Bill Mew: The Data Privacy View from the U.K.
"Brexit is a massive distraction for the government here in the UK."
Welcome to the Masters of Data podcast where we talk to the people in the front lines of the data revolution about how data affects our businesses and our lives.
In two other episodes when we touched on the European general data protection regulation, (GDPR) we talked to two Americans. When I took a trip to Europe, it seemed like the obvious thing to do was to try to find a European and see how they think about it. I found the right guy.
Bill Mew is the founder and owner of Mew Era Consulting and a Cloud Strategist at UKCloud. He is in the middle of the data privacy discussion, both for GDPR, as well as for Brexit, where Britain is leaving the European Union. Turns out, Brexit means a lot for data privacy.
Listening to Bill is like taking a rapid course in data privacy. Bill met me in a little conference room in Moorgate, London, England. Let’s dig in.
Bill Mew’s Journey Into Data Privacy
I appreciate you taking the time. One of the first things I usually ask when people come on this podcast is what’s your journey? How did you get to where you are? What’s your background?
Well, it’s been a fairly random path. I started out as a weapons engineering officer in the Royal Navy. I dealt with missile guidance systems, but I was pensioned out. I was very ill and had to go and find something useful to do. I stayed in the high-tech environment doing a lot of PR and marketing. I ended up spending 16 years at IBM. You may have heard of them?
A couple times.
I rose to be the global head of the financial services sector and corporate communications for IBM. I was the only person in IBM’s 100-year history to lead a sector globally from outside the US. I did it from here in London, steering their largest sector, a 26-billion-dollar-business, which is the big gorilla within the fintech environment.
People make a big deal around fintech, but the business IBM does in that arena is still the largest by some margin. I helped steer them through the financial crisis, which was an interesting year or two of being on the bridge at the time.
I left IBM and did some work for some real cloud specialists, like Compare the Cloud, working as an analyst and journalist, and then I took on a role at UK Cloud, who are the main champions in the UK for cloud technology in the public sector.
I’m trying to transform the way that the government provides services to the public, in order to digitize and to provide truly digital services hosted in the cloud. This means everything from the way that you apply for your driving license to your tax returns. I want to change everything that you could do in order to make the experience better and to improve the efficiency and actually deliver services that are better for less.
The UK’s Technological Ranking
When you say that you reminded me of a couple of conversations I’ve had before. I did consulting for the U.S. government for a long time and found that US government is not always ahead of the technology. A lot of what I’ve heard is actually the UK government is more technologically forward than I would have thought. Is that right?
The UK has taken a big stride in that direction. Francis Maude became cabinet secretary at the time of the coalition government. They desperately needed to save money at that particular time. They latched onto technology as a possible means of doing that. They adopted a cloud-first model and they created the government digital service. This was pioneering in its time. This was the time that UK Cloud was established, and it was there in the right place at the right time and capitalized on that opportunity.
Indeed, only recently, the United Nations did a ranking of various different governments and the UK was deemed to be the number one digital government in the world.
A lot of the work is done in this arena. However, I would argue that some of that progress has stalled more recently. You could say that the government’s focus was on something called Brexit, which I’m sure we’ll come back to talk about.
But, without joking, it is a massive distraction for the government here in the UK. There’s a big argument about whether some of the momentum around digital enablement and digital transformation has actually been lost.
That makes a lot of sense and I definitely want to come back to that.
What GDPR Looks Like
When you and I were talking before, we had a couple of conversations about GDPR. Now we’re after the date and it’s live, what’s your perception of how it’s going and what you’re seeing?
We’ve been preparing for a very long time. There are some people who had a little bit of a shock that suddenly GDPR appeared out of nowhere. Actually, it’s been coming for a very long time and most organizations have been putting a lot of work into preparing.
There was a privacy campaigner called Max Schrems who was behind the original challenge against Facebook on the privacy grounds that brought Safe Harbour to an end and that had to be replaced by Privacy Shield. Max is still very active in this arena and one of the things he was trying to do at the end of last year was to Crowdfund a new NGO called None Of Your Business.
Which you surprised me with before.
I’m not saying “it’s none of your business,” that is the name of the organization. We wanted to get this organization off the ground because there are DPAs or regulators in all different European countries, and in the UK that is the Information Commissioner’s office. But those organizations have limited resources and a limited focus. They’re going to focus on the major transgressions and policy in the different countries, but they’re not massively resourced.
If you want to have someone to champion the rights of the individuals in the country and possibly challenge the way that some of the technology giants are behaving, you need a slightly different approach and you need some Pan-European class action organization to take cases forward.
We brought None Of Your Business together to try and hold the major global organizations to account. One of the first legal challenges following the introduction of GDPR was by None Of Your Business and Max in the organization, trying to bring a case forward against Facebook and Google.
Back in December of last year, they were struggling to get the Crowdfunding off the ground, so I stepped in and helped Max with a big Twitter storm and some publicity. Thankfully, we got the thing funded and it’s now off the ground. Hopefully, the business model that it has, of supporting various different legal challenges and being self-funding, will enable it to represent individuals across Europe for generations to come.
When I hear you explain it, Bill, would it be odd for me to think that it sounds a little bit like civil rights type of organization, like a non-profit?
We have a lot of interests in common with the ACLU or the EFF. In fact, they have common topics or campaigns that they would lead. But, we’re specifically focused on Europe and on privacy. It doesn’t mean that there aren’t other organizations that we collaborate with.
This is a broader topic than just that type of campaigning, because obviously there are many implications for data sharing, and it’s not just personal data. There’s all sorts of data that share and there’s all sorts of delegations under GDPR where there are exceptions.
You have journalists who have an exception, so they’re allowed to report the news without being asked to take it down because you don’t want it to appear. You can’t challenge security services and ask them to expunge your criminal record or take you off a watch list, otherwise, that would make life very easy for the people who are a threat out there. So, there are very sensible derogations across GDPR. It’s understanding that this is here for very sensible reasons. It is here to protect our privacy.
Tim Cook of Apple has recently come out and said, “Privacy is a fundamental human right,” and that’s the way it’s viewed here in Europe.
“Privacy is a fundamental human right.” -Tim Cook
There’s a slightly different perspective in the US, where the authorities have a slightly greater emphasis on surveillance and security than they do on privacy.
In the first week of its formation, there was a presidential order saying that the regulations in the US for privacy applied only to US citizens and not to anyone, like, the Europeans, which is somewhat at odds with our perspective.
I’ve spoken about the possible implications that would have had on the very delicate relationship called Privacy Shield, which protects data sharing between Europe and America. The CLOUD Act that has possibly taken things one step further.
Brexit and Privacy Shield
On one of the previous podcasts, I talked with George Gerchow, our CSO over at Sumo Logic. One of the things he said was that he had a feeling that at some point we were going to have an international organization to deal with this. It seems to be getting at what you’re saying. You can’t just consider data in one country. It bleeds across the world with global trade, right?
Possibly a good way of exemplifying this is to focus on Brexit and the challenges that we have here in the UK. Brexit is a very complex issue and a lot of the news headlines have been around what’s going to happen at the border, especially the border between Northern Ireland and Southern Ireland, in terms of goods. But, only a certain amount of our trade is in goods. There’s a lot of trade in services. There’s a lot of digital trade, as well. In terms of the way we trade, every single transaction typically involves goods of some sort, product services or whatever going in one direction, payment going in the other direction, unless it’s free. Nothing is really for free. You need a certain amount of data going in both directions.
You need common standards. It’s the data element in that which is critical here because the UK wants to establish itself as a trusted nation because we have very highly respected laws. We have very highly respected adherence to our laws, in terms of conduct. Therefore, in many people’s eyes, the UK is a trusted nation and we want to establish ourselves in the post-Brexit era as a trusted place for data to be held.
In order for that to be correct, we need to have the right data sharing relationship with Europe and we need to have the right data sharing relationship with America. Many people have criticized Privacy Shield, the existing relationship that covers data sharing between Europe and America.
There have been a number of moves in the US, typically, around the earlier executive order I mentioned, and also the Cloud Act, which actually is a step that the US made unilaterally, which in many ways contradicts the provisions of equality that are outlined in Privacy Shield.
Where did the Privacy Shield come from? Is that something that was agreed to?
Privacy Shield came out of the ashes of Safe Harbour. It was hurriedly negotiated and was agreed to by both Europe and America, to allow us to share data and to keep it. When Safe Harbour, it’s predecessor, fell apart, trade didn’t grind to a halt overnight. There weren’t the adequate provisions for regulatory and legal protection for data sharing. You need to have those.
There are numerous concerns by many privacy organizations that quite a few of the provisions under Privacy Shield have been undermined. There should be an ombudsman in the US, which hasn’t been appointed. There should have been a number of means of redress which are found to be wanting. There should be the right judicial oversight and there shouldn’t be the sort of unilateral extraterritorial reach that the Cloud Act enforces.
Therefore, Europe needs to reassess Privacy Shield at certain intervals. There were a number of criticisms made at the last assessment. I believe there will probably be more to come. There are some challenges by the privacy campaigners such as Max and others against Privacy Shield, which means it’s future is in doubt.
Where do you see that going? What’s your prediction for how this is going to work out?
I’m not sure that I would have a great deal of confidence in the longevity of Privacy Shield. There is, unfortunately, a miss-match in the cultural attitudes in Europe and America, which has been exemplified by GDPR. GDPR in Europe has been brought into force because we see privacy as a human right. In America, there was a different orientation and, as I said, there’s a slightly greater emphasis on security and surveillance.
There are people like the ACLU and EFF, challenging that all the way. But that is a very different environment. To have the alignment that you need to make Privacy Shield work, and with the current administration not really putting any weight behind the enforcement, I don’t think it is sustainable. If you look a little bit closer to home between Europe and the UK, UK has some really difficult negotiations ahead of it, just on the product and services front.
They haven’t even started talking about data sharing yet. The UK has chosen, for a very sensible reason, to be GDPR compliant, in order to smooth the flow of data with Europe. But, in the UK, we also have another law, what we call the Snoopers’ Charter, which has been found wanting.
I love that name, by the way.
Well, it’s the nickname for it. It’s the Regulation of Investigatory Powers Act, but it’s nicknamed the Snoopers’ Charter and it is seen in that way by many privacy activists. It has been criticized by the European courts and also by the UK courts, who feel that the judicial oversight is not sufficient.
What does that allow to happen, permit the government to do surveillance?
It means that telecom providers, internet service providers, need to keep a record and track all traffic. Those records can be accessed by the police who need to do investigations. You need a level of judicial oversight to make sure that that’s not used willy-nilly and that it’s only used where there is a merit in its use and where there’s some judicial oversight to ensure this is just for a serious crime.
Is that similar to the FISA in the US?
FISA is a far more exacting and severe and secretive arrangement, but there are some parallels. So, what we need to do is to ensure that some of the European concerns around the Snoopers’ Charter aren’t used against us in the negotiations, that we’re able to have a successful conclusion to that and that we’re able to share data with Europe. That would give us a reasonable position post-Brexit with our European colleagues, and we need to reexamine Privacy Shield. The courts may do that for us and that may fall apart. And then, we need to reexamine where things are going.
You talk about the need for an international regulator. We’re rapidly having an international de facto standard here because GDPR has come into force and if global companies want to trade in Europe, they have to be GDPR compliant. That means that most global organizations have found themselves moving in that direction anyway, and GDPR is rapidly becoming an almost de facto standard.
Many organizations, such as Facebook, Apple, and Microsoft have decided that they are going to look at GDPR as a standard not only for what we do in Europe but worldwide. Therefore, we may see GDPR becoming a global standard, by default. It’s very much the way that Europe is leading a lot of the privacy debate here because there’s not so much concern or not so much emphasis put on the US, which is shown by the lack of an ombudsman in place to oversee the Privacy Shield.
We may see GDPR becoming the global standard for security by default.
The Future of Data Privacy
Coming from a US perspective, it seems like there’s been a change in attitudes. It seems like political attitudes are changing, because in the US with the stuff happening with Facebook, with the elections, and with hackers allegedly influencing the election, it seems like there’s more of an awareness.
In Europe, there was always a slightly different orientation. We’ve always had the European Charter of Human Rights and a greater emphasis on privacy on this side of the Atlantic. GDPR has been in train for some time now. But, I think it was the Cambridge Analytica and the Facebook debacle that actually brought that front of mind for much of the public because I don’t think the public had really considered it in great detail.
Actually, we’ve seen that the awareness around privacy has risen considerably and companies that are lax or possibly unethical in their approach are going to be found not only wanting by the regulators in the different countries and face fines, but I think they’re going to be punished severely by their customers.
I agree, and I think you’ve started to see elements of that. There also seems to be also a generational thing going on here. Maybe the younger generation, particularly millennials, have always had a phone in their hand.
They’ve been connected as data. They’re actually, potentially, more privacy-aware than those of us who were here before the internet. I only met the internet in college and then I didn’t particularly like it. I printed things out. That’s how I started.
I think there’s a danger in being too generalistic about the generational thing because in some ways the older generation, who were around in the second world war, were careful about they said because people might be listening.
Well, maybe that’s part of the difference between Europe and the US.
Maybe, but and then there have been generations that went through the 1960’s civil movement and then you have the current generation who are more technology savvy. I don’t actually think that attitudes have changed enormously, though you can spot some trends that are slightly generational.
One of the big things is that the current generation is much more tech savvy. If my father wants to change his privacy settings, he probably won’t do it himself. He will probably ask me to help him out, whereas my kids wouldn’t ask me to help them. They’d do it by themselves.
So, it’s an awareness and an ability perspective.
Partly it’s awareness. The younger generation shares a lot more how aware and how conscious they are of what they share. It varies enormously, so I don’t think we can generalize it.
That does make a lot of sense. So, going forward, you’re in the middle of this. Where are you going to be focused?
From our perspective, we wanted to support the UK government in achieving what it wants to do. We want to help them provide better services for less to the general public here in the UK, whether they are patients, citizens wanting to access services, or those concerned about defense and their security.
There is a whole realm of different services that the government provides which are data reliant. If we can improve the efficiency of those and actually improve the delivery of the service, then we will have achieved a lot.
Then, there’s the Brexit headache that we’re going to face. We don’t yet know how that’s going to play out, but we need to actually be quite sophisticated and quite nimble in the way that we are technologically enabled to cope with Brexit. There is the brave new world beyond Brexit where we need to be perceived internationally as a safe destination for data. We need to have the right data sharing agreements in place with Europe and the US. We need to ensure that we’re protecting a thriving digital industry here in the UK ourselves.
Traditionally, the UK has been one of the real hubs for the digital and the media industries in Europe. We don’t want to lose that leadership position. Many in Europe are envious of our position in those realms and want to put up some barriers to digital services from the UK. We need seek to overcome that in order to protect our industries. We also need to be concerned about protecting the skills and the young start-ups in the UK that are going to be the foundation for that technology going forward.
Here in the UK, the government has something called G-Cloud, which provides a framework to allow smaller companies to compete with larger ones on a level playing field, to offer services to the government. UK Cloud was one of the great examples of a success story there. It’s a relatively small company with 200-odd employees but has captured an enormous share of the market for cloud-based services for the government against global competitors like Google and Microsoft and Amazon. That’s partly by being nimble and partnering with those organizations where it counts.
UK Cloud has recently started offering an Azure stack because we saw demand for that type of environment. So, it’s not a head-on competition with those global organizations, but it’s working with them and working with the best array of technologies to provide a multi-cloud environment with a VMware Cloud, Microsoft Cloud, Oracle Cloud, Cloud native environments, Kubernetes type environments for container management, the whole spectrum, but in a super secure environment because we’re providing services for the UK government and really sensitive data.
It’s people’s health records. It’s people’s tax records. It’s people’s criminal records. The really sensitive data that not only needs to be compliant with GDPR, but needs to be super secure because it really matters.
You’ve got your work cut out for you.
It’s enough to keep me busy for now.
Well, I appreciate you taking the time to come on, Bill. It’s been a pleasure. Thank you.