On Thursday, 9 September, the UK government’s preferred candidate for the next Information Commissioner, John Edwards, appeared before the Digital, Culture, Media and Sport Committee for a pre-appointment hearing.
The process is not binding—the Committee can only recommend that the government does or does not appoint Edwards based on his performance. But the hearing provided some great insights into who John Edwards is, what he thinks about the GDPR, and how he is likely to regulate.
- What Edwards really thinks about Facebook
- Whether Edwards supports the UK’s planned divergence from the GDPR
- Whether Edwards clicks on cookie banners
- How Edwards would regulate big business
- Whether Edwards agrees that he is a “dead on arrival” “corporate lobbyist”
Overall, this was a confident performance from a personable and frank candidate. There were many straight answers—despite some confusing and poorly-phrased questions.
Some of Edwards’ answers may agitate businesses, some of them may agitate civil society—but in my view, he struck this balance reasonably well.
I think it is highly likely that the Committee will recommend Edwards based on today’s hearing. And although this would not be decisive, Edwards did imply that he would decline any job offer that was not backed by the Committee’s recommendation.
Here’s what the Committee asked, how Edwards answered, and my analysis of his responses.
What are Edwards’ views on “big tech”?
The Committee sought Edwards’ views on tech regulation, mentioning Facebook and Apple—but none of the other “big tech” corporations.
Edwards, who is currently New Zealand’s Privacy Commissioner, is well-known for having bad-mouthed Facebook in the past—an incident that was evidently top-of-mind for several members of the Committee.
Here’s a summary of the Committee’s big-tech related questions:
- Do you hate Facebook?
- You hate Facebook, don’t you?
- Do you think Facebook is a threat to the democratic process?
- What has Facebook done since 2019 that means you no longer think it is staffed by “morally bankrupt pathological liars?”
- No, but, seriously—do you hate Facebook?
- What social media platforms do you use?
- Is the GDPR stacked in favour of big business?
- What can we do to ensure businesses are being transparent and enabling individuals to exercise their rights?
- Apple plans to introduce new privacy protections with an upcoming update. These could hamper the UK’s regulation efforts with its Online Safety Bill. What would you do about this?
Here’s a summary of Edwards’ answers:
- Edwards says he is on 12 different “messaging services”, and his favourite social media platform is Twitter. He thinks he probably still has MySpace and Bebo accounts.
- Edwards shut his Facebook account following the company’s alleged refusal to recognise the jurisdiction of the New Zealand Office of the Privacy Commissioner but has since reopened it.
- Edwards said (repeatedly) that his comments on Facebook were deliberate hyperbole at a time of national grief. He stands by these comments. They had the effect of bringing Facebook to the table.
- Regulation should place a greater onus on businesses to use data responsibly and transparently. Too much onus has been placed on individuals to manage their own data.
- If the UK were able to prevent Apple from adopting privacy-preserving technologies in iOS, it would not make the barriers to government surveillance “go away.”
- Apple’s intentions to scan for child sexual abuse material (CSAM) have been misunderstood by some people.
Predictably, the Committee kept coming back to Edwards’ comments about Facebook. His responses were reasonable here—the comments were clearly made in anger but Edwards was able to defend them.
Few would disagree with the view that businesses should be regulated to take the onus off individuals when agreeing to data collection. The devil is, of course, in the detail—and there was little scope for providing this detail during the hearing.
The questions about Apple’s proposed privacy protections were bungled, and Edwards’ answers were accordingly confused. I believe the Committee was referring to Apple’s “Private Relay” mechanism here, but this was unclear to Edwards (and me).
Edwards spoke about his views on Apple’s CSAM-scanning proposals. First, he said the public wrongly believed that innocent pictures of their children could be flagged as CSAM. Second, he outlined the “slippery slope” concerns and appeared more sympathetic to those.
As to whether governments should be trying to “crack” encrypted messaging apps (he mentioned “Apple”, WhatsApp, and Signal), Edwards said that there must be a legitimate purpose for trying to “get into” such apps.
Edwards played his cards reasonably close to his chest on these points—but remember that this hearing is sort of a non-binding job interview, so perhaps that’s not surprising.
What should be the UK’s direction on data protection?
The Committee’s questions on the international aspect of data protection regulation focused exclusively on the EU and the US.
The crux of the questioning was:
- How far can the UK diverge from EU standards while maintaining adequacy?
- Can the UK move closer to US standards?
- Can the UK forge its own path on data protection?
- What is the biggest risk associated with the UK losing its EU adequacy decision?
Edwards’ answers in this area can be summarised as:
- It is possible to maintain adequacy if the UK retains the “essence” of EU data protection principles.
- The UK’s international data protection agreements and decisions should be founded on “mutual respect” for the standards of different jurisdictions.
- Europe and the US are entitled to their own regulations, as is the UK.
- The US is moving closer to EU standards, as evidenced by laws like the California Consumer Privacy Act (CCPA).
- A big difference between the US and the UK data protection regimes is that the UK provides better access to legal remedies.
- The UK is the world’s fifth-largest economy and can create a “third way” between US and EU standards.
- There is scope for divergence within adequacy—look at New Zealand and Canada, whose data protection regimes are very different from the EU’s.
- If the UK lost its adequacy decision, the most significant impact would be on small and medium-sized organisations, which would encounter a significant additional compliance burden. Big businesses would be unlikely to notice a significant detriment.
- Ultimately, the UK’s direction on data protection is a policy decision to be left to Parliament.
Watching the stream, I got the impression that Edwards has not ruled out the possibility that the UK will lose its EU adequacy decision in future.
It is right that Edwards should be aware of this possibility, and he is correct that the UK’s direction on data protection is ultimately a matter for Parliament.
Edwards clearly thinks there is room for divergence from EU standards. There was a lot of talk of the UK establishing a “third way” in data protection.
While this degree of divergence might be unrealistic, it would have been unwise for Edwards to give the impression that he thought the UK was shackled to EU standards.
Edwards twice cited the examples of New Zealand and Canada as evidence that there is scope for divergence from EU standards while maintaining adequacy. I’m less confident on this point—these adequacy decisions are out-of-date.
The Committee asked a lot about a US trade deal. Sadly, none of the other countries on the UK’s proposed “adequacy” list were mentioned. Edwards appeared to believe that simultaneously recognising the adequacy of the US and the EU was possible for the UK.
Edwards may be overstating the degree to which the US has converged with EU standards—the CCPA is a million miles away from the GDPR (although admittedly, it is a step towards Europe). But I agree that one major difference between the US and UK regimes is the potential for access to remedies.
It’s interesting to hear Edwards’ views on this topic, and he will be responsible for advising Parliament about data protection and privacy reforms. But ultimately, Edwards is correct to say that the UK’s legislative direction is not up to him.
What is the role of the Information Commissioner and data protection law?
The Committee asked Edwards several questions about his potential predecessor, Elizabeth Denham, and what he will bring to the role of Information Commissioner. These questions were bound up with other questions about the nature of UK data protection law.
The Committee’s questions (paraphrased):
- What do you think the UK needs to learn from New Zealand?
- What are your objectives for your first 100 days as Commissioner?
- How can the Commissioner help ensure data is private but also readily useable?
- There has been a looser interpretation of the GDPR throughout the pandemic. How can you ensure we don’t return to the “gold-plated” view of data protection?
- In response to the job post advertising this vacancy, the Open Rights Group said the new Commissioner would be “dead on arrival” and act as a “corporate lobbyist.” Do you agree?
- Organisations seeking procurement contracts say that they cannot request demographic information from their employees due to data protection rules. This info is required to win contracts. What’s your view on this?
- How will you contribute to the UK’s negotiations on international data transfer agreements?
Some of Edwards’ answers (paraphrased):
- The New Zealand Privacy Commissioner relies mostly on persuasive power. The ICO has more power to sanction organisations.
- Data protection law should be easy and cheap for organisations to implement—and should make it easy for consumers to exercise their rights and access remedies.
- The notion that data protection protects personal data but makes it difficult to share is a false dichotomy—the GDPR is a “how-to,” not a “don’t do.”
- The GDPR is what you make it—the law can be something that restricts or enables.
- Edwards (it appeared, genuinely) said he was “heartened” by the Open Rights Group’s comments and that he hopes that they are pleasantly surprised by his appointment. He looks forward to working with them.
- Regulatory efforts such as the Age Appropriate Design Code have had a meaningful impact already.
- Organisations may have a legitimate interest in obtaining demographic data from their employees as part of procurement bids.
- The Commissioner can be a “conduit” and a “translator” rather than a negotiator.
Edwards’ view that the GDPR can enable responsible data-sharing, rather than prohibiting it, will be music to the ears of many data protection advocates. However, this sentiment could also be interpreted as a call for looser interpretation of data protection rules.
The Committee may be hoping that Edwards can become directly involved in the UK’s international data transfer negotiations. Edwards did not appear to know whether this was a formal part of the role of the Commissioner. I would suggest that it is not.
However, I agree with Edwards’ description of his potential contributions to these negotiations—a “conduit” and “translator” who can speak with his counterparts across jurisdictions and provide insight based on his knowledge and experience.
One minor point of disagreement I have with Edwards is on whether organisations can rely on “legitimate interests” to collect demographic data from their employees as part of the government procurement process.
Under Art 9 GDPR, reliance on legitimate interests to process special category data is restricted to non-profits. However, Edwards’ broader point was, arguably, that existing data protection law should not be an impediment to legitimate business activity—and I agree with this.
What does Edwards think about cookies?
The Committee asked about cookies a few times in slightly different contexts.
I’d summarise the questions like this:
- Do you share Elizabeth Denham’s views that we should reform the law to eliminate cookie banners?
- Aren’t cookie banners “intensely annoying?”
- Do companies gather too much data via cookies?
To paraphrase Edwards’ answers:
- Like many people, Edwards tends to just click “accept” when confronted with a cookie banner.
- Many hours of productivity must be lost through people dealing with cookie banners.
- Cookie banners are “the law of the land”.
- Edwards takes a “risk-based approach” to these matters and expects websites to act within visitors’ reasonable expectations when collecting data.
- Companies do hoover up too much data via cookies. They also retain the data for too long and are too opaque about how they use it.
- Our brains are not “wired” to properly assess the trade-offs involved when agreeing to provide data via cookie consent mechanisms.
- The ICO can bring companies “into line” when it comes to collecting and retaining data via cookies.
Edwards, perhaps understandably, appeared not to be very interested in reforming the rules on cookies.
There are two broad views on whether privacy and data protection law have led to cookie banner hell:
- The GDPR has caused cookie hell and should be amended to get rid of cookie banners.
- The GDPR has been misinterpreted (willfully or not) by website operators who are imposing absurd, non-compliant consent mechanisms in the name of complying with the law (this is the correct view).
When Edwards said that cookie banners are the “law of the land”, I took this to imply that he subscribes to the first interpretation (that the GDPR itself is to blame), but I could be wrong.
Edwards seemed to cite a loss of productivity as the main harm caused by cookie banners, but he was also clearly concerned about the excessive data collection and retention facilitated by cookies.
The fact that Edwards clicks “accept” on every cookie banner means he might not be a privacy geek. I’m going to stay neutral on whether or not that’s a good thing.
Want to know more about the UK’s direction on data protection?
PrivSec New Normal is an upcoming in-person event on 16 November 2021.
We’ll be exploring how data protection, privacy, and security have been affected by COVID-19—and considering how the UK will proceed with its post-Brexit data protection reforms.