WHO replaces Elizabeth Denham and WHAT is next for Adequacy?
In the first episode of the Padcast Season 2, I will be talking to Rosemary Jay about her journey to become one of the UK’s most respected privacy lawyers and thought leaders. In a privacy career spanning over 30 years, we will hear how Rosemary joined the Data Protection Registrar (now the ICO) as Head of Legal in 1987 and went on to write a series of acclaimed Data Protection Law & Practice books, all while working on cutting-edge privacy matters in international law firms.
Episode highlights include:
Anthony Brown: [00:00:02] Hello there. I’m Anthony Brown, and a very warm welcome back to season two of the Privacy and Data Talks padcast. I must say it’s great to be back. And today I’ve got a bit of a special episode to kick things off as we’ve got a very special guest for episode one. So I’m no doubt many of you in the privacy community will be well aware of Rosemary Jay , she’s a name familiar to to anyone who’s been around, I guess, in this community for the last few years. In fact, Rosemary has been recognized as one of the leading privacy and data protection lawyers in the UK for over 30 years. She’s now a senior consultant attorney at leading international law firm Hunton Andrews Kurth, where she advises on high level privacy, data protection and confidentiality issues. And it’s got to be said. Rosemary had an amazing career that dates back to the late 1980s when she was head of legal at the Data Protection Registrar, which will be more commonly known to all of us now as the ICO or the Information Commissioner’s Office. Subsequently, Rosemary spent over 20 years as a partner in leading international law firms. And well, I must say it’s a privilege to have you on. Rosemary, how are you and how are things going in this third lockdown?
Rosemary Jay: [00:01:33] Oh, well, thank you very much for inviting me, Anthony, and I’m looking forward to chatting to you and that glowing introduction, which I’m not sure that I deserve, but that things are going absolutely fine and I’m due to have my first vaccine tomorrow. But I’m I’m always busy. I still do some consultancy work with the firm that I also have an allotment and a garden, so plenty plenty to do.
Anthony Brown: [00:02:04] Well, I’m sure you have had to have, well, either had extremely good waterproofs or be very brave to have gone into the garden or the allotment over the last couple of weeks because I’m sure there’ll be listeners outside the UK. But for anyone listening, as you probably guessed, it’s been a pretty grim sort of end of January and February weather wise here for us, but I’m glad to hear you’ve got your your jab tomorrow, Rosemary. That’s excellent. We’re making good progress, aren’t we? So we’re all keeping our fingers crossed that we’re yeah, coming towards in the final furlong. So I think first question for you is probably quite an obvious one, really for anyone who’s been in and around the privacy community for such a period of time. You were involved in privacy and data protection, and it’s many years ago long before it became fashionable, as it is now. And so, you know, it begs the question, let’s throw it back to this sort of late 80s. Why did you get involved in privacy and data protection
Rosemary Jay: [00:03:12] For the same reason that lots of women take jobs? So I was working in local government and I live in a village which is just 10 minutes away from Wilmslow, where the ICO’s headquarters still are. And I was working in local government and this job came up in Wilmslow. Ten minutes, five minutes from home, the supermarket during your lunch hour and our eldest was a toddler at that stage. So I boned up on data protection. And by the time I got that interview, Anthony, I was committed to the values of privacy. And what my surprise. They, you know, they gave me the job and it was a fantastic opportunity, a fantastic office to join. It was a very, very small group. When I was there, they had the first international conference of privacy regulators and commissioners, and I think there were 20 people attending. Wow. Yeah. So it was it was very different. But it was a fantastic opportunity for me and such an interesting area to have worked in ever since.
Anthony Brown: [00:04:29] Absolutely. Blimey, well, I love your candidness around that because I’m sure many people would have thought, Yeah, you know, I was as soon as I’d finished my O-levels or I just had this draw to privacy and data protection. But it sounds like it was more of a sort of practical reasoning around the time. So, so you were a lawyer. You’d qualified as a lawyer already and you were working in local government as a lawyer. And then and then, yeah. So I guess, you know, still in the sort of public servant sort of arena it was it was, well, you were a shoo in. Weren’t you just down the road? It was absolutely perfect. So there was only about 20 people working there at that time. Did you say?
Rosemary Jay: [00:05:12] No, there were. I was talking about the Data Protection Commissioner.
Anthony Brown: [00:05:16] Sorry, the conference
Rosemary Jay: [00:05:17] Yeah, right. Okay. Yeah, that was very small. But there were only it was only a small office. Yes, I suppose I could go back and sort of count, but we did have a registration you used to have to register now. This was the early days of registration. So actually it had it is it used to have quite a big registration function and that was kind of the biggest block of activity. But the block of people who worked on policy issues was actually quite a small number, and I was the only lawyer for the first couple of years until we recruited, we started to recruit a legal team as the work developed
Anthony Brown: [00:05:59] So gosh, I can only imagine the how different the sort of issues the ICO dealing with in present day compared to the sort of stuff you would have been dealing with there. I guess the fundamental elements of the privacy and what you’re trying to achieve is very similar, but obviously with the technological explosion, and that’s really sort of changed how things are done and looked at.
Rosemary Jay: [00:06:26] Anthony can see me because we’re we’re on a zoom. Yes. Nobody else can. But what I just picked up here is actually a piece of guidance. Its guidance Note 19 from 08/88. So that was August 1988. It’s called fair obtaining notification, and it’s all about obtaining information fairly and giving the first guidance really that I think came out from a regulator in Europe in detail around this issue. And it reads very, very, you know, it could be contemporary almost, you know, in order to obtain information fairly, it can be expected the person from whom the information is obtained will need to be notified as to certain matters. But it was radical. Actually, this is actually an original. No one can see it, but I have promised to give it to a friend because it’s he’s going to cherish it, apparently keep it.
Anthony Brown: [00:07:31] Wouldn’t it be amazing if you had a time machine, you could go back to some of those early conferences and then snapshot it compared to some of these enormous, you know, the IAPP conferences, you know, you’re lucky. Sometimes you can get a ticket or certainly access into some of the rooms where certain some of the certain speakers are in. You know, it’s crazy, really. And I mean, you’ve you’ve basically been on that journey, haven’t you, for many years? You’ve seen it all sort of grow up around you. And I mean, I know you mentioned you’re still doing consulting work, of course. But alongside that, and I think many people know you for this Rosemary, you’ve well, you’ve recently released the fifth edition of your data protection law and practice book. So it was published towards the end of last year by Sweet. And Maxwell, in fact, saw quite a bit of LinkedIn activity around the time it came out from not from yourself, because I know you’re much more modest than that, but people sharing it and saying, Oh look, I’ve got an early Christmas present and all this sort of stuff, so I’ve got to ask you whilst we are on the topic, and I know you are sort of you don’t want to rattle on or talk about your book too much, but I’ve got to ask you, so this is the fifth edition. When was the first edition released and how would you go about producing such a comprehensive piece of work?
Rosemary Jay: [00:09:00] Well, the first edition was 1999, so a friend of mine who because it’s the fifth edition of friend, accuses me of having written the same book for 20 years. And she says, I’ve known you for 20 years. You’ve been writing that same book all the time, but I get no indication it’s changed. And I when I started actually because a friend had got had got this commission to do a shortish book and she wanted me to do some chapters. And I started doing my chapters. I thought that’s fine and and started doing them. And then she got pulled off into some really big litigation and sort of her chapters got well, they didn’t really get done in the end. So in fact, I wrote the bulk of it and then was then was helped out by a very, very nicely by Angus Hamilton. So the first couple of editions were J and Hamilton, although I wrote the bulk of it. And then Angus was doing other things, and I just sort of carried on it. It has changed hugely over the years because the area has changed. But I write it sort of chapter by chapter in the sense that I really try and focus on one specific area and make that as comprehensive as possible. So, for example, and some things fall into relatively neat, something like research you can look at and really focus on some things conflate into one and another and then it’s a question of going through and going through and checking it’s consistent and that, you know, you’ve used the same terminology and so on and so forth. And as the book has grown, I’ve had help with writing specific chapters, so usually from people who I’ve worked with over the years. So William Malcolm who is now at Google does the transfer chapter and Sue Cullen, who I also worked with, does the FOI chapter, and I think it’s just a question of putting one foot in front of the other. You just get to you just have to accept that it will take a ridiculous amount of time. You would make more money stacking shelves. And but there is a tremendous pleasure in doing it when when you finished kind of thing, you look at it and you think, Yes, I managed that, I perhaps people like that. I also like walking. I quite like long walks. And I did the moonwalk a few years ago with my daughter and daughter in law, and I did it. And you do 26 miles overnight, and there’s a kind of satisfaction in, you know, just achieving something like that.
Anthony Brown: [00:12:06] Absolutely. I wondered what you’re going to say then I thought, you want to talk about Michael Jackson and doing the moonwalk and all that sort of stuff for a minute.
Rosemary Jay: [00:12:12] It’s a charity walk
Anthony Brown: [00:12:16] Well, a couple of things on that. I mean, firstly, how smart was your colleague/friend who suddenly had this big piece of litigation to focus on? And you wrote the bulk of the book, but maybe again, you know, that was fate. It was just so happened that it led you on a path. And 22 years later, the fifth edition has just come out. Is there going to be another edition, a sixth edition, do you think?
Rosemary Jay: [00:12:41] Well, if there is, I don’t think I’ll be writing much of it.
Anthony Brown: [00:12:46] Now you haven’t seen much fun in the garden and the allotment. I guess so. Well, I mean, and you know, I know lots of lawyers, both in house and in practice, actually who who have relied on it and read it and think a lot of it. So I guess on behalf of them, thank you. Thank you for all of your work and efforts. You know, it’s it’s a massive piece and probably a bit of pressure on your shoulders as well when you come to write that sort of thing. So you kind of under the microscope, so. So thank you on behalf of the community. Speaking about the community, the we’ve got well, the last few years have been it’s always a big year in privacy and data protection, and this year is no different. We’ve just we’ve obviously Brexit has been finalized and there’s big, you know, there’s big movements potentially down the road this year with Elizabeth Denham potentially standing down. I understood that she was and then I think there was some people saying she may not. And so be interesting to get your view on that. But sort of looking ahead from an outsider these days, obviously, you’re not at the the ICO. Of course you’ve been for many years, but how do you see when Liz Denham leaves things evolving from an ICO perspective? And do you think they’ll go down a sort of different route with the way they communicate with people or different sort of, you know, what do you think a successor will be looking to do the direction of travel?
Rosemary Jay: [00:14:18] And now I thought that Liz Denham was staying until later in the year, but is obviously coming to the end of her term. But when I think one of the things you have to remember is that the commissioner’s office does not just deal with data protection. It deals with FOI. And I think when we look at it from a data protection perspective, we see it just through that prism that this is privacy data protection work. But actually, the commissioner who moves into that role has to look at both sides of the work of the office. And I think that FOI actually will perhaps be more of a challenge than we recognize. I think we’ve seen a decrease in transparency from this government. I mean, if you think just of that, if you remember the Intelligence and Security Committee report on Russian influence on Brexit, it didn’t actually see the light of day until June July this last year, 2020. And I think there is pressure on FOI. So the commissioner has to be balanced around those, those two sides of his or her work in terms of data protection. I can’t see that things like the advisory work, the policy work is going to undergo some massive change. It’s a big organization. You know, it’s on a steady course. And I would imagine that there would have to be quite a lot of thinking before the ship. You know, before you turn a big ship around and you have to work out what your direction needs to be, where I think the new commissioner will be able to kind of move in and make a change will be in the international role post-Brexit because of course, the commissioner will no longer be a member of the EDP, isn’t a member of the European Data Protection Board now. But equally, there is a huge growth internationally in data protection legal instruments. Some of them are based on GDPR, but not all are based on GDPR, and data protection has moved from being a kind of a European. I don’t know European issue, European focus to actually being a global issue and affecting huge numbers of countries, huge numbers of regulators. There is a kind of European sense that, you know, Europe carries the sacred flame of data protection, but I don’t think that that actually should continue to be the case. I think we somehow have to recognize that we live in a bigger world and that other approaches and other cultures. Actually, we need to pay more attention to them, it’s not just we don’t own data protection in Europe. And I think that the new commissioner will actually have a role there, potentially to help build those bridges, to help generate new thinking, to help establish a better global sense of data protection and and how it works internationally and not just in the blocks of this is the way APEC does it. This is the way Europe does it to move us towards a more consistent global role. So it can be a fantastic, interesting challenge. I think that side of it.
Anthony Brown: [00:18:04] Absolutely. And any any predictions for who you could see potentially coming on board to replace Liz Denham.
Rosemary Jay: [00:18:13] No, I don’t have, and I think they have tended to look outside the data protection community. Sometimes so Chris Graham, if you recall, Chris, came from a journalistic background from a different sort of background, and that can be very useful. It can bring a fresh pair of eyes. No, this is it’s Canadian and has brought a different perspective from an international view. So one never knows until the field is open. But if there’s anyone listening who thinks this could be the job for them, at some point it’s going to come up in the next 12 months.
Anthony Brown: [00:18:52] Absolutely. And it’ll be interesting to see, you know, perhaps with the, you know, the landscape of technology and everything. I mean, it was heading in the same direction anyway, but it’s only been fast forwarded, as we know in the last year since the pandemic began. It’ll be interesting if they’re actually going to go for somebody with, you know, a technology background as well or where tech meets privacy or, you know, that sort of angle. I think if it was me, I’d be thinking along those lines. I think it’s crucial to keep things in, you know, in that direction and have somebody take a helicopter view of, you know, all of that landscape. But we shall see. We shall see.
Rosemary Jay: [00:19:28] Actually, can I just pick up on that? Because that is a really interesting thought, though the first registrar on Eric Howe actually came from what was then the National Computing Centre and did bring that element to the party list. Liz came from a public sector civil service background. So we have seen as new commissioners have been appointed that actually at the time, different skill sets have been pulled in from different areas, and I think your point that says actually now maybe looking around those who are appointing say. We should perhaps look towards tech or we should look towards business, might well be might well be a good way of looking at it.
Anthony Brown: [00:20:19] Yeah, absolutely. And let’s face it as well, you know, with the power of the big, you know, tech companies, increasingly governments that we’re seeing in Australia at the moment and and you know, the sort of bodies like the ICO, you know, they’re going to have to be tough. They’re going to have to be strong, they’re going to have to be good at playing poker at times and all this sort of stuff. I mean, it’s just I mean, it’s it’s I’ve said before, it’s kind of great. Grab the popcorn time, isn’t it, because it’s all you’ve got Apple and Facebook facing off. Excuse the pun there. But you know, there’s all these sort of things going on and they’re all filtering in as well, of course, to only increase the general public’s awareness of privacy. So I think all of these things can only be a big thing, a good thing. Sorry, I think we’re seeing slowly but surely, particularly in the last 12 months, because of the tools and the communication platforms and the social media that people are using, that they’re becoming more and more privacy aware by the day. And therefore it can only be good for us all because businesses are becoming aware of this. And there’s all this, all these face offs in the press. So I was going to ask you Rosemary about the adequacy decision and what your sense or views were on how things are going to perhaps pan out this year with that. But actually, as we speak, as we record this podcast, there has been a bit of an update in the last 24 48 hours and it is looking like a decision. A draft decision is imminent. So, you know, what are your views on the adequacy piece?
Rosemary Jay: [00:22:02] Yeah, I’m assuming that everyone listening will know what we mean by adequacy. But should I just say that would be a decision by the European Commission, not by individual countries, but by the Commission for the whole of Europe? That data can flow freely from Europe into the UK, so it’s a Brexit issue, a bit like the border control issues. And to do that, they can make a decision that says yes, the law in the UK is adequate is equivalent to European. Well, technically, I think it should be regarded as such. We have implemented GDPR as ever. The UK has implemented it rigorously. I don’t think we’d gold plated it by any stretch of the imagination, but we are very conscientious about our work on it and the the issue has been being considered by Europe. So the way that it works is the commission issues a draft decision that says yay or nay. It’s adequate either for business or for law enforcement or for both. And then the European Data Protection Board gives a formal opinion on it. So that is a board composed of all the regulators in Europe and what’s happened, what we’ve heard on the. I think we got a political update. I think it was in the FT when you were noting that the draft decision is coming out of the commission this week, possibly today. And that will then go to the European Data Protection Board, who will give a formal opinion. And then the European Commission will take account of that opinion in reaching a final decision as to whether or not to grant adequacy. And we just have to wait now and see what the board, what the views of the board are. I would imagine there’ll be some reservations among some members of the board.
Rosemary Jay: [00:24:05] There is a kind of folklore sense in some European jurisdictions that the UK and Ireland as well don’t sort of do data protection properly. I mean, it is completely without foundation. The UK has the biggest regulator and incredibly active regulator. Ireland is a very conscientious regulator as well, but it has been a persistent sort of myth. I mean, I can remember this and very quickly. Years and years ago, I was actually still at the registrar’s office. A colleague and I went to Germany to visit the data protection authorities, because we were interested in how they enforced their regulations, how they enforce data protection over there. And we went to one I. Well, no, say which one it was, and we went in the meeting we were treated to at the beginning, a kind of half hour diatribe, I can only call it that about how much better German data protection was than than the UK the way the UK did it. Now it might just have been that individual, but we then said, Well, that’s all very interesting. We’re interested in how you enforce, and we got out our charts and tables of the enforcement, action and prosecutions and a sort of silence fell. And we said, you know, how do you enforce and really, they haven’t actually really done much enforcement now accepting it was early days and that was a small authority and perhaps being a bit unfair. But there is that kind of sense. So it is possible, I think, that, you know, there will be some, some negative response from the EDPB, but equally, it’s a big group and hopefully that will balance out and we’ll get a helpful opinion.
Anthony Brown: [00:26:04] Yeah, because we got till June. That’s correct. That was the sort of agreement. So so they’re making good time at the moment, aren’t they? Were February so good. And it can only be good news, of course, for, well, for all of us, really. But you know, certainly UK business and the, you know, sort of security or law enforcement bodies in the UK. So. As we know, and we’ve discussed this before, and because I loved hearing about your journey, Rosemary, and it’s fascinating talking to you and there’s only a handful of you, I kind of call you the originals, really. There’s, you know, I won’t name them, but there’s a few people that have been around for the period of time you have and have really been on this incredible journey. Now, obviously, over the last few years, we’ve we’ve seen that actually within privacy, there’s lots of new developing areas for perhaps lawyers or even or non-lawyers as well to specialize in. You know, it’s a real multi-functional area now, which is really exciting. Increasingly, you’re seeing, particularly in larger businesses, teams with a real spread of different specialists. I just wanted to sort of get your thoughts on if you’re talking now, and I’m sure there’ll be many of them listening, sort of trainee lawyers, junior privacy pros, the like. You know, they’re looking at the moment thinking this AI, the ethics piece, product counselling, you know, lots of different stuff to focus on. Is there a specific area you would be advising those individuals at the moment to really sort of focus their efforts on? Or would you would you be advising them to keep it broader?
Rosemary Jay: [00:27:50] I would advise to keep it broader once you are starting off, unless you already know that what you want is the big money or the glittering prizes, and you’re going to go for a, you know, Magic Circle law firm and you want to make partner within certain. If you if you kind of know that, then I think you probably need to just sit down and make the list and go for it. But lots of people, when they’re starting out, don’t have that sense. They’re looking for something that’s interesting, something that they’re good at, something that fits with their lifestyle. So I think you need to be open minded actually in your early years. I mean, I took my first job in data protection because I could get to the supermarket at lunchtime. You know, people are not always motivated by the glittering prizes kind of thing. And and what suits one person doesn’t suit another so the person who makes a good litigator might actually not be comfortable sitting doing contracts all day. The person who is happy drafting might not be happy with litigation. I like advising kind of at the cutting edge of stuff because I like that thinking something through from first principles and trying to work out how the rules apply to something new. But not everyone is comfortable with that. You know, a lot of people like like to sit in a more, you know, a place that they feel more solid. And so I’d suggest going for a wide range of experience and aiming to go to a firm where you can develop different skills and you can get a sense of. Where your particular interests lie and what is going to fit best with you, and I think they’re all those realistic things about, you know, do you want to work till eight o’clock every night or do you want to be able to go home? You know, and it’s a trade off. I think it’s very often a trade off about what suits you. So I would keep an open mind. I think the most important thing is work hard and work properly when you are going to do it properly.
Anthony Brown: [00:30:06] Yeah. Well, you’re obviously a case in point to anyone that you, I’m sure, had absolutely no idea when you joined the ICO in its previous name and form that you would have done what you’ve done over the last, you know, sort of a couple of decades, you know, I’m sure you’ve gone with it. No doubt you all those attributes you mentioned working hard and learning all the time, all that sort of stuff will stand people, obviously in good stead. And I think, you know, in my line of work, of course, you know, as a headhunter, I it’s quite rare that you’ll speak to, you know, a junior individual and that absolutely crystal clear about where they want to go. Quite often, if you do speak to those people you think you do think, Wow, you know, you’ve got a big future, you’re so clear you’ve you know, you’ve obviously been clear in your mind from probably a teenager. And you know, those individuals are going to have a, you know, super impressive career. But as you said, quite often they trade off facets of their personal life, their private life and all that sort of stuff. So it’s all horses for courses, isn’t it? At the end of the day, so. So final question for you, Rosemary, in your glittering career in privacy, what would you say ….. For anyone who can’t see Rosemary now, she’s kind of rolling her eyes at me because I’m embarrassing her now. But what would you say has been the most enjoyable, satisfying, exciting piece of work, perhaps that you’ve been involved in? You can pick any of those terms, I guess.
Rosemary Jay: [00:31:50] The one that I actually enjoyed most. And. It’s probably not the most significant, but when I was at Pinsents and I wasn’t a partner of for 20 years, I should say I was only partly for a few years, really. But one of the things that we did was we worked with a company called Video Arts, and we produced an e-learning program. It was actually FOI, but it was a series of little scenarios that the actors did. And then there were learning questions, and then there was the resource with that with guidance and it linked to the legislation. So we sort of designed it. But one of the things that I did was to help write these little scenarios. And I mean, I love writing. I don’t think you would ever, you know, write a textbook like that if you didn’t actually enjoy, you know, putting it together and explaining things and working them out. But I also like writing little stories kind of thing and and it was incredibly enjoyable. It was very different from anything else I’d ever done. I suppose we were working with a different group of people and it was, you know, separate from kind of legal advice. So if you said, what did I actually enjoy? Actually, I really enjoyed that. I mean, some of the most satisfying work has been advising on particular issues or some litigation when I was at the registrar’s office, but I’ll choose the enjoyable.
Anthony Brown: [00:33:19] Fantastic. And it just goes to show, doesn’t it? You know, the breadth of stuff you’ve worked on, and no doubt much of it particularly well. I was going to say particularly, but certainly in the last few years with the tech explosion, you know, it’s been cutting edge stuff. And outside of all of that, you’ve chosen something. And remember something from your career that actually gave you the most enjoyment. So I think that’s that’s a message or a lesson to anyone listening. You’ve got to enjoy your work. So, Rosemary, it’s been it’s been fascinating and a privilege to have you on the padcast. I do hope our listeners have enjoyed it and we’ll take stuff away with them. If you haven’t already do have a look for Rosemary’s book, I’m sure she’d be appreciative of you having a read. But anyway, thank you all. And Rosemary, it. Thank you so much again for your time. And of course, we will speak very soon. Take care for now.
Rosemary Jay: [00:34:23] Thank you very much
Anthony Brown: [00:34:24] Thanks very much. Bye now.
Rosemary Jay: [00:34:26] Bye bye.
