Elizabeth Denham, information commissioner for the UK, sits in her office on the top floor of a bland low-rise tucked in back of a drizzly car park in Wilmslow, just south of Manchester. Unassuming in a simple sheath dress, she has a habit of pushing a pair of rectangular spectacles up the bridge of her nose as she talks. It is a librarian’s gesture, which is fitting: the Vancouver-born Denham worked for years as a professional archivist in Victoria, BC, before moving into what she now describes as the “sleepy, technical” world of data regulation back in the 1990s. Since then, the information and tech worlds have become utterly unrecognizable, and Denham has become arguably the most powerful data regulator on the planet.
Charged with protecting the UK’s data, Denham is responsible for ensuring that corporations and political parties are transparent in their use of personal information. Her office also has sweeping prosecutorial powers: Denham has the ability to seize servers with little notice, shut down companies, issue subpoenas, investigate political parties, and levy significant monetary fines. For corporations, the ceiling on those fines was recently lifted to 4 percent of global revenue—a dollar figure that’s currently in the low billions for Facebook and Google. “It’s a big beast of a job,” she says. “But what I care about most, at the end of the day, is the fair and ethical use of data.”
Denham was recruited for the role in late 2015, after serving in several privacy commissions in Canada, just a few months before the UK voted to leave the European Union. She laughs ruefully at the memory. “Everyone said, ‘Yeah there’s this referendum vote, but don’t worry, it’s going to be status quo.’”
Her investigations have made waves around the world. Most recently, the one into Cambridge Analytica, the data-mining firm backed by US billionaire Robert Mercer, which, with the help of Facebook, was found to have illegally misused the personal data of millions of Americans and Britons in the course of both Trump’s presidential campaign and the Vote Leave Brexit campaign struck a nerve. Denham, you might say, is Mark Zuckerberg’s worst nightmare.
She guides me over to a wall of her office that is decorated with framed original newspaper caricatures depicting her past career exploits. One shows Denham as a swashbuckling sheriff kicking open a saloon door on what looks to be a corrupt game of poker. In another, she’s a skirt-suited Old Testament David brazenly wielding a slingshot against Goliath, who is wearing a blue tunic emblazoned with the letters FB. It’s dated 2010, during the aftermath of Denham’s first major report on Facebook, which she completed during her tenure as Canada’s assistant privacy commissioner in Ottawa.
That landmark investigation would in many ways foreshadow the extraordinary arc of Denham’s subsequent career. It was published when most of the public still viewed big social-media platforms as, in Denham’s words, “friendly Silicon Valley companies all about making friends and connecting.” What she anticipated and reported on with urgent clarity then has now proved broadly true: the advertising model by which the big-data companies eventually planned to turn a profit is one that risked compromising the privacy and personal data of millions of people. She recommended that Facebook be legally required to be far more transparent with users about the ways in which their data could be potentially used and passed to third parties. The world would be a different place had we listened to Denham back then. Instead, she began her regulatory career as a kind of Cassandra, the Greek oracle who could see the future but was cruelly fated to be disbelieved.
In Canada, Denham’s hands were tied: with the notable exception of BC’s, our privacy and information commissioners have no enforceable powers. “That’s why I like being where I am now,” she says, settling herself at a boardroom table. “To actually see people prosecuted.” Denham tells me that one floor down from where we sit, analysts are still sifting through no less than 700 terabytes of data the information Commissioner’s Office (ICO) seized last year in its raid of Cambridge Analytica. That’s the equivalent of 52 billion pages of documents. Given that the consultancy was working on many as-yet-undisclosed political campaigns around the world, this data cache has the potential to be explosive on a global scale. “We have regulators calling us up all the time saying, ‘What have you found out about Argentina?’ ‘What have you found out about Australia?’”
On the subject of Canada, she’s particularly scathing. For the most part, our privacy laws still don’t extend to political parties or charitable organizations: if you called up, say, the Liberal Party of Canada and asked it to disclose all the personal information it has collected on you and how it’s using that data to target you as a voter, it would have every legal right to ignore you. In the UK, that’s not the case. “Canada is really behind on this stuff,” she says. “Especially now that we know what can happen.”
Charlie Angus, an NDP MP and vice-chair of the House of Commons standing committee on access to information, privacy, and ethics, has long been a fan of Denham’s work both at home and now abroad. Like her, he has pushed for an update and toughening of Canada’s privacy laws. “Watching her in the UK with her order-making powers,” he says, “has been a marvel.” Denham is still investigating the data-processing practices of all the UK’s major political parties. She also has a team compiling a research report on the best way to safely regulate apps for children without curtailing learning and creativity.
Denham began her career as a professional archivist, the kind of high-level librarian who asks visitors to put on cheesecloth gloves to ensure the safe care of antique maps. This was back in the era of card catalogues and microfiche, when protecting and caring for information was a hands-on job. But, in the 1990s, federal and provincial governments were developing new freedom-of-information and privacy laws, and Denham suddenly found herself an accidental handmaiden to history. “It was a natural transition for me because I was dealing with records and making them available, moderating the access to records, and mediating between the depositors and researchers.” In the early aughts, she took a job with the Alberta privacy commissioner as the head of enforcement for the private sector. It was there she discovered her love of hunting down bad guys—or, as she might put it, the importance of upholding human rights and transparency.
Denham followed that up with a stint as assistant privacy commissioner of Canada (it was in that position that she authored that prescient report foretelling the dangers of an unregulated Facebook), after which she was appointed privacy commissioner of BC. She was mulling over the possibility of a second term there when the UK called.
Before assuming her appointment in July 2016, Denham was grilled by British parliamentarians in a mandatory scrutiny hearing, an experience she describes as “intense—and perhaps not as respectful as it could have been.” At one point, a male MP she declines to name asked her what sort of animal best described her management style, given that she came from “an island full of strange animals” somewhere off the west coast of Canada. “I realized later I should have said killer whale,” she says. “But I just said, ‘I’m not going to pick an animal.’”
The role was a huge promotion. Denham went from managing a staff of forty in Victoria to managing 750 people spread across five different branches: the ICO also has offices in London, Cardiff, Edinburgh, and Belfast in addition to the one near Manchester. “As a woman from Canada with a librarian background, I wasn’t necessarily someone people would think was a natural for the job.” Perhaps not, but Denham’s record since 2016 speaks for itself. In Britain, she’s become a fixture in the press and is regularly called to Parliament to testify on everything from facial-recognition technology to content regulation. Late last year, the Queen conferred on her a Commander of the Order of the British Empire. (Denham plans to take her mother as her date to the Buckingham Palace ceremony.)
In the fifteen years since Denham went into data regulation, the digital world has been remade, and what was once a largely overlooked matter—the domain of telemarketers and census bureaus—has become one of the chief public-policy concerns facing governments around the world. Today, information regulators grapple daily with the basic legal and moral questions of what it means to be human. Denham’s mandate, to uphold information rights in the public interest, is often directly at odds with an increasing number of seemingly malign forces conspiring to undermine the values of liberal democracy and the rules-based international order.
But what really preoccupies Denham’s conscience—the thing that actually keeps her up at night—is the desire to understand and get out ahead of whatever is coming next. Our cultural blind spot, she believes, is our inability to grasp and grapple with the inevitable emergence of artificial intelligence and other sophisticated data-processing and surveillance tools. “There’s a risk that AI could undermine all our laws and everything we are as a society if we just look at it with big sparkly eyes,” she says.
So how do we safely regulate a world in which war machines operate autonomous weaponry and cars drive themselves? How do we anticipate and, when necessary, mitigate the effects of AI on everything from journalism to government to jobs? “There are really big questions right now that are going to make the issues we’ve faced with information technology look like kindergarten problems,” she says.
Denham rises and shakes my hand before settling back into her chair. Turning back to look at her, I find myself unexpectedly hopeful; I tell her I found our conversation quite comforting. She laughs and shrugs like she gets that all the time. “I bet it’s just the Canadian accent.”