John Edwards, the current New Zealand Privacy Commissioner, has been named as the UK government’s preferred candidate to head the UK data regulator (the Information Commissioner’s Office (ICO)).
The government has recently announced these changes to the ICO, as well as a general shake-up of UK data protection laws.
The new Information Commissioner
Mr Edwards has been said to favour light touch regulation which appears to fit with the UK government’s desired approach going forwards.
It is understood that Mr Edwards will be empowered to go beyond the regulator's traditional role which focusses on protecting data subject rights. His role would now be "balanced" between protecting rights and promoting "innovation and economic growth". This seems to indicate that the interests of those businesses complaining about the burden of data regulation will be taken into account.
The UK's new Information Commissioner will be charged with a post-Brexit "shake-up" of the UK data protection laws, including getting rid of cookie pop-ups.
In an interview with The Telegraph newspaper, Digital Secretary Oliver Dowden said that the reform of the data protection rules is "one of the big prizes of leaving" the EU.
Mr Dowden also said "there's an awful lot of needless bureaucracy and box ticking and actually we should be looking at how we can focus on protecting people's privacy but in as light a touch way as possible".
In addition, the Digital Secretary now has the power to create data adequacy partnerships with partners around the world.
Data adequacy partnerships
The government has announced that it will prioritise making new data adequacy partnerships with countries around the world. In particular, the government is exploring adequacy rulings in respect of the United States, Australia, the Republic of Korea, Singapore, Dubai, Colombia, India, Brazil, Kenya and Indonesia. Such partnerships would build on the existing adequacy arrangements the UK has in place (e.g. with members of the EEA and with jurisdictions that form part of the UK: Jersey, Guernsey and the Isle of Man).
The government has said data adequacy partnerships mean organisations would not have to implement costly compliance measures to share personal data internationally.
We will doubtless see further announcements in the coming months as the UK’s new regulatory landscape begins to take shape.
Arguably, it is easy to generate headlines about big data protection changes, but much harder to frame new laws, especially those that might diverge from the EU. It will be important for the UK to maintain its current adequacy status with the EU. The EU does have the power to revoke the UK’s adequacy status if the UK’s data protection laws diverge significantly from the EU’s in the future.
There is certainly a lot of rhetoric about boosting growth through data transfers and breaking down barriers to innovation. How easy this will be, whilst not diverging too far from the EU and still protecting individual rights, remains to be seen.