UK Appoints John Edwards as Data Protection Chief | Privacy Concerns

New Leadership for U.K. Data Protection

The United Kingdom government has identified its preferred candidate to succeed Elizabeth Denham as the chief data protection watchdog, as the current commissioner’s term is concluding. The Department of Digital, Culture, Media and Sport (DCMS) announced today that John Edwards, the privacy commissioner of New Zealand, is their nominated replacement.

Edwards’ Background and Experience

Possessing a background in law, Edwards has led the Office of the Privacy Commissioner in New Zealand for over seven years. Throughout his career, he has also held various positions within other public sector organizations in his native country.

He is widely recognized for his active engagement on Twitter and his publicly expressed disapproval of Facebook. Following the 2018 Cambridge Analytica data misuse incident, Edwards announced his decision to delete his Facebook account, citing the company’s non-compliance with New Zealand’s privacy regulations.

Alignment with Government Agenda

Edwards’ critical stance towards large technology companies corresponds with the U.K. government’s objective to regulate tech giants. This aligns with ongoing efforts to introduce safety-focused legislation for digital platforms and revise competition rules to address the power of these platforms.

Confirmation Process and Potential Changes

The appointment of Edwards requires approval from the DCMS committee and a formal acknowledgement from the Queen. If confirmed, he will assume the role at a pivotal time, as digital minister Oliver Dowden has indicated a potential shift away from the European Union’s data protection standards following Brexit.

Previously, former digital minister Matt Hancock had defended the EU’s General Data Protection Regulation (GDPR) as a “decent piece of legislation” and suggested limited divergence in U.K. data protection policies post-Brexit.

A Shift in Government Perspective

However, with Hancock no longer in government, the administration’s approach to data has evolved. Current digital minister Dowden views unfettered data mining as “a great opportunity” for the U.K. in the post-Brexit landscape.

For several months, ministers have been exploring ways to revise the U.K.’s existing data protection framework—rooted in EU regulations—to reduce user rights under the guise of streamlining processes and fostering data-driven “innovation.” While official statements emphasize maintaining “high data protection standards,” these standards are being redefined to facilitate increased data collection and sharing.

Pandemic Data Sharing and Future Plans

Dowden has suggested that the relaxed data sharing practices implemented during the pandemic—where NHS data was provided to numerous tech companies—should become the “new normal” for the U.K. post-Brexit.

A task force commissioned by the prime minister recommended scrapping certain aspects of the U.K.’s GDPR, labeling it “prescriptive and inflexible.” The report advocated for changes to promote data access for innovation and public interest, particularly in areas like AI and growth sectors.

Upcoming Regulatory Overhaul

The government is preparing to unveil proposals for overhauling the data protection regime next month, signaling its intent to “reform” (i.e., reduce) domestic privacy standards.

Minister Dowden has indicated a desire to modify consent requirements, potentially removing the legal obligation to obtain consent for tracking and profiling website visitors. This is being presented as a pro-consumer measure to eliminate “endless” cookie banners.

According to reports, only cookies posing a “high risk” to privacy would still necessitate consent notices.

“Light Touch” Regulation and Concerns

Dowden emphasized the need for a “light touch” approach to data protection, focusing on protecting privacy while minimizing bureaucracy.

The draft of this proposed framework will be released next month, but the government’s intention to redefine U.K. citizens’ privacy rights—using rhetoric about “common sense” rules—is clear. The aim is to lower current privacy standards and weaken data protections.

Citizens in the U.K. may find that the extent of their privacy and data protection will be determined by the level of “innovation” that ministers seek to “turbocharge.”

ICO’s Role and Potential for Deregulation

Once approved, Edwards, as head of the Information Commissioner’s Office (ICO), will be responsible for implementing any deregulation measures.

The government hopes to mask the details of its plans to weaken citizens’ privacy rights behind a broader narrative of “taking action against Big Tech.”

Data protection experts have already voiced concerns about the potential for a regulatory compromise.

Government Expectations for the ICO

The Telegraph reports that the government views Edwards as an ideal candidate to foster a “more open and transparent and collaborative approach” in the ICO’s interactions with businesses.

Furthermore, the government is considering requiring the ICO to conduct “economic impact assessments” to evaluate the cost to businesses before introducing new guidance or codes of practice.

Potential Consequences and EU Alignment

U.K. citizens may ultimately find their privacy rights dictated by market forces, potentially leading to a decline in data protection standards. This could result in a future where fundamental rights are traded away.

This shift also risks a collision course with the EU, as the current data adequacy deal—allowing free data flow between the U.K. and the EU—was granted based on the U.K.’s alignment with GDPR. Dowden’s push to weaken privacy standards threatens this agreement.

The European Commission has warned that it will intervene if the U.K. deviates from GDPR.

The adequacy deal also includes a sunset clause, expiring in four years, requiring the Commission to reassess the U.K.’s data protection standards in 2025.

Seeking Alternative Data Partnerships

The U.K. government is also exploring data partnerships with countries that may have more lenient privacy regimes. Today, DCMS announced plans to pursue “multibillion pound global data partnerships” with the U.S., Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre, and Colombia.

Future partnerships with India, Brazil, Kenya, and Indonesia are also being prioritized, despite the potential impact on U.K. citizens’ privacy.

While the government claims this will unlock £11 billion in trade, U.K. exports to the EU—valued at £294 billion in 2019—highlight the relatively small scale of this potential “Brexit data bonanza.”

The Need for Stronger Privacy Protections

Addressing the issue of cookie banners requires strengthening privacy protections, making non-tracking the default online setting, and prohibiting manipulative dark patterns. The U.K. may instead opt to eliminate consent requirements, allowing unrestricted data access.

Outgoing Information Commissioner Elizabeth Denham cautioned the government, emphasizing that data-driven innovation can only succeed with continued public trust in the fair and transparent use of data, both domestically and internationally.

The government’s decision to dismantle a well-balanced privacy regime risks creating a future of domestic data misuse scandals, mirroring the issues seen in the U.S.

U.K. citizens may soon experience unfair and unethical data practices, learning about them through news reports.

This approach could erode trust in digital services, ultimately harming digital businesses. Dowden’s apparent lack of understanding of internet fundamentals is also a concern.

The U.K.’s actions also threaten its relationship with the EU, potentially jeopardizing the data adequacy deal.

The government’s long-term plan appears to be to replace reliance on EU data flows with partnerships with jurisdictions that prioritize a less restrictive approach to data privacy.

Ultimately, the level of privacy afforded to U.K. citizens may depend on the government’s pursuit of “innovation.”