In an interview with POLITICO on 23 March, UK Information Commissioner John Edwards said he had “made it very clear” that the government’s proposed data protection reforms must not “undermine the independence” of the country’s data regulator, the ICO.
So is the ICO’s independence threatened under the UK’s proposed reforms of the General Data Protection Regulation (GDPR)?
The last Information Commissioner, Elizabeth Denham, certainly thought so.
Before leaving office, she said that the reforms risked “undermining the independence” the ICO needs to carry out its responsibilities.
Let’s consider what the government is proposing, and see whether the ICO has grounds for concern.
Proposed ICO Reforms
The government’s consultation on reforming UK data protection law, known as “Data: A New Direction”, has sparked controversy for several reasons.
The proposals set out possible reforms to many areas of the UK GDPR, including scrapping the mandatory requirement for data protection officers, removing rights to object to certain AI-generated decisions and modifying the UK’s cookie rules.
I identified 74 proposed reforms to UK data protection and privacy laws last September.
A long section of the consultation deals with reforming the ICO. There are around 28 potential reforms proposed, affecting the ICO’s strategy, structure and, ultimately, its independence.
Some key proposed reforms to the ICO’s “strategy, objectives and duties” include:
- Empowering the Secretary of State for DCMS to prepare a statement of strategic priorities for the ICO
- Requiring the ICO to “have regard for economic growth and innovation”
- Requiring the ICO to consider the government’s wider international priorities when conducting its own international activities
And here are some of the proposed changes to the ICO’s “governance model and leadership”:
- Establishing an independent board and CEO of the ICO
- Appointing the non-executive members of the ICO’s board and its CEO via the public appointments process (the same process used for appointing the Information Commissioner)
- Removing the requirement for parliamentary approval when setting the Information Commissioner’s salary
Some further proposed reforms concern codes of conduct, complaints and enforcement, including:
- Empowering the Secretary of State for DCMS to approve codes of practice and complex or novel guidance
- Requiring any data subject to attempt to resolve their issue with an organisation before lodging a complaint with the ICO (the ICO has often been doing this informally anyway)
- Increasing the statutory deadline by which the ICO must issue a final penalty notice from 6 to 12 months
Liz Denham’s Concerns
Last October, outgoing Commissioner Denham published a response to the government’s reform proposals.
Denham’s response was a mixed bag, deeming some of the proposals sensible but raising concerns about others, such as the suggestion to remove rights to object to automated decision-making under Article 22 GDPR.
But the proposed reforms to the ICO appeared to be most problematic for the then-Commissioner. The ICO’s response argued that certain proposals risked undermining the regulator’s independence.
Denham did “welcome” parts of the reform package, such as “the proposal to introduce a more commonly used regulatory governance model for the ICO,” i.e. “a statutory supervisory board with separate Chair and CEO.”
But the Commissioner suggested that having this CEO selected via the Public Appointments process could result in “significant and frequent government interventions” and would not accord with the ICO’s role “in overseeing compliance by government.”
In other words, a CEO who was appointed by the government (subject to a recommendation from a parliamentary committee) might not be willing to effectively enforce the law against the government.
Instead of having the CEO selected by ministers, the ICO said it would prefer to give this power to its own governing body.
Ministerial Approval of Codes of Conduct
Another area of concern for the ICO was a proposed new power for the Secretary of State for DCMS: approving and rejecting codes of conduct and complex novel guidance issued by the ICO.
Denham said this plan “would reduce the ICO’s independence,” would “reduce regulatory certainty for organisations,” would threaten “wider trust and confidence in the ICO’s guidance,” and could potentially “lead to more legal challenges.”
Denham also criticised the proposed “right of approval and veto of ICO guidance for the Secretary of State.”
“It is our view that this proposal is fundamentally at odds with safeguarding the ICO’s independence,” the report said, “which is key to engendering the public’s trust and confidence in the digital and data economy.”
Why Does the ICO’s Independence Matter?
The independence of supervisory authorities is vital under the GDPR and other data protection frameworks, such as the Council of Europe’s Convention 108+ and the OECD’s Best Practice Principles.
For example, under those OECD guidelines, which were cited by the ICO in its response to the proposed reforms, “the CEO’s primary accountability should be to the governing body”—not the government.
The ICO also cited Convention 108+, which says supervisory authorities “should act with complete independence and impartiality in performing their duties and exercising their powers.”
These things matter when considering the protection of data subjects, whose fundamental rights could be rendered vulnerable to the government’s changing policy priorities.
And they matter to businesses and data protection professionals, too—because undermining the independence of the ICO would be liable to put the UK’s adequacy decision under threat.
In his POLITICO interview, Edwards said he was “confident” that ministers were “fully aware of the concerns,” and that he was “working constructively with them… to try and ensure that the policy objectives are met in ways which don’t imperil adequacy or undermine the independence of the office.”
The proposed reforms to the UK GDPR are by no means uniformly bad, and there may be beneficial ways in which the UK could diverge from the EU without losing its adequacy decision.
But from the perspective of maintaining EU adequacy and protecting fundamental rights, undermining the ICO’s independence is among the riskiest of the proposed reforms.