Featured Article: New ICO Head and Data Protection Law Reforms
Data Protection Reforms
Since Brexit, the UK government has been seeking to reform data protection regulations in the UK in a way that it says will cut down on what Digital Secretary Oliver Dowden has been quoted describing as the “needless bureaucracy” of the current system of data protection and data transfer between countries. The Government message is that the appointment of a new ICO who could “go beyond the regulator’s traditional role” would be a way to reform regulations and make new data adequacy agreements with other countries that would reduce barriers to data transfer, help data (and more trade) to flow more freely, and improve innovation and economic growth. The government has been keen to stress that despite (and perhaps to facilitate) these planned changes, the new regulator will have a “light touch”, but data will still be protected.
It appears that cookie pop-ups have been used by the UK government as an example and as part of the justification for wanting to make changes to data protection laws. Digital Secretary Oliver Dowden has argued in recent media reports that the requirement for the kind of cookie pop-ups that are present on most large sites, asking for permission to store a user’s personal information, are a visible example of the kind of needless bureaucracy at work that could be avoided with a change to data regulations.
What Is Data Adequacy?
Data Adequacy partnerships are agreements that protections are in place and are similar in two countries, thereby allowing the safe sending of people’s personal data internationally. Having a data adequacy partnership in place was part of the negotiations with the EU for Brexit.
For post-Brexit UK, heralded by the impending appointment of John Edwards as the new ICO, the UK government is now keen to make new, more frictionless data adequacy partnership agreements with the EU and many different countries which the UK wants to trade with.
Critics of the UK government’s post-Brexit push to reform data protection regulations with new data adequacy partnerships are worried that this could weaken the UK GDPR and lead to the personal and private data of UK citizens being put at risk of being taken and shared.
Privacy advocates have also been sceptical as to whether it is realistic and possible for the UK government to give UK citizens and consumers more control over how their data is used on the one hand, while also giving businesses (and the government) greater freedoms to use that data through new agreements.
EU and GDPR
It was only in June this year that the UK government managed to achieve a data adequacy agreement with the EU, and any more proposed changes to that agreement now by the UK may be difficult to negotiate.
Who Is John Edwards?
John Edwards, the person named to succeed the current Information Commissioner (data protection regulator) Elizabeth Denham, is currently New Zealand’s Privacy Commissioner and head of its Office of the Privacy Commissioner (OPC), where he has been in the job for more than 7 years. Prior to his work with the OPC, he was a self-employed barrister and solicitor focusing on information and privacy law, and Chair of the Global Privacy Assembly from 2014-17.
In addition to his obvious legal background and experience, he is also known for overseeing New Zealand’s adequacy status with the EU, which is one of the reasons why he is favoured for the UK job.
Mr Edwards is also known for his apparent dislike for Facebook. In April 2019 for example, after Facebook appeared to not accept any responsibility for the Christchurch massacre (mosque shootings) where one shooter described YouTube to be “a significant source of information and inspiration”, Mr Edwards was quoted from his Twitter account in the Guardian as saying, “Facebook cannot be trusted” and that the company were “morally bankrupt pathological liars”. He was also quoted as saying of Facebook that they “allow the live streaming of suicides, rapes, and murders, continue to host and publish the mosque attack video, allow advertisers to target ‘Jew haters’ and other hateful market segments, and refuse to accept any responsibility for any content or harm”.
Recently, Mr Edwards has indicated on his Twitter account that he doesn’t hate Facebook.
Why Is This Relevant?
The relevance of a possible Facebook-hater as the ICO is that he would be responsible for imposing fines for breaches of the UK Data Protection Act 2018 and the Privacy in Electronic Communications Regulations (PECRs) and would have an influence over the UK government’s Online Safety Bill. This Bill is designed to establish a new regulatory framework to tackle harmful content online and would, therefore, potentially affect Facebook as a major content hosting platform.
Is An Overseas Regulator A Problem?
Some critics have highlighted the fact that the current UK ICO, Elizabeth Denham, who has been criticised for not enforcing data protection laws well enough, has been working from home in Canada throughout most of the pandemic, and the UK now looks set to appoint another ICO from overseas where there is a different data protection regime.
What Does This Mean For Your Business?
If the government’s argument is to be accepted, changing data protection laws to help data transfers between different countries and the UK could unlock more trade and benefits for British businesses. If the argument of some data privacy/security advocates is to be accepted, new data laws could mean that our personal data is more at risk and that the government is proposing a balancing act that may not be possible to realistically achieve. For Facebook and other social media companies, the appointment of John Edwards as the new ICO may give them cause for concern given his previous comments about Facebook, and his soon-to-be power over the imposition of penalties and the possible impact of the development of the UK’s Online Safety Bill.