John Edwards delivers his first speech as Information Commissioner
Kia ora koutou katoa, as we say back home
This is my first speech in my role as UK Information Commissioner.
Before I get into the detail, a brief disclaimer. Many of you will be aware that the jurisdiction of the office covers a range of legislation and regulations, including freedom of information. I’m going to limit my discussion here today to data protection issues, as I understand that is the area of most interest to this audience, but rest assured I will be addressing specifically freedom of information issues and audiences very soon.
From the day my appointment was announced, people, politicians, journalists kept asking me what are your priorities? What are you going to do? What are you going to deliver in your first 100 days? I thought it was a bit presumptuous for me to arrive in a new country, a new system, a new jurisdiction and start issuing proclamations on what was broken and how I was going to fix it.
So, as we say back home, I kicked it to touch, and said instead: “I’m going to listen”. And I launched the listening tour.
So I have been listening.
And what I’ve been hearing is that you’re concerned about change. You spent 2017 and 2018 preparing your organisations for the arrival of GDPR. You spent 2019 adapting to the new law. And the next two years disappeared into a wormhole where time was warped by the pandemic. 2022 was meant to be an easier year and the into view comes a new Information Commissioner and a Government promising a shake-up of UK data protection law.
I know that you’re concerned about the transaction cost of a new law. Nervous that a new law may imperil adequacy or prompt regulatory diversion with our neighbours and trading partners. And, yes, worried that a new Commissioner might make your life more difficult.
In the face of this change, and uncertainty, my message this morning is intended to be one of reassurance.
I want to reassure you that my focus is on bringing certainty in what the law requires of you and your organisations, and in how the regulator acts. And certainty too for people about what their rights are and what they can expect from their regulator.
Privacy, and data protection, are not values and rules imposed upon an unwilling populace by some external force. They are not burdens to be shucked off. They are laws that represent deeply ingrained features of the UK culture and legal system.
When I was appointed last year, my predecessor and friend Elizabeth Denham recommended a book to me, titled Watching the English. It is a book of the hidden rules of English behaviour, as seen by anthropologist Kate Fox. Liz intended that it would smooth the way for me as a colonial antipodean coming to terms with the coded mores of English culture.
In places it presents amusing observations about the unwritten codes of conduct that shape English life. The uncommunicated but understood rules of queuing for a drink in a pub for example.
But what really stuck with me was the author’s reflection on what she sees as an English and British obsession with privacy. Fox quotes George Orwell’s observation that “the most hateful of all names in an English ear is Nosy Parker”, and highlights how so many social rules and maxims are concerned with the maintenance of privacy. ‘How are you?’ is answered ‘fine, thanks’ or ‘mustn’t grumble’ and so on, and rarely as an opportunity to share your feelings, for instance.
Fox sums this up with a quote from that great bastion of Englishness, Jeremy Paxman, who intones that “the importance of privacy informs the entire organisation of the country, from the assumptions on which laws are based, to the buildings in which the English live.”
This culture of privacy has strong historic roots.
Privacy protection did not arrive in the United Kingdom with the GDPR. Nor did it arrive with the 1995 European Directive, or with the International Covenant on Civil and Political Rights. It didn’t arrive with the Universal Declaration of Human Rights, and nor did it arrive with the Warren and Brandeis’s 1890 article in the Harvard Law Review.
These concepts, that form the basis of our law, that you must have a lawful basis for rifling through my papers and information, that an individual is entitled to assert and exercise agency, and autonomy over his or her domain and personal affairs predate all of those.
One of my favourite cases is that of Entick and Carrington, from 1765. Bailiffs from the king entered the plaintiff’s house, and conducted a thorough search, including going through his private papers, looking for seditious material. The Court found in favour of the plaintiff, finding that for such an intrusion, the King himself, and his agents needed a clear legal authority that was absent in that search.
The Prime Minister William Pitt, memorably articulated the same concept soon after that case when he said:
“The poorest man may in his cottage bid defiance to all the force of the crown. It may be frail: its roof may shake, the wind may blow through it, the storm may enter, the rain may enter. But the King of England cannot enter.”
That deep legal and cultural commitment to protect fundamental rights informs what comes next for us in the UK. I see the opportunities for the UK to shape its own laws, and see a desire in Government to promote innovation. I understand the entirely sensible goal of enabling business and government to derive a digital dividend, and extract value from data. But all of this will be built upon a foundation that prioritises privacy. That cultural value of privacy has been reflected as I’ve met with organisations across the UK.
Different sectors face different challenges, but I’ve heard a consistent message of organisations understanding the importance of getting privacy right. Public sector leaders appreciate the role privacy plays in the successful delivery of their services, particularly around digital innovation. And business leaders see the financial benefits of good data protection model as a means of protecting the largest business asset that doesn’t appear on their balance sheet.
In this context, the proposed reform should not be seen as radical. And while there is always a cost in moving from one regulation to the next, there is nothing in what is proposed that imposes additional burdens on business. If anything, I can see a clear intention to reduce regulatory burdens, in order to create a streamlined law that more effectively protects people’s rights. My undertaking to you is that once Parliament has decided on the appropriate regulation, we at the ICO will devote ourselves to ensuring that the transition is seamless, and as painless as possible.
Similarly, a streamlined law that more effectively protects people’s rights should not put adequacy at risk.
Ultimately, the decision to grant adequacy rests with the EU, who must decide whether the data of its citizens enjoys the same level of protection in Manchester as it does in Munich. Given DCMS have committed to maintaining high standards of protection, I struggle to see how the legal protections will be less in Cardiff than is afforded to those in Copenhagen.
Returning to what I have heard as I have met with organisations across the UK, that anxiety about change I described at the outset has also been expressed positively as a desire for certainty.
People want certainty in how the ICO will act, and I believe we can provide that. One aspect of that will be in a three year plan we’re calling ICO25, setting out our values, aspirations and priorities. You can expect to see that later this year.
But the people I’ve spoken with also want certainty in what the law says. This is an area that the ICO does well – the office’s guidance is well read and well respected. But I would agree that there is scope to bring greater certainty to what the law is right now, in addition to what it might become.
I’ve heard a few of the ideas I have heard so far of how we might achieve that greater certainty.
How could we improve our guidance, for example?
My initial view is that there are groups of people who need the support of privacy law, but who are simply not aware of the rights they have.
That could be migrants dealing with the complexities of visas and their right to remain.
It could be the victims of sexual assault looking for both justice and support.
It could be non-English speaking communities.
How can the law protect them – the law we all put so much energy into protecting - if those people don’t know the law exists?
There is a role here for the ICO, and the privacy community more broadly, to better reach these communities of unmet need.
What I have also been hearing on my tour is that organisations want a greater certainty in how the ICO will respond to complaints. Now this, I will acknowledge, is a difficult area. Those who fall foul of the law are always inclined to consider that the regulator’s actions were unpredictable.
But it does strike me as an area where the ICO could improve our offering. I am struck by the assurance for positions offered by tax and revenue authorities around the world, which allow an organisation to say ‘if I take this approach, how will you treat it?’. They put their money down, they get an undertaking from the regulator, and they are then able to invest with confidence. Why can’t we do the same thing in privacy? You come to me and say ‘if we do this thing, how will you treat it?’. We offer a service with a similar principle in our sandbox programme, but I want to explore whether we can offer broader assurance advice.
This would offer a way to set out our regulatory position that is quicker and more effective than relying on ex post enforcement action.
Which brings us to the subject of fines – the topic I am always asked about, especially in any media interviews.
I don’t have a problem with fines – they have a role to play in our regulatory approach, alongside other enforcement action. And the attention they attract brings a benefit, in encouraging compliance across entire sectors.
But fines are a slow way to find certainty. Each one takes a great deal of time and resource to put a single stake in the ground, and it takes so many of these stakes to mark out a perimeter that gives certainty on what the law says and how we will apply, interpret and enforce it.
The view that I am coming to is that our significant enforcement efforts must be used with surgical and targeted application. A big fine must serve a broader purpose of bringing certainty to an issue or sector. And there must be certainty about why we have chosen to take action.
I’ll draw to a close now.
I hope I have given you some reassurance about what’s ahead, and in particular our stance in relation to the law reforms. Remembering of course, that we do not have our hands on the levers of that law reform process.
And I hope that the insight I have shared from my listening exercise gives you a sense of our future direction.
I have been buoyed by the positive feedback I’ve heard of how the ICO is trusted. Our willingness to engage is appreciated. And the expertise of our staff is respected. That is the platform I want to build on as Commissioner.
I want you to see an ICO that is agile and curious. We want to move fast and fix things.
I want you to see an ICO that preserves people’s rights.
And I want you to see an ICO that brings you certainty in an uncertain world.