What can organisations expect from the appointment? How worried should Big Tech be?

The key takeaway

John Edwards, the UK’s newly appointed Information Commissioner, commenced his five-year term on 4 January 2022. Some commentators have painted him as anti Big Tech, but equally Edwards has emphasised how “fair and impartial” he intends to be. Against this background, it will be interesting to see where he lands, especially given his comment on starting the role that: “Privacy is a right not a privilege. In a world where our personal data can drive everything from the healthcare we receive, to the job opportunities we see, we all deserve to have our data treated with respect”.

The background

Prior to his appointment, Edwards was New Zealand’s Privacy Commissioner for more than seven years, and before that a solicitor and barrister specialising in information law, holding roles such as policy adviser to the New Zealand Prime Minister and Cabinet in respect of Freedom of Information. In addition, he also chaired the International Conference of Data Protection and Privacy Commissioners (now the Global Privacy Assembly).

The development

Regulation of Big Tech

Edwards replaces Elizabeth Denham who led the growth of the ICO, doubling its headcount during her twice-extended term, in order to implement and enforce the GDPR and meet the increasing demand to further regulate the ever-evolving area of data protection law. Denham was proactive in reigning in Big Tech; most recently with the introduction of the Children’s Code, which led to sweeping changes by social media platforms. Under Edwards, a previous member of the OECD’s Informal Group of Experts on Children in the Digital Environment, the ICO will continue to prioritise its work to protect children online via the introduction of the Online Safety Bill as well as the continued enforcement of the Children’s Code.

Further, due to his reputation as a critic of Big Tech it is anticipated that Edwards will take, in line with the government’s current attitude, a particularly firm approach towards the regulation of Big Tech. Nonetheless, during his pre-appointment hearing with the DCMS Committee, Edwards emphasised that, despite his personal opinions, every organisation that is subject to the ICO’s jurisdiction could expect a “fair and impartial inquiry” under his leadership, without “predetermination or bias”.

The balancing game

Edwards joins the ICO at a busy time; future work includes implementing the draft model international data transfer agreement, as well as overseeing the Freedom of Information Act, which he welcomes as an opportunity to increase transparency so that users understand and trust the decisions made on their behalf. The ICO will also engage with the UK government on their recent “business-friendly” proposals to the Data Protection Act. At the same time, both the impact of the proposals and the risk of revocation of the EU’s adequacy finding for data transfers to the UK (based on current UK data protection laws) will need to be considered carefully. Edwards has experience of achieving this balance with his recent success in implementing the Data Privacy Act 2020 in New Zealand, and the granting of adequacy by satisfying the high threshold required by the EU.

In a blog post and recent interview, Edwards highlights the need for proportionality – to achieve this, he will work closely with data processors to ensure that the privacy of individuals is protected (including easy access to remedies “when things go wrong”) whilst still “reaping the benefits of data-driven innovation”. The ICO will put an end to “regulations for regulation’s sake”, and the “drag” on growth due to an era of the EU’s GDPR regime, by lightening the regulatory burden on businesses albeit maintaining a very high and robust level of data protection.

Why is this important?

Despite the new Information Commissioner’s reputation as a critic of Big Tech in New Zealand, he has emphasised a pragmatic approach to regulation since his appointment; in particular, only asking businesses to take compliance steps when there is a “concomitant benefit” for citizens and consumers. This shows the ICO’s efforts to harmonise the protection of personal data and the innovation and economic growth of organisations. The new approach will become clearer in the next few months as the ICO moves forward under fresh leadership.

Any practical tips?

Keep a close eye on any new guidance published by the (new) ICO, as this should give an early indication of which way the regulatory wind is blowing, and how strongly against Big Tech.