smart meter data, particularly in the light of Brexit.

As if Brexit and the CMA’s report on the state of the energy market weren’t enough game changers, we now no longer have DECC and there is a new ICO Commissioner in place. But before I consider those implications, I can provide some update on the debate between industry and government on smart meter data privacy.

There were essentially two stages for feedback in the review of the Data Access and Privacy Framework (DAPF) being the official consultation responses and a later additional call for evidence of the tension between consumer protection and “commercial interest”. My FOI applications have revealed there hasn’t been a single response to the second call for evidence. It’s hard not to think therefore that the commercial responses in the first stage may have been a knee jerk reaction of energy suppliers in wanting less regulation and more commercial freedom, and the reality is that the evidence to justify that course of action against upholding the rights of privacy, simply don’t exist. Surely, this, combined with Ofgem’s disagreement with DECC, will see consumer rights upheld as the overriding objective. DECC, albeit now BEIS, intends to publish further on this sometime this Summer (actual date pending).

But it’s unlikely to be as simple as that, perhaps unfortunately for Elizabeth Denham, who seems from her pre-appointment hearing with the UK House of Commons Department of Culture, Media and Sport Select Committee to have much catching up to do on her acknowledged learning curve (including a recommendation to watch the “very entertaining” clip of Dido Harding on YouTube). The reason being that Ofgem declined to disclose information relating to them having a different view to DECC as to how the DAPF should proceed under my FOI application, in part due to information relevant to my request having been created for the dominant purpose of seeking legal advice or is itself legal advice… Interesting indeed. The other reason for non-disclosure was due to the information relating to ongoing formulation of government policy. To recap, the PAFP was created in 2012, was due for review by the end of 2015, and now isn’t going to be reviewed before the end of 2018, by which time 60% of all households are expected to have smart meters. Seems a long time for uncertainty, particularly if information subject to FOI applications will also be protected from disclosure in that timeframe…

Obviously my personal intention is that Labrador makes it easy for consumers to exercise their privacy rights and benefit from their data, no matter what stance government and relevant bodies may take. But I’m not arrogant to believe that all consumers will take up our service and for the majority, I guess we will have to wait for BEIS to publish their position later this Summer to consider further.

In the meantime, consider Elizabeth Denham. As the then Assistant Information and Privacy Commissioner for British Columbia (BC), Canada, she took on Facebook over its privacy practices, being the only country to do so despite those practices impacting all users internationally. The outcomes were all focused on empowering users to make informed choices and giving them meaningful control i.e. not only about the principles of data sharing but giving categories to information and requiring consent for specific uses, driven by an opt-in framework. It’s language that sounds familiar to the starting point in the DAPF. Surely, energy suppliers in Great Britain are not so fearful to take on as the 4th most valuable company in the world? Unless of course, Elizabeth Denham finds energy suppliers to be as concerned as Dido Harding about brand impact. Let’s hope she watched that YouTube video after all…

Elizabeth Denham’s starting position is that brand reputation is enough to motivate the big firms and fines are required to motivate the smaller ones. As she is likely to learn, historically that hasn’t exactly been the case in the UK. Just as well then that her appraisal of the GDPR is that “it is a high water mark for data protection around the world” and that the imperative to still trade with the EU will mean it’s a standard all countries will still need to meet, by implication including the UK post Brexit. She is also on record as believing fines up to 4% of turnover are appropriate. The one catch is that she prefers to start in a position of education and guidance, with enforcement only being “when things go very wrong”. I hope she doesn’t fall into what currently feels like DECC/ BEIS and Ofgem thinking that 3 years of standing back hoping that education and brand risk will suffice as an appropriate strategy, before being prepared to reach into her “toolbox” and take real action if necessary. Elizabeth Denham made clear to the UK House of Commons Department of Culture, Media and Sport Select Committee that that is not the image she wishes to present:

“I have crossed swords with some of the largest technology companies and I have not shrunk away or been a shrinking violet, despite my archival origins, to serious abuses of the law. I have the record to prove it, so you can look it up. It is in the public domain.”

It is. But also in the public domain is her apparently having exercised her right to be forgotten in Google searches (google “ICO Elizabeth Denham”). Clearly, it’s impossible to know what content she has asked to be removed. Should we be concerned or reassured that our new ICO Commissioner is indeed an empowered user, knowing and exercising her rights, as we all should? It doesn’t sound like Elizabeth Denham will need the Labrador service at least!