The U.K. needs a new Information Commissioner to regulate data protection, privacy, and freedom of information law. The Sunday Times has tipped John Edwards, New Zealand Privacy Commissioner, as the government’s top choice.

Who is John Edwards? Would he do a good job of heading up the Information Commissioner’s Office (ICO)? Does he really hate Facebook, as the media says—and is this even relevant?

Who is John Edwards? 

John Edwards is the New Zealand Privacy Commissioner—the head of the country’s Office of the Privacy Commissioner (OPC). He was appointed in 2014 is part-way through his second five-year term.

Before starting his role as Privacy Commissioner, from 1993-2014, Edwards worked in New Zealand as a self-employed barrister and solicitor, focusing on information and privacy law. 

Edwards also served as legal counsel for the New Zealand Families Commission from 2003-2013, and as a senior solicitor at New Zealand’s Ministry of Health from 1997-1999. He was Chair of the Global Privacy Assembly from 2014-17.

Data protection enthusiasts might be pleased to see that Edwards has a solid legal background and a wealth of experience in privacy regulation. However, as a New Zealander, his experience mostly relates to another jurisdiction.

Another non-U.K.-based Information Commissioner?

If appointed as Information Commissioner, Edwards would replace Canadian Elizabeth Denham—and would become be the second consecutive person from outside the U.K. to occupy the post.

Is this a problem? Not necessarily, although last year it transpired that current Commissioner Denham had been working from home in Canada throughout much of the pandemic.

New Zealand is a common law jurisdiction, like the U.K., but its data protection regime is quite different.

The country has an EU adequacy decision but it dates from 2013 and is up for review. New Zealand’s privacy law received a significant overhaul last year when it passed the Privacy Act 2020, but the legislation is arguably less strict than the EU and U.K.’s regime.

Couldn’t the government have found a U.K.-based Commissioner? 

Remember, Edwards’ appointment is not a done deal yet. Vivienne Artz, currently Chief Privacy Officer at the London Stock Exchange, is also apparently being considered—so there is still a chance that the new Information Commissioner will be U.K.-based.

Would Edwards be better than the current Information Commissioner?

The current U.K. Information Commissioner, Elizabeth Denham, has been criticised by some in the data protection community who argue that she has failed to enforce data protection law.

Last year, a group of 20 U.K. Members of Parliament (MPs) wrote to Denham, urging her to take action over the government’s multiple alleged breaches of data protection law. 

An ongoing court case against the ICO, filed by Open Rights Group director Jim Killock and academic Michael Veale, alleges that Denham and her team have failed to investigate unlawful activity in the online advertising industry.

There are some indications that Edwards will be a tougher regulator than Denham.

Edwards doesn’t have a strong record of enforcement—but the OPC has only recently been empowered to take substantive action against businesses that violate New Zealand privacy law. 

Late last year, the OPC received the ability fine organizations up to $10,000 NZD in certain circumstances. 

But in a 2017 report, Edwards pushed for a much higher fine ceiling of $1 million, arguing that “privacy enforcement sanctions no longer appear adequate to deal with serious (data) breaches.”

The report also recommended reforms to the Privacy Act’s criminal offences that would make it easier to prosecute people who obstructed or failed to comply with the Commissioner.

And then there are Edwards’ comments about Facebook…

Does Edwards really hate Facebook? 

Much of the press coverage around Edwards’ possible appointment focused on his alleged “hatred” of Facebook.

The Times described Edwards as a “Facebook-hating New Zealander.” The NZ Herald said Edwards would be tasked with “leading a war on big tech on behalf of No 10.”

In response, Edwards tweeted “Not hating” on Sunday.

But it’s fair to say that Edwards has been outspoken about Facebook in the past. 

After Facebook failed to accept responsibility for the Christchurch massacre in 2019, Edwards described the firm as “morally bankrupt pathological liars who enable genocide (Myanmar), facilitate foreign undermining of democratic institutions.” 

Does this Facebook stuff actually matter? 

Not really. 

As Information Commissioner, Edwards would be empowered to issue fines against Facebook under the U.K. Data Protection Act 2018 and the Privacy in Electronic Communications Regulations (PECRs) if the company breaches data protection or privacy law. 

But a bigger concern for Facebook might be the U.K.’s Online Safety Bill, which could impose sweeping new liabilities on online platforms, or the Digital Markets Unit, a new office set up to regulate competition among big tech firms. 

Is Edwards likely to get the job?

We’ll know whether Edwards is the new Information Commissioner some time before Denham’s term expires on October 31, 2021. 

Although Edwards might be the government’s top pick for the position, some observers have been surprised at the choice of candidate.

The job ad for the new Commissioner called for a candidate that could “communicate the wider benefits of data sharing… for competition, innovation and growth” and “advise” businesses on data protection while “minimising regulatory burdens.”

This led some campaigners to conclude that the next Commissioner would be a government puppet or a “corporate lobbyist”—rather than an experienced privacy regulator like Edwards.

But if he does get the job, Edwards will have a challenge on his hands. 

In a speech last year, Edwards said “privacy is not dead. It is not going anywhere.” 

This pro-privacy attitude might conflict with the U.K. government’s desire to “promote innovation” by deregulating data protection.

Missed PrivSec Global’s livestream experience?

No problem, simply CLICK HERE to access the sessions on demand