ICO has “strong concerns” about independence if GDPR changes go ahead

Derek du Preez, October 8, 2021
The UK’s data regulator - the Information Commissioner’s Office (ICO) - has said that government proposals could limit the ICO’s ability to hold the government to account.

The UK's data regulator - the Information Commissioner's Office (ICO) - has published its response to the government's consultation on proposed changes to data protection, citing strong concerns that the current plans could infringe on the regulator's future independence. 

Last month the Department for Culture, Media and Sport (DCMS) published its 'Data: a new direction' consultation, which proposed a new regulatory framework for data protection measures now that the UK has left the European Union.

The consultation raised eyebrows, given that the UK was only recently granted adequacy status by the EU for data transfers, as the two institutions are currently closely aligned on GDPR. However, the EU has been very clear that if the government backs away from its GDPR commitments, adequacy status could well be revoked. 

My colleague Stuart Lauchlan effectively described why the move is a huge gamble for the UK, and diginomica has also outlined what the proposed changes would mean for British business. In short, the government is arguing that GDPR tends towards a box-ticking compliance regime, instead of encouraging a proactive and systemic approach.

The government also believes that the one-size-fits-all approach disproportionately affects smaller businesses that may not have the same level of risk associated with data protection. This is a point that the UK Information Commissioner, Elizabeth Denham, agrees on. She said:

I support the intention of the proposals to make innovation easier for organisations. I agree there are ways in which the legislation can be changed to make it simpler for companies to do the right thing when it comes to our data. Perhaps most notably, it is vital that the inevitable regulatory and administrative obligations of legal compliance are proportionate to the risk an organisation's data processing activities represent. 

That means finding proportionate ways for organisations to demonstrate their accountability for how they collect, store, use and share our data. They must ensure data is safe and is not used in ways that might cause harm. And they must ensure that all people are able to exercise rights over their personal data.

The government estimates that the reform package will have a net direct monetized benefit of £1.04 billion over 10 years, even after accounting for potential costs incurred through any future changes to the UK's EU adequacy decisions. 

Cause for concern

Whilst the ICO is broadly supportive of the government's plans, Denham noted that the "devil is in the detail" and said that the government needs to ensure that the final package clearly maintains rights for individuals. Denham said: 

We need a legislative framework with people at its heart and I am pleased to see the consultation recognise the importance of maintaining and building public trust. It is crucial we continue to see the opportunities of digital innovation and the maintaining of high data protection standards as joint drivers of economic growth. Innovation is enabled, not threatened, by high data protection standards.

However, the consultation also calls for some reform of the ICO itself, and this is where Denham takes issue, particularly as it relates to maintaining the ICO's independence as a regulator.

Denham welcomes the plans to introduce a more commonly used regulatory governance model for the ICO, including a statutory supervisory board with separate Chair and CEO, but is very wary of giving the government final say on certain issues. Denham said: 

An independent regulator assures the public of their protections and maintains trust in data-driven innovation. By holding government and public institutions to account, an independent ICO also builds trust in innovative uses of data in the public sector, and trust in democracy itself. And the independence of the regulator is key to the high standards that will help deliver future global trade and adequacy agreements.

Despite this broad support for the proposals to reform the ICO's constitution, there are some important specific proposals where I have strong concerns because of their risk to regulatory independence. For the future ICO to be able to hold government to account, it is vital its governance model preserves its independence and is workable, within the context of the framework set by Parliament and with effective accountability. 

The current proposals for the Secretary of State to approve ICO guidance and to appoint the CEO do not sufficiently safeguard this independence. I urge Government to reconsider these proposals to ensure the independence of the regulator is preserved.

My take

The government's proposals to take power and independence away from the ICO will go a long way towards undermining not only the power of the regulator, but also the reputation of data protection in the UK. Regulators are independent for a reason and if final decisions land in the lap of government ministers, who often have no real expertise in this field, it is a disaster waiting to happen. Whatever you think of the rest of the reforms, this aspect of them needs to be quashed ASAP.