Will the new Information Commissioner be able to fend off the critics?

July 2021

Another Commonwealth candidate – this time from New Zealand – has emerged as favourite to replace Elizabeth Denham when her tenure at the helm of the ICO ends this Autumn.

This marks a trend for Anglosphere figures winning top public appointments in the UK, including former Governor of the Bank of England, Mark Carney. Carney, like Denham, is Canadian.

John Edwards, currently New Zealand’s Privacy Commissioner, has reportedly been recommended to replace Denham, subject to approval from the Prime Minister. Edwards has so far declined to comment on his potential appointment.

Already dubbed as ‘Facebook-hating’ by ‘The Times’, Edwards has been a vocal critic of social media companies. He gave Facebook a fierce dressing-down after the Christchurch mosque massacre in 2019, which was livestreamed on the platform.

News that Edwards is tipped to be the next Commissioner seems to have been released following harsh criticism of Number 10’s handling of the appointment.

The Department of Culture, Media and Sport (DCMS) Committee was meant to start hearings to appoint a new commissioner on 8th July, but this was postponed twice.

Just last week, the DCMS Committee chairman, Julian Knight, commented: “We understand that despite processes running well, delays centre on Number 10. This mishandling calls into question decision-making at the top of Government.”

Denham’s replacement needs to be in place and ready to start work in November, so the clock’s ticking.

Data Sheriff, or Data Stooge?

The appointment process has been criticised from the start. The original job description, posted in February, didn’t even mention candidates should have experience in regulating data protection.

The advert also indicated the new Commissioner would need to play a ‘key role’ in supporting the rollout of the Government’s controversial National Data Strategy.

This led to fears the Government was seeking a malleable stooge rather than an honest broker. I think it’s fair to say these fears would appear to be unfounded if John Edwards is appointed.

Still, is it possible the bumpy appointment process damaged perceptions of the role? Is this why the Government has looked further afield yet again? Is there no senior talent in the UK who wants to take the job on?

ICO under fire

Regulators in any field occasionally find themselves in the position of upsetting everybody, especially in a high-value, high-impact area of business like data.

Denham has not been without her critics. The ICO stands accused of lacking teeth when it comes to dealing with data behemoths like Facebook and Google.

A quick glance at LinkedIn reveals no shortage of criticism by professionals, some suggesting the ICO, like other bodies (yes, we’re looking at you, HMRC), tends to go after ‘low-hanging fruit’. Is it more comfortable issuing fines for breaches of the marketing rules than for breaches of GDPR?

Conversely, the ICO also faces criticism it has failed to deliver on its bread-and-butter work. Should the regulator only focus on the big picture, or should they focus in on data protection compliance at company level?

It’s a difficult balance to get right.

Part of the problem may be the reactive nature of the ICO: it only appears to investigate when there’s a breach or a significant complaint. Should this change?

Earlier this year the ICO announced it was resuming its ad tech investigations (paused during the pandemic). Work is said to include ‘a series of audits focusing on data management platforms’. Does this represent a more proactive stance or not? We await the outcome.

Other DPAs in the EU would certainly appear to take a more proactive approach. For example, back in 2019 the Dutch DPA carried out an audit of approximately 175 websites in various sectors to check their compliance with the requirements for tracking cookies.

Meanwhile, the ICO has been credited with publishing a new Children’s Code, which comes into force in September. But how will this be enforced?

After all the hype of GDPR, businesses may have settled back into feeling no one will ever come after them.

To be fair to the ICO, the task was huge, even before the impact of a global pandemic. It’s common knowledge the backlog caseworkers face is substantial.

There are also claims the ICO is underfunded and under-resourced. However, a Deloitte report on Data Protection Authorities in 2019 showed the UK Regulator to be better funded than its EU counterparts.

It’s likely to also be significant that of the ICO’s 680 or so staff, only a tiny fraction are in the investigations team.

The challenge ahead for the next Commissioner

Data protection divergence?

Along with walking the tightrope of balancing resources, tackling the big issues whilst not ignoring the bread-and-butter, the new regulator will have to tiptoe through the minefield that is Brexit and alignment with the EU.

We’ve already heard more than murmurings about a desire, in some areas of Government, to ditch GDPR and create a more innovation-friendly data protection environment. Cut the EU red tape!

My money is on the Government trying to loosen GDPR’s regulatory grip on some areas of technology deemed high-value and high-profit as we start leaving the EU’s orbit.

With all this in mind, how influential will the new Commissioner be?

Covid Passports and NHS App

The pandemic has led to a huge surge in the collection and use of health data, another sensitive conundrum for legislators to tackle.

The current Commissioner has warned the Government in an interview with the Telegraph that the ICO will be alert to any mission creep with the NHS covid app.

She said: “We will be watching the evolution of the app very carefully. My modus operandi has always been how can we help government get this right and build in privacy to these innovations. At the end of the day, if there is a contravention of the law with the app or overreach in its use then we will take action.”

She stressed the ICO will focus on how it is to be used next, and how it will be decommissioned when no longer necessary.

The ICO is currently advising the Government on the domestic use of vaccine passports. Denham is clear ministers must make sure any measures, for example to use passports for nightclub-goers, are time-limited and are not allowed to evolve into a more permanent post-pandemic regime.

Will the new Commissioner take a similar view, given the New Zealand government’s zero-Covid strategy?

If Mr. Edwards does take the job, we wish him the best of luck. He’ll need it, too, with a serious in-tray of problems to solve.

