LONDON — When Elizabeth Denham became the U.K.’s privacy regulator in 2016, data protection was hardly the hot-button topic it is today.
Fast-forward 18 months, and the world has changed. Denham is now in the eye of a storm over allegations that roughly 50 million Facebook users had personal data harvested without their consent by a British-based researcher connected to Cambridge Analytica, a political research firm with ties to Donald Trump’s 2016 presidential campaign.
The scandal — in which both Facebook and Cambridge Analytica deny wrongdoing — is exposing Denham and her previously little-known U.K. data protection agency to an unprecedented level of scrutiny, as lawmakers wonder whether she has the resources, power and political backing to take on a privacy investigation involving one of the world’s biggest tech companies.
Denham’s Information Commissioner’s Office (ICO) is now leading the global investigation into whether Cambridge Analytica — which used data from Facebook to try to help U.S. President Donald Trump get elected — ran afoul of Britain’s tough data protection standards. As of Thursday, she had yet to obtain a warrant to seek information from the firm.
“The ICO finds itself well positioned to be seen as an influential regulator” — Eduardo Ustaran, Hogan Lovells law firm
Industry executives, British lawmakers and other countries’ privacy regulators expect the ICO’s response to the recent scandal will shape how other watchdogs, including the U.S. Federal Trade Commission, which has launched a separate probe into the allegations, will handle misuses of personal data.
It also will shape perceptions about how serious the U.K. is about data protection — a vital prerequisite to a post-Brexit deal to keep data worth billions of pounds in trade flowing with the European Union, United States and others.
“The ICO finds itself well positioned to be seen as an influential regulator,” said Eduardo Ustaran, co-director of the global privacy and cybersecurity practice at Hogan Lovells, a law firm in London. “It’s a very firm and powerful regulator, which will only bark once and then will bite.”
Lack of powers
Denham, a Canadian who previously ran British Columbia’s data protection authority, has carved out a reputation as an active enforcer.
In the fallout from the U.K.’s referendum on leaving the European Union, she began an investigation into how data may have been used to sway potential voters during the 2016 vote. The most recent revelations linked to Facebook and Cambridge Analytica, the ICO confirmed, will be included in that existing probe, which is expected to report back to U.K. lawmakers by late spring.
Traffic passes the shared building that houses the offices of Cambridge Analytica in central London on March 21, 2018 | Daniel Leal-Olivas/AFP via Getty Images
“With big data, cloud computing and analytics, old-fashioned data collection has shifted significantly and maybe without taking voters with it,” Denham told the British parliament in January. “More data is available to political parties, but it’s unclear how they can use it.”
But Denham’s ability to investigate Facebook and Cambridge Analytica hinges on her ability to gather evidence — an area where she has run into roadblocks. Before media revelations outlined over the weekend how Cambridge Analytica had used a Cambridge University researcher to gather information on U.S. citizens through an app download onto people’s smartphones, Denham had issued a “demand for access” — a warrant with notice — to Cambridge Analytica.
It was not answered by the company. Denham announced Monday, after the story regained prominence, that she was seeking a warrant to obtain the information and access to evidence. Now, her request has been delayed until Friday after a High Court judge sought an adjournment.
The bureaucratic hurdles meant that she was forced to stop Facebook carrying out its own audit of Cambridge Analytica’s premises earlier this week. The move would “potentially compromise a regulatory investigation,” she said.
Brendan O’Hara, a Scottish National Party MP and member of digital select committee, which has been probing the use of data in election campaigning as part of its “fake news” inquiry, said that Denham was doing her best to gather information. But, he added, the U.K. regulator lacked sufficient powers to obtain a rapid search warrant.
Denham has issued eight fines in the first three quarters of the financial year ending in April | Chris J Ratcliffe/Getty Images
“I think that the the U.K. has to recognize the world in which we now live in and we have to be a bit more fleet of foot in terms of getting emergency warrants for the information commissioner in circumstances such as this,” he said.
At a recent hearing of the fake news inquiry, Denham herself warned that organizations that refuse to cooperate could “buy themselves out of compliance with an investigation” through a fine. “I actually want the information in an inquisitorial investigation,” she said.
Reputation to live up to
As Britain’s chief data protection officer, Denham has shown a willingness to impose fines on companies found in breach of privacy rules. John Whittingdale, the U.K. culture secretary responsible for her appointment, said that she had been picked because she had demonstrated she was “prepared to take a tough line where necessary” in her previous job in Canada.
“I think certainly we felt we needed somebody who we felt would be a bit more proactive and was capable of taking more of a public role and be able to explain and defend the role of the information commission, take quite a strong line in enforcing data protection rules,” he said.
So far, Denham has issued eight fines in the first three quarters of the financial year ending in April, including a hefty penalty against TalkTalk, a local mobile phone carrier, for failing to protect people’s digital information.
Lawyers and EU officials also praised Denham for taking a “pragmatic” approach to enforcement.
In her first annual report, published last year, she also boasted of having issued more penalties for breaches of the Privacy and Electronic Communications Regulations, British privacy legislation, than ever before. In total, the ICO issued 16 civil monetary penalties totaling £1.6 million for serious breaches of the data protection principles across both public and private sectors, according to regulatory filings.
Such willingness to fine companies for breaking British and European data protection rules, which are some of the toughest anywhere in the world, has won her plaudits from others in Europe. Willem Debeuckelaere, the Belgian data protection chief, for instance, said that Denham was a “strong woman, someone you can actually get things done with.”
“She’s very efficient, very clear, and clearly raises the bar,” he added.
A senior figure in the U.K. tech industry, who spoke on the condition of anonymity because he was not authorized to speak publicly about his organization’s dealings with the regulator, agreed that there was “quite a lot of steel there.”
Facebook CEO Mark Zuckerberg in Menlo Park, California | Josh Edelson/AFP via Getty Images
“She is very highly regarded by policymakers, by her fellow data protection community across Europe and internationally, and also by the industry,” the person added.
Lawyers and EU officials also praised Denham for taking a “pragmatic” approach to enforcement, which they contrasted with at times overly aggressive practices by other authorities. O’Hara, the British lawmaker, said it was essential the U.K. was not seen as “part of the Wild West of data regulation and data protection,” warning that the U.K. must be seen to be “adhering to the gold standard in terms of data protection.”
David vs. Goliath
But Denham now faces one of the biggest tests of her career.
While it remains unclear if Facebook or Cambridge Analytic breached the U.K.’s privacy standards, the ICO — which has 527 employees for all its functions — may not have the financial resources to cope with the global investigation, particularly as it is struggling to hold onto employees now leaving in droves for higher salaries in the private sector.
Currently, the British regulator has 10 people working on its existing investigation into how data may have been misused in the Brexit referendum, according to statements by Denham to British politicians.
A poster of Cambridge Analytica’s CEO Alexander Nix at the firm’s office in London | Daniel Leal-Olivas/AFP via Getty Images
Maurice Frankel, a director at the Campaign for Freedom of Information, an advocacy group, said that the upcoming revamp to Europe’s data protection standards, known as the General Data Protection Regulation, and the U.K.’s own Data Protection Bill, which is currently going through the U.K. parliament, meant that Denham’s office also is under particular pressure before the May 25 deadline, when all of this new legislation comes into force.
“In comparison to Facebook and Google and so on, the information commissioner is a very small organization,” Frankel said. “Although they have the legal powers, they are very heavily outgunned in terms of the resources and the funding for legal costs available to some of the people on the other side of the fence.”
Laurens Cerulus contributed reporting.