The UK government believes unlocking the power of data is a key Brexit dividend, so it’s no surprise it recently launched a wide-ranging consultation on its proposed reforms to the UK’s data protection regime.
One aspect of the consultation was perhaps not expected, however: the extent to which the government envisions the Information Commissioner’s Office (ICO) as being directed by Whitehall rather than an independent regulator.
Among other things, the government wants the ICO to have regard to the secretary of state’s “statement of strategic priorities” and to consider economic growth and innovation when discharging its functions, and it wants to give the secretary of state the power to reject the ICO’s codes of conduct and regulatory guidance.
It’s an approach that, to paraphrase the line in Spinal Tap about Sammy Davis Jr and Frank Sinatra, is something akin to “yes I can, if the government says it’s okay”.
As such, it was encouraging to see that in its response to the consultation, the ICO strongly pushed back on the proposals, noting that they risk undermining the independence it needs to carry out its responsibilities to “regulate without fear or favour”.
Article 52 of the GDPR also has it right in that the ICO should act with complete independence and impartiality in performing its duties and exercising its powers, remain free from external influence, and not seek or take instructions from anybody. That is surely not a controversial position, but here we are.
Putting aside concerns about executive overreach, it’s odd that the government thinks these changes are even needed at all; the ICO is a more business-friendly and pragmatic regulator than many of its continental counterparts and – two large-ish fines aside – it’s not the type of regulatory Rottweiler that needs bringing to heel.
If anything, criticism of the ICO focuses on its perceived closeness to big business and reticence to bring high-profile enforcement actions. But the answer to those criticisms is not to make the regulator less independent. Indeed, it’s difficult to imagine that the government’s thinking is driven by its concern over the lack of GDPR enforcement in the UK and so intends to work with the ICO to issue a string of blockbuster fines.
The UK envisions a new pro-growth and innovation-friendly data regime that is independent from the European Union’s privacy laws, and its proposed changes to those laws are often sensible and, in some cases, an improvement on the GDPR.
But changes can be made without hobbling the ICO – and if they can’t, then the UK has a bigger problem on its hands than regulatory independence. In any event, it’s disappointing that it needs to be said that the authority charged with enforcing the UK’s new regime must be able to operate without government meddling, given the obvious regulatory uncertainty that would create for businesses and individuals alike.
Looking beyond these shores, the government wants to agree data adequacy deals with various international partners, and it should be able to do so without viewing the world solely through the prism of the GDPR, which itself is far from perfect. One wonders, though, how the UK would assess the viability of a country whose regulatory authority was subject to government interference.
The ICO plays a central role in maintaining the UK’s reputation on the world stage by promoting consistent and independent regulation of its data protection laws. The ICO can certainly be improved, but the government’s proposals threaten to undermine that task and much besides.
The force of the ICO’s response, and the slippery slope that would be set in motion by normalising interference in the regulation and enforcement of data laws in the UK, should convince the government to walk back its proposals.
Edward Machin is an associate at law firm Ropes & Gray. He specialises in legal and regulatory issues around privacy, data protection and security, e-commerce and marketing, and information law.