The U.K. government has named the person it wants to take over as its chief data protection watchdog, with sitting commissioner Elizabeth Denham overdue to vacate the post: The Department of Digital, Culture, Media and Sport (DCMS) today said its preferred replacement is New Zealand’s privacy commissioner, John Edwards.
Edwards, who has a legal background, has spent more than seven years heading up the Office of the Privacy Commissioner In New Zealand — in addition to other roles with public bodies in his home country.
He is perhaps best known to the wider world for his verbose Twitter presence and for taking a public dislike to Facebook: In the wake of the 2018 Cambridge Analytica data misuse scandal Edwards publicly announced that he was deleting his account with the social media company — accusing Facebook of not complying with the country’s privacy laws.
An anti-Big-Tech stance aligns with the U.K. government’s agenda to tame the tech giants as it works to bring in safety-focused legislation for digital platforms and reforms of competition rules that take account of platform power.
If confirmed in the role — the DCMS committee has to approve Edwards’ appointment; plus there’s a ceremonial nod needed from the Queen — he will be joining the regulatory body at a crucial moment as digital minister Oliver Dowden has signaled the beginnings of a planned divergence from the European Union’s data protection regime, post-Brexit, by Boris Johnson’s government.
Dial back the clock five years and prior digital minister, Matt Hancock, was defending the EU’s General Data Protection Regulation (GDPR) as a “decent piece of legislation” — and suggesting to parliament that there would be little room for the U.K. to diverge in data protection post-Brexit.
But Hancock is now out of government (aptly enough after a data leak showed him breaching social distancing rules by kissing his aide inside a government building), and the government mood music around data has changed key to something far more brash — with sitting digital minister Dowden framing unfettered (i.e., deregulated) data mining as “a great opportunity” for the post-Brexit U.K.
For months, now, ministers have been eyeing how to rework the U.K.’s current (legacy) EU-based data protection framework — to, essentially, reduce user rights in favor of soundbites heavy on claims of slashing “red tape” and turbocharging data-driven “innovation.” Of course the government isn’t saying the quiet part out loud; its press releases talk about using “the power of data to drive growth and create jobs while keeping high data protection standards.” But those standards are being reframed as a fig leaf to enable a new era of data capture and sharing by default.
Dowden has said that the emergency data sharing that was waived through during the pandemic — when the government used the pressing public health emergency to justify handing NHS data to a raft of tech giants — should be the “new normal” for a post-Brexit U.K. So, tl;dr, get used to living in a regulatory crisis.
A special task force, which was commissioned by the prime minister to investigate how the U.K. could reshape its data policies outside the EU, also issued a report this summer — in which it recommended scrapping some elements of the U.K.’s GDPR altogether — branding the regime “prescriptive and inflexible”; and advocating for changes to “free up data for innovation and in the public interest,” as it put it, including pushing for revisions related to AI and “growth sectors.”
The government is now preparing to reveal how it intends to act on its appetite to “reform” (read: reduce) domestic privacy standards — with proposals for overhauling the data protection regime incoming next month.
Speaking to the Telegraph for a paywalled article published yesterday, Dowden trailed one change that he said he wants to make which appears to target consent requirements — with the minister suggesting the government will remove the legal requirement to gain consent to, for example, track and profile website visitors — all the while framing it as a pro-consumer move; a way to do away with “endless” cookie banners.
Only cookies that pose a “high risk” to privacy would still require consent notices, per the report — whatever that means.
“There’s an awful lot of needless bureaucracy and box ticking and actually we should be looking at how we can focus on protecting people’s privacy but in as light a touch way as possible,” the digital minister also told the Telegraph.
The draft of this great British “light touch” data protection framework will emerge next month, so all the detail is still to be set out. But the overarching point is that the government intends to redefine U.K. citizens’ privacy rights, using meaningless soundbites — with Dowden touting a plan for “common sense” privacy rules — to cover up the fact that it intends to reduce the U.K.’s currently world-class privacy standards and replace them with worse protections for data.
If you live in the U.K., how much privacy and data protection you get will depend upon how much “innovation” ministers want to “turbocharge” today — so, yes, be afraid.
It will then fall to Edwards — once/if approved in post as head of the ICO — to nod any deregulation through in his capacity as the post-Brexit information commissioner.
We can speculate that the government hopes to slip through the devilish detail of how it will torch citizens’ privacy rights behind flashy, distraction rhetoric about “taking action against Big Tech.” But time will tell.
Data protection experts are already warning of a regulatory stooge.
The Telegraph suggests Edwards is seen by government as an ideal candidate to ensure the ICO takes a “more open and transparent and collaborative approach” in its future dealings with business.
In a particularly eyebrow-raising detail, the newspaper goes on to report that government is exploring the idea of requiring the ICO to carry out “economic impact assessments” — to, in the words of Dowden, ensure that “it understands what the cost is on business” before introducing new guidance or codes of practice.
All too soon, U.K. citizens may find that — in the “sunny post-Brexit uplands” — they are afforded exactly as much privacy as the market deems acceptable to give them. And that Brexit actually means watching your fundamental rights being traded away.
In a statement responding to Edwards’ nomination, Denham, the outgoing information commissioner, appeared to offer some lightly coded words of warning for government, writing [emphasis ours]: “Data-driven innovation stands to bring enormous benefits to the U.K. economy and to our society, but the digital opportunity before us today will only be realised where people continue to trust their data will be used fairly and transparently, both here in the U.K. and when shared overseas.”
The lurking iceberg for government is of course that if it wades in and rips up a carefully balanced, gold standard privacy regime on a soundbite-centric whim — replacing a pan-European standard with “anything goes” rules of its/the market’s choosing — it’s setting the U.K. up for a post-Brexit future of domestic data misuse scandals.
You only have to look at the dire parade of data breaches over in the U.S. to glimpse what’s coming down the pipe if data protection standards are allowed to slip. The government publicly bashing the private sector for adhering to lax standards it deregulated could soon be the new “get popcorn” moment for U.K. policy watchers.
U.K. citizens will surely soon learn of unfair and unethical uses of their data under the “light touch” data protection regime — i.e., when they read about it in the newspaper.
Such an approach will indeed be setting the country on a path where mistrust of digital services becomes the new normal. And that of course will be horrible for digital business over the longer run. But Dowden appears to lack even a surface understanding of internet basics.
The U.K. is also of course setting itself on a direct collision course with the EU if it goes ahead and lowers data protection standards.
This is because its current data adequacy deal with the bloc — which allows for EU citizens’ data to continue flowing freely to the U.K. — was granted only on the basis that the U.K. was, at the time it was inked, still aligned with the GDPR. So Dowden’s rush to rip up protections for people’s data presents a clear risk to the “significant safeguards” needed to maintain EU adequacy. Meaning the deal could topple.
Back in June, when the Commission signed off on the U.K.’s adequacy deal, it clearly warned that “if anything changes on the U.K. side, we will intervene.”
Add to that, the adequacy deal is also the first with a baked-in sunset clause — meaning it will automatically expire in four years. So even if the Commission avoids taking proactive action over slipping privacy standards in the U.K. there is a hard deadline — in 2025 — when the EU’s executive will be bound to look again in detail at exactly what Dowden and Co. have wrought. And it probably won’t be pretty.
The longer-term U.K. “plan” (if we can put it that way) appears to be to replace domestic economic reliance on EU data flows — by seeking out other jurisdictions that may be friendly to a privacy-light regime governing what can be done with people’s information.
Hence — also today — DCMS trumpeted an intention to secure what it billed as “new multibillion pound global data partnerships” — saying it will prioritize striking “data adequacy partnerships” with the U.S., Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre and Colombia.
Future partnerships with India, Brazil, Kenya and Indonesia will also be prioritized, it added — with the government department cheerfully glossing over the fact it’s U.K. citizens’ own privacy that is being de-prioritized here.
“Estimates suggest there is as much as £11 billion worth of trade that goes unrealised around the world due to barriers associated with data transfers,” DCMS writes in an ebullient press release.
As it stands, the EU is of course the U.K.’s largest trading partner. And statistics from the House of Commons library on the U.K.’s trade with the EU — which you won’t find cited in the DCMS release — underline quite how tiny this potential Brexit “data bonanza” is, given that U.K. exports to the EU stood at £294 billion in 2019 (43% of all U.K. exports).
So even the government’s “economic” case to water down citizens’ privacy rights looks to be puffed up with the same kind of misleadingly vacuous nonsense as ministers’ reframing of a post-Brexit U.K. as “Global Britain.”
Everyone hates cookie banners, sure, but that’s a case for strengthening not weakening people’s privacy — for making non-tracking the default setting online and outlawing manipulative dark patterns so that internet users don’t constantly have to affirm they want their information protected. Instead the U.K. may be poised to get rid of annoying cookie consent “friction” by allowing a free-for-all on citizens’ data.