There was a time when data protection was virtually a byword for something dull, boring and technical.
No longer. The last few years have seen data protection issues rarely out of the headlines, from major security breaches at household name companies to recent controversies over GP data and vaccine passports.
There have also been two major upheavals in the law, with the new General Data Protection Regulation taking effect in 2018, followed by the post-Brexit changes as the UK disentangles itself from EU laws.
But as data protection has grown in importance and attracted wider interest, there has been increasing frustration at the way data protection law is enforced and regulated. In particular, the Information Commissioner, Elizabeth Denham, has become the target of criticism for failing to take more robust action to enforce the law. This criticism reached the mainstream last week when the Telegraph published an opinion piece entitled ‘The Information Commissioner’s Office is letting us down’ (£), arguing that the Commissioner had spent too much time chasing headlines and not enough enforcing the legislation. This was followed quickly by a lengthy rebuttal on the ICO’s website.
What should we make of all this? The context here is important, so perhaps we should not be surprised by the timing of these public criticisms. Elizabeth Denham’s term as Commissioner runs out in October, when a new Commissioner will take up the role. We don’t yet know the identity of her replacement, although the strong favourite is John Edwards, currently New Zealand’s Privacy Commissioner. Some of the public criticisms appear to be a not-so-subtle attempt at influencing the new Commissioner to take regulation in a new and different direction.
Many of the criticisms raised by the Telegraph and elsewhere are well founded. Elizabeth Denham has had a higher public profile than any of her predecessors, regularly appearing in public to discuss data protection issues and ensuring that the ICO has contributed to debates around artificial intelligence and new technologies. But in terms of regulation, the ICO has used its significant powers sparingly since 2018 and has preferred to provide advice and guidance rather than impose heavy fines or issue formal enforcement notices. Whilst businesses certainly welcomed the Commissioner’s softly-softly approach in the beginning, many are now questioning whether it is simply too lenient. My clients who work hard to get it right tell me that they are frustrated to see competitors gaining an advantage by ignoring the rules with apparent impunity.
In the EU, regulators have taken an altogether more robust approach. This week it was announced that Amazon had been fined a record €746 million by the Luxembourg data protection authority, while elsewhere regulators have already racked up hundreds of smaller fines. Of course, effective regulation should not be all about fines and we should not underestimate the importance of the ICO’s advisory role. But demonstrating that non-compliance has consequences is one of the best ways to persuade reluctant organisations that data protection matters.
On the other hand, there are clearly some within the current UK government who do not wish to see the Commissioner taking a stronger approach and would prefer data protection to return to its former low profile. There have been repeated statements from within the UK government about the cost and perceived burden of data protection compliance, as well as the potential to exploit the power of data to drive economic growth. The Information Commissioner is independent of government but, in a post-Brexit world, the UK government now has a far greater role in terms of setting the direction of data protection policy. These voices are going to be difficult to ignore.
It feels like we are at a crossroads, with the future direction of data protection regulation unclear. Do we want to see the regulator as a largely advisory body, offering advice and guidance but leaving the tricky issues of enforcement to the courts? Or would we prefer an active and interventionist regulator that isn’t afraid to challenge the organisations it regulates (including, of course, the government itself)?
Whoever takes on the role as the next Commissioner is going to need a thick skin, expert diplomacy skills and the balance and poise of an Olympic gymnast. Good luck!
At a crossroads: what next for data protection regulation?