Keynote speech to the Esop Centre’s Employee Share Plans & Trustees Conference 2022, Friday, 13 May 2022, at the Pomme d’Or Hotel, St Helier, Jersey.
It has been a strange couple of years, but it is good to be back in person. Covid has caused major changes in the way we live and work. Before March 2020, how many of us were familiar with considering our home as our place of work. We are social animals, not designed to live and work apart, socialising only through a screen, that Covid and lockdowns brought. Our social and working lives are now very different to what we were used to, as we have learned to adapt and evolve. Unlike much of the animal kingdom we have done very well to avoid extinction – that may sound overdramatic, but at least the fear of extinction was real, probably not helped by the constant rolling out of the latest statistics which we came to rely on quite heavily.
While, in this information age, we are bombarded with all the negative aspects to the pandemic, there is a flip-side, namely the technology that has allowed us to have a much easier ride through the pandemic, enabling us to act, react and behave according to the very latest information available; keeping us connected in a socially distanced world. While the pandemic has been pretty bad for most, we have had positives provided by the technology that surrounds us. For instance, it has brought faster development and processing of vaccines. Improved connectivity has enabling remote working. New business opportunities have arisen e.g. printing companies offering personalised face masks; restaurants offering “cook at home” services. And this is true too, for social aspects e.g. on-line fitness classes and greater focus on personal wellbeing.
The same can be said of emerging threats. Part of our nature is to learn quickly and turn that threat into an opportunity. I have often heard technology such as AI referred to as threats, particularly in the context of privacy. This is compounded by media scare mongering that AI will take away jobs and “the world will be run by robots”. We all know that that’s not true and like the pandemic, this isn’t the first time humanity has had to face the challenges of new technology. The key is to establish exactly what those technologies can be used for, for the benefit of human kind. How can efficiencies be achieved through technology; how can embracing these changes mean using human resources for more important things; how can new tech be utilised for compliance with regulation, leaving humans to focus on creativity and strategy. And how can data be used more effectively and how can it be shared for the benefit of society as a whole. It’s all about being innovative and finding the opportunities that exist behind threats and using for the public good instead of resisting inevitable change and risk being left behind by your competitors.
That resistance is based on a lack of trust and confidence, perhaps brought about by lack of knowledge of the tech or even the regulatory framework that you work within. If you are not a technology expert then understanding that complex world can be really challenging, but we all need to get to grips with both the impacts of new and emerging technologies on our personal lives as well as leverage the benefits of those if we are to survive in an ever-competing world.
This is why we see more businesses going through a digital transformation, as they adapt their working practice, drive efficiencies and move with the changing times.
But for us as regulators on an international playing field, we also need to make sense of what the world would look like in the next 30 years. Our office is constantly horizon scanning, using a global network of colleagues, to identify potential threats to our personal privacy, but also potential opportunities for Jersey.
One example is participation in a ground-breaking project with Digital Jersey, local government and colleagues from the finance and tech sectors, to look at feasibility of data stewardship services in Jersey and the market opportunities that those services bring. Shortly, a pilot project will be launched which relies on cyclists collecting journey data with a view to improving traffic flows and road conditions. This example shows how important it is to have an eye on the future so that you can manage risks and turn them into, sometimes lucrative opportunities for the benefit of society.
But, on the other side, there will always be bad actors who want to take advantage for their own illegitimate gain, e.g. with cyber-attacks. Cyber security is one part of a suite of controls your organisation must have to protect itself from external threats to the information you hold. And with the current situation, with the Ukraine crisis, the risk of cyber-attack is at its highest for some time.
Cyber-attacks and their threat will of course need to be avoided at all costs, but their existence can also provide some significant learning opportunities for your business. For example, how strong are your risk management frameworks? How well do your mitigation measures work? Have you learned the lessons from an attack? Or better still, have you learned the lessons from regularly testing your cyber response strategies? Do you cascade the basics through your organisation, so your staff know the difference between a phishing attack and malware and ransomware and what they look like? Or what to do if their password has been compromised? These are basic measures, but it all helps.
Threats and opportunities will always exist in our everyday work, and those threats and opportunities will involve data at some level.
The Jersey Office of the Information Commissioner is there to protect your personal information. It is my job to ensure that we are on top of the latest developments and can see far enough into the distance to identify those risks and guide you so that you can counter those threats and create opportunities for business. And we can enforce against those who deliberately misuse the information you hold, or treat it poorly, those bad actors that were referred to.
This is why, in the globalised world we spend a lot of time talking with our international colleagues to ensure Jersey has a voice on the world stage. For example, we are members of the Global Privacy Assembly which comprises more than 130 data protection authorities across the world. And we have a presence on most of the working groups that sit underneath that Global Privacy Assembly, covering topics such as international enforcement cooperation; ethics and data protection in AI; digital education; the role of protection in international development aid; humanitarian aid and crisis management. And recently we became chair of the working group on data sharing for the public good. We are also members of AFAPDP which is an association of French speaking data protection authorities. We are members of the Global Privacy Enforcement Network; the International Association of Privacy Professionals and the British Isles and Irish Data Protection Association. One thing that has become clear is that there is a great need for us to work closely with our international colleagues, so we have good relations with other countries. And you might think that “little old Jersey” wouldn’t have much of an effect when sitting among the big players, but we find that in the data protection community, it doesn’t matter how big or small you are, your voice is seen as equal. Again, it is about creating opportunities.
While we are talking about our international position in terms of data protection and particularly the regulation of personal information, it is also important to remember that Jersey is a “third country”, outside of the European Union. That means that in order to preserve data flows between Jersey and Europe, our data protection laws must be deemed by the European Commission to provide an adequate level of protection of the rights and freedoms of individuals in respect of their personal data. Jersey is one of only 14 countries that has this coveted adequacy status from the EC. Given our position as an off-shore international finance centre, the free movement of data between Jersey and the EU is critical. Without it our finance industry would not be able to work in the same way as it currently does, and our economy would certainly suffer.
But it is not just about the finance industry, Jersey trades with Europe in other sectors too, and where there are trade routes, there will also be data flows. So, protecting privacy is vitally important for trade as well, and affects all sectors of our business environment. Jersey has been an adequate jurisdiction since 2007, and along with the other 13 adequate jurisdictions, we are currently going through a post GDPR adequacy assessment. I can assure you that the result won’t be anything other than a positive assessment, such is the strength of Jersey’s legislation. But we must not be complacent, we need to continue to work hard to maintain that adequacy.
The subject of adequacy is critical to Jersey when it comes to international data flows. You may ask, why is adequacy so important, and why are international data transfers such a hot topic at the moment? Data flows across borders are essential across the globe. They underpin digital trade, which cannot operate without them. The global economy is becoming increasingly dependent on digital services. They generate huge amounts of data (Linklaters’ research suggested by the end of last year 60 percent of the worlds’ GDP would be digitised, resulting in increased trade in digital services between countries with commercial values into billions of dollars each year). It is clear to see that digitisation is here to stay and we‘ll need to be well prepared for that.
With that in mind, businesses are reliant on data transfers for much of their business operation and Jersey is no exception. In the not too distant past, it would have been largely restricted to technology companies and professional services, but in today’s world we can expect to see most business sectors, especially the SMEs placing an increased reliance on transfers of personal data, enabling them to be successful businesses, and allowing them to compete on a global scale by offering more for less. This is great news for the customer as well, as business costs can be kept lower, through better access to cloud services for example. For larger and multi-national businesses, data transfers will be critical for their day to day activities. So, in order to manage supply chains, you need to be able to rely on uninterrupted flows of goods, services, capital and data. Our adequacy status, therefore, is essential for our economy. The small island of Jersey, which prides itself on the strength of its regulation, not just in data protection, but as an established finance centre too, has witnessed a massive sea change in how data is moved and how it is used. Its data protection laws have mirrored those in Europe in order to protect its trade position, and have developed significantly over the past 35 years. The reason for that is the value of personal data has increased exponentially. Thanks to rapid technological advancement, the ease of movement of data has improved greatly. The availability and accessibility of data has improved significantly, and with that the controls required to protect data have also strengthened as risks associated with data transfers increase.
But there is much more to think about when it comes to laws set by foreign governments. You need to consider intangible aspects, such as trust, coming into play. Differing national cultures have an effect. Domestic cultures within businesses have an impact. How do you begin to impose controls and obligations on a country where cultural differences create barriers to compliance? How do you look to gain consistency across jurisdictions? And how do you do this without compromising accountability, or disrupting or restricting businesses by creating huge administrative burdens? All difficult challenges and questions for data authorities to grapple with.
The complexity of regulation around data transfers is also a major concern, not just for businesses, also for the regulators who have to apply the law. Consistency and ease of application across borders is essential, but as it stands, restrictions due to regulation means a cost to businesses, mainly through reduction in imports and exports, but also cost to customers through increased prices, and a cost to the regulators in terms of additional resources and expertise required to regulate and apply the law.
With the UK leaving the EU, the UK has implemented its own adequacy regime to preserve the free flow of data between the UK and other jurisdictions. This means that there are now potentially two adequacy findings needed to preserve data flows, and it is not inconceivable that other countries might follow in the near future.
Up until the Schrems II decision of the CJEU in 2020, there had also been a mechanism known as the Privacy Shield, which allowed for the free flow of data between the EU and the US. However, this mechanism was invalidated and currently there is no equivalent in place, making transfers to the US more problematic. (Though we are assured there is a solution on the horizon).
What this means is that other EU models have to come into play and have to be utilised if we are to allow those data transfers to take place. Things like standard contractual clauses provide reassurance for data transfers, but again it is criticised as being complicated, unwieldly, and in some cases impossible to comply with, particularly for an SME with limited resources.
What is clear is that we need to embrace innovation. We need to encourage trust, and we need to ensure that free movement of data to enable businesses to flourish and succeed. Simple principles; simple guidance; fulsome explanations of data usage; realistic policy objectives; and consistency across all borders would be extremely helpful.
And the same can be said of the public as well. Simple guidance that can be easily understood; encouragement to embrace innovation, and full transparency around data use would be a benefit to them.
So how about a globally recognised standard where the rules are the same whether you are transferring to Europe, the US or another third country. Is there a way where globally common interpretation and guidance can be reached? Or is this just a fantastical utopia, that is too ambitious to even think about? These are the kind of questions that authorities are facing at the moment.
But would it not provide a benefit to all if we had a consistent ethical data sharing framework which incorporated data protection principles? It would also help with flexibility where the data sharing is for the public good. This would help with ease of compliance and better understanding of how different legislative frameworks interconnect. The EU GDPR is currently seen as the gold standard of legislative protection, and it is not difficult to see why, as Europe has been driving the development of data protection law since before the first directive in 1995. Other jurisdictions also base their own laws around the European model. Much of the language is the same; essential overarching concepts of fairness, transparency and accountability are all the same.
But I do worry, as a regulator, that we might be restricting ourselves unnecessarily, by not taking notice of other areas of data protection law such as those in Asia and across the Atlantic in California. Are we asking any questions about what is the gold standard now? Why are we even looking at who’s got the best framework? We have a global privacy assembly which recognises that data protection is not just a European issue. In a globalised world where international trade is essential and data protection laws are all commonly aimed at protecting people, is it not now time to look beyond one approach and one continent, and instead for the next data protection gold standard, try and make it a global one, addressing those cultural differences and finding a balance between rules and principle based legislative regimes?
My own view is that if we want to affect big change in the way data protection is regulated, then we have to think much broader than we are now.
As a regulator, I have seen our role change from being a focus on data protection compliance, which it always will be, but much more to a focus on issues with societal impacts. Data protection is about people after all, and we must not, under any circumstances, lose sight of that.
That is why, in our organisation, we have adopted a position where we want to create a culture in Jersey, where privacy becomes instinctive to our islanders. That means that the responsibility for protecting personal information doesn’t only sit with the organisations that you give your information to, nor just us as a regulator, it also sits with all of you as individuals. We want you to place more of a value on your privacy. We want you to think about what you might be willing to trade before signing up to a company’s products and services. We want you to consider your personal privacy as a natural part of your day to day lives.
To put that into context, think about when you leave your house, you lock your front door to protect what’s inside. When you travel you might get an insurance policy to protect against consequences of having an accident when you are away from home. If involved in contact sports etc, you would put on protective clothing. On a motorbike or bicycle you wear a crash helmet to protect your head should you fall. In a car you wear a seat belt to protect you should you be involved in an accident. Our lives are precious things and most of us would take at least the most basic steps to protect ourselves whenever there is a risk.
Remarkably, very few of us take steps to protect ourselves when it comes to the privacy of our information – the single biggest asset any of us own; the single biggest risk to our private lives, to our reputation, to our integrity and to our humility.
I ask myself, why don’t people seem to care about their privacy, or respond, when asked that question: “I’ve got nothing to hide” or “I don’t care”, when in truth we all have something to hide, we all have something that we would rather not be made public. Think about your medical details, for example. So it is about time that the power imbalance between the individual and the corporate changed. It is my mission under my tenure to try and make that happen.
Privacy and innovation must work side by side, or should not be at the sacrifice of one for the other. Not if we want to see true progress for the benefit of all. Maintaining fairness will build trust. Transparency will increase understanding and trust. Accountability leads to trust. And with the trust of the people, we can fully embrace innovation for the benefit of society, while maintaining those rights to privacy.
To sum up: it is critical that ‘little Jersey’ continues to have a voice on the global stage, and my office is committed to ensuring that our islanders are afforded the very highest standards of data protection for this generation and the next.
But the legislation can’t do it alone; it needs all of us, in this amazing community, to play our part – from us as regulators, our business community, our technologists, our innovators, our politicians, our island leaders, and most importantly, you as individuals. Because privacy and data protection is, after all, about you.
As Jersey Information Commissioner Paul Vane is responsible for promoting awareness of the law, its principles, and the obligations upon controllers and processors as well as the rights of individuals. Paul has extensive experience in the regulatory and law enforcement environment and held the position of Deputy Commissioner between 2004 and 2021. In 2018, as Acting Information Commissioner, he led the Jersey Office of the Information Commissioner through a landmark transition when the GDPR came into effect. Previous roles include Compliance Manager and Policy & Legal Manager at the Jersey Financial Services Commission, where, among other things, he was responsible for ensuring that financial services businesses were compliant with Jersey’s financial services law; and Police Officer for the States of Jersey Police.