The new Information Commissioner – what this means for UK data
The following article appeared in ABTA's issue of Travel Law Today - Spring 2022.
On 4 January 2022, John Edwards took up post as head of the UK’s Information Commissioner’s Office (ICO), the UK’s independent regulator for data protection and information rights law. Taking over from his well-regarded predecessor, Elizabeth Denham, he has started a five-year term leading the organisation.
Edwards hails from New Zealand and has a background as a solicitor and barrister, including time as a policy adviser to the New Zealand government on freedom of information issues, as well as eight years as New Zealand Privacy Commissioner, during which time he chaired the International Conference on Data Protection and Privacy Commissioners. His perspective is, “Privacy is a right, not a privilege” and he has stated, “In a world where our personal data can drive everything from the healthcare we receive to the job opportunities we see, we all deserve to have our data treated with respect.”
Edwards oversaw a major overhaul of New Zealand’s data privacy laws with the introduction of the Privacy Act 2020. However, that legislation only gave him the power to levy NZ$10k penalties when he had been pushing for penalties of up to NZ$1m. The UK’s Information Commissioner can, by contrast, issue fines of up to £17.5m or four percent of global turnover, whichever is the higher. Whilst it may have taken a change of jurisdiction, it appears Edwards now has access to the significant fining powers he was hoping for.
Edwards has spent the majority of his first 100 days in office on a listening tour, engaging with organisations, businesses and individuals throughout the UK about their interactions and experiences with the ICO. He gave his first major public speech as the UK Information Commissioner at the IAPP Data Protection Intensive in London on 23 March 2022, in which he spoke about his perspective on data protection issues.
He stated that he had been “buoyed by the positive feedback” regarding trust in the ICO and appreciation for its willingness to engage, and for the expertise of its staff. He wants to see an ICO that is quick to act, agile, curious and capable of bringing “certainty to an uncertain world.”
New reforms and data adequacy
Edwards is jumping in at the deep end of information rights in the UK, as the ICO will be active in engaging with the UK Government on proposed reforms to the Data Protection Act 2018 now that Brexit has taken place and the UK is no longer strictly tied to the EU’s current data protection regime (GDPR) even if it is currently mirroring it. Amongst many other issues, he will also be dealing with criticism resulting from the introduction of the ICO’s Age Appropriate Design Code, a statutory code of practice setting out standards for products and services accessible to minors, developed by his predecessor.
The UK Government ran a consultation last autumn titled “Data: A new direction” that discussed various proposals for reform. These included introducing a cost limit for data subject access requests, a modified approach to accountability obligations to allow greater flexibility, raising the threshold for data breach reporting to the ICO, and reforms to the requirements for international data transfers.
In addition, the consultation paper considered reforms to e-privacy law including a partial relaxation of the rules around cookie consents, such as the introduction of an exception for analytics cookies, which would no doubt be welcomed by many. However, the proposed introduction of increased fines for breaches of the Privacy and Electronic Communications Regulations 2003, which set out the rules on cookies and marketing via e-mail, telephone and SMS, amongst other requirements, would clearly be a source of apprehension for a lot of businesses. This would increase the ICO’s fining powers from a maximum of £500k to match the much higher maximum fines available under the GDPR mentioned earlier in this article (£17.5m or four percent of global turnover, whichever is the higher).
Responses are currently being analysed and the outcome of the consultation should be announced later in 2022.
Edwards urges that the proposed reforms not be seen as radical, and has suggested that they will not place any burdens, besides the costs naturally associated with change, on UK businesses. In fact, he frames the reforms as holding a “clear intention to reduce regulatory burdens, in order to create a streamlined law that more effectively protects people’s rights”. He has said that once Parliament has decided on the appropriate regulation, the ICO will devote itself to ensuring that the transition to any new laws is seamless and as painless as possible.
But UK businesses aren’t the only audience Edwards needs to satisfy. In June last year, the EU formally recognised the UK’s data protection standards as adequate to permit the flow of personal data from the EU to the UK without further protections being needed. This was a crucial, though not unexpected, decision, given the UK’s current mirroring of the EU’s approach via adoption of the “UK GDPR” following Brexit. Concerns have arisen, however, over whether that adequacy decision could be at risk in future in light of the proposed data protection reforms, which would be introduced during Edwards’ tenure as Commissioner.
Clearly, Edwards will need to work to balance the UK’s potential divergence from the EU GDPR in some respects with ensuring that the UK’s data laws are sufficiently robust for EU countries and others around the world to trust a free flow of data across borders. No doubt this will be one of numerous challenges he will face over the next five years at the head of one of the UK’s most topical regulators.
Mark Smith, Purdy Smith – Founder and CEO