Last year, John Edwards was confirmed as Elizabeth Denham’s successor as head of the UK’s data protection authority, the ICO (Information Commissioner’s Office).
Edwards, who joins on a five-year term, spent the past eight years as the New Zealand Privacy Commissioner. He is widely thought to be taking on a tough position, with the UK facing an uncertain future following Brexit, COVID-19 and a potential shake-up of domestic data protection law.
But in his inaugural speech as Information Commissioner, Edwards vowed to meet those challenges head-on as he highlighted the way data protection law should work to benefit society.
“Privacy, and data protection, are not values and rules imposed upon an unwilling populace by some external force. They are not burdens to be shucked off. They are laws that represent deeply ingrained features of the UK culture and legal system,” he said.
He also assured the public that he would identify practical steps to tackle the myriad challenges that await organisations and individuals.
A time of change
Edwards began his speech by emphasising his short-term goals. “From the day my appointment was announced, people, politicians, journalists kept asking me what are your priorities? What are you going to do? What are you going to deliver in your first 100 days?
“I thought it was a bit presumptuous for me to arrive in a new country, a new system, a new jurisdiction and start issuing proclamations on what was broken and how I was going to fix it.
“So, as we say back home, I kicked it to touch, and said instead: ‘I’m going to listen’. And I launched the listening tour.”
Edwards says his ‘listening tour’ revealed Britons’ concern over regulatory and social upheaval. In 2017 and 2018, organisations and individuals had to grapple with the arrival of the GDPR (General Data Protection Regulation), then came Brexit and shortly afterwards the COVID-19 pandemic.
Just when these issues appeared to be subsiding, the UK Government proposed a shake-up of data protection law, which could jeopardise the UK’s adequacy status in regard to the GDPR.
“I know that you’re concerned about the transaction cost of a new law. Nervous that a new law may imperil adequacy or prompt regulatory diversion with our neighbours and trading partners. And, yes, worried that a new Commissioner might make your life more difficult,” Edwards said.
“In the face of this change, and uncertainty, my message this morning is intended to be one of reassurance.
“I want to reassure you that my focus is on bringing certainty in what the law requires of you and your organisations, and in how the regulator acts. And certainty too for people about what their rights are and what they can expect from their regulator.”
A culture of privacy
Edwards sought to reassure the public that he understood the value that the UK places on privacy regardless of its legal definition.
“Privacy protection did not arrive in the United Kingdom with the GDPR,” Edwards said. “Nor did it arrive with the 1995 European Directive, or with the International Covenant on Civil and Political Rights. It didn’t arrive with the Universal Declaration of Human Rights, and nor did it arrive with the Warren and Brandeis’s 1890 article in the Harvard Law Review.
“These concepts, that form the basis of our law, that you must have a lawful basis for rifling through my papers and information, that an individual is entitled to assert and exercise agency, and autonomy over his or her domain and personal affairs predate all of those.
“That deep legal and cultural commitment to protect fundamental rights informs what comes next for us in the UK. I see the opportunities for the UK to shape its own laws, and see a desire in Government to promote innovation.
“I understand the entirely sensible goal of enabling business and government to derive a digital dividend, and extract value from data.”
How will the ICO address complaints and fines?
One of the biggest criticisms of Elizabeth Denham’s reign as UK Information Commissioner was the body’s inconsistent enforcement action and its response to complaints.
This was partly a result of circumstances, with the introduction of the GDPR and the pandemic uprooting long-standing processes. Just as organisations across the globe struggled to keep business going during the pandemic, so too did the ICO.
But Edwards also acknowledged “those who fall foul of the law are always inclined to consider that the regulator’s actions were unpredictable”.
He underlined the importance of regulatory fines but conceded that they “are a slow way to find certainty.
“Each one takes a great deal of time and resource to put a single stake in the ground, and it takes so many of these stakes to mark out a perimeter that gives certainty on what the law says and how we will apply, interpret and enforce it.”
He added: “The view that I am coming to is that our significant enforcement efforts must be used with surgical and targeted application. A big fine must serve a broader purpose of bringing certainty to an issue or sector. And there must be certainty about why we have chosen to take action.”
Edwards implied that the ICO might look at alternative ways to handle regulatory infractions.
“I am struck by the assurance for positions offered by tax and revenue authorities around the world, which allow an organisation to say ‘if I take this approach, how will you treat it?’.
“They put their money down, they get an undertaking from the regulator, and they are then able to invest with confidence. Why can’t we do the same thing in privacy? You come to me and say ‘if we do this thing, how will you treat it?’.
“We offer a service with a similar principle in our sandbox programme, but I want to explore whether we can offer broader assurance advice.”
‘Certainty in an uncertain world’
Edwards closed his speech by discussing the public’s trust in the ICO. He said that he has been “buoyed by the positive feedback” he’s heard regarding the data protection body, and he highlighted the respect that the organisation’s team have received.
“I want you to see an ICO that brings you certainty in an uncertain world,” he added.
Of course, to do that, organisations must also do their part. To achieve certainty, business leaders must take on board best practice advice and manage their data protection challenges responsibly.
If you’re looking for advice on how to do that, DQM GRC is here to help.
Our green paper Reviewing Data Protection Policies and Procedures – Guidance for practitioners contains essential tips on how to maintain your regulatory compliance requirements.
This free guide is ideal for those who are tackling the GDPR and need guidance on how to conduct periodic reviews of data protection policies and procedures.