Britain’s new Information Commissioner, John Edwards, who started work today, takes up the post at a time when the nation’s data regulations stand at a crossroads. Edwards has a reputation as a staunch critic of Big Tech, but businesses may be more interested in his stance on GDPR, as the UK government has suggested that forthcoming data rules may diverge from the EU data protection regime.
Edwards succeeds Elizabeth Denham, whose term as Information Commissioner ended last year. The New Zealander is a barrister by background, and leaves the position of New Zealand Privacy Commissioner, which he had held for eight years, to take up his new role. He had previously worked as a policy adviser to the New Zealand government.
“Privacy is a right not a privilege,” said Edwards on his appointment. “My role is to work with those to whom we entrust our data so they are able to respect our privacy with ease whilst still reaping the benefits of data-driven innovation. I also want to empower people to understand and influence how they want their data to be used, and to make it easy for people to access remedies if things go wrong.”
How will John Edwards differ from his predecessor?
Denham, who had been in post since 2016, achieved mixed results in her time in ICO, says Jonathan Kirsop, partner at law firm Pinsent Masons. He says Denham was seen by some as more keen on “chasing headlines than applying effective regulation,” and points to the ICO‘s patchy enforcement record under her leadership. Indeed, large fines handed out to British Airways and Marriott Hotels for data breaches were subsequently scaled back significantly, from £183m to £20m for BA, and £99m to £18.3m for Marriott, on appeal.
“There were a number of successes in the Denham regime, and the standard of guidance and consultative documents has greatly improved, such as the data-sharing code and the recent consultation on international transfers,” Kirsop says. “But many will hope John Edwards will return to a more consistent and proportionate enforcement regime and focus on issues of concern to individuals while applying the pragmatism and consultative approach that the ICO has long been known for.”
In New Zealand, Edwards garnered a reputation as a staunch critic of Big Tech. He labelled Facebook “morally bankrupt pathological liars who enable genocide” in tweets following the attack on a Christchurch mosque in 2019, which saw 51 people killed. Footage of the attack was streamed live on Facebook.
Edwards subsequently deleted the tweets, and Kirsop believes he is unlikely to take a strong line on Facebook and its rivals in his new role, given the government’s ambition to make post-Brexit Britain a global tech hub. “As a UK government appointment, at a time when it is consulting on potential reforms to data protection law to support technology and innovation, it would seem unlikely he will act in a way which is seen as too restrictive or punitive to the technology sector,” Kirsop says. “That said, he does not appear likely to be a government ‘puppet’, with a strong legal background before his experience as a regulator and a track record of standing up for privacy rights.”
John Edwards’ GDPR challenge
Indeed, Britain’s data protection law reforms are likely to be a key item on Edwards’ to-do list. As reported by Tech Monitor, the government is looking to move away from GDPR, the European standard for data protection, to what it believes will be a more agile regime. Proponents of the change, including chancellor Rishi Sunak, believe the UK can set its own data laws without endangering the data adequacy agreement it has with the European Union, which allows data to flow between companies in the UK and EU. If the EU feels the UK government plans do not protect the data of its citizens sufficiently, then the adequacy agreement could be revoked.
“Edwards’ success will lie in finding the right balance between the UK’s desire to become a more business-friendly and data-driven innovative economy whilst maintaining the legacy high water mark of EU legislation,” says Daniel Jones, associate at Taylor Vinters law firm. “His first test will be to find the right line with the UK’s approach to international transfers including the updating of the standard contractual clauses and the potential risk of losing the UK’s adequacy decision which has largely been granted due to the mirroring of the GDPR.”
Kirsop agrees. “While welcoming some of the proposals [around data law reform], many businesses will be keen to preserve adequacy and hope he will be robust in pushing back on anything which may threaten this,” he says.
One area of potential tension concerns how the UK allows personal data to be sent to other countries not within the EU, such as the USA, adds Paul Knight, a partner at law firm Mills & Reeve. “The UK needs to update the current approach, and the ICO consulted on this towards the end of 2021,” Knight says. “Plus we know the government is keen on global ‘data partnerships’ with the USA, Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre and Colombia.”
He adds: “UK businesses should look out for new data protection contract clauses and ‘transfer impact assessments’ being announced by the new Information Commissioner in the coming months for international transfers of personal data. But, given the position with the EU, these may not be radically different from what is in place at the moment.”