The Information Commissioner’s Office (ICO) has published its response to the recently announced government consultation on the future direction of the UK’s data protection regime, expressing apparent concerns over its future independence as Boris Johnson’s Conservative government seeks to alter or remove key elements of existing data regulation.
Information commissioner Elizabeth Denham said: “It is important government ensures the UK is fit for the future and able to play a leading role in the global digital economy. I therefore support this review and the intent behind it.
“As the proposals are developed, the devil will be in the detail. It will be important that government ensures the final package of reforms clearly maintain rights for individuals, minimise burdens for business and safeguard the independence of the regulator.”
The government’s proposed reforms for the ICO, as detailed in chapter five of the extensive consultation document, available here, will supposedly empower it to “protect data rights and promote trust in the data protection system in order to unlock the power of data”.
Among other things, it plans to “strengthen” the ICO’s current obligations by placing a new duty on it to have regard for economic growth and innovation when discharging its function. Some fear this could lead to a weakening of UK citizens’ privacy rights in the service of supporting the activities of businesses using data in new ways.
It further intends to introduce a duty for the ICO to “have regard to competition” when discharging its duties; to cooperate and consult with other regulators, notably the Competition and Markets Authority, the Financial Conduct Authority and Ofcom; and to give the secretary of state for the Department for Digital, Culture, Media and Sport – currently Nadine Dorries – the power to prepare a set of strategic priorities that the ICO “must have regard to”, alongside other powers.
It also proposes to end the ICO’s current structure as a “corporation sole”, a single legal entity consisting of an incorporated office occupied by one person, and establish an independent board, led by a chair with non-executive directors, and a CEO at the ICO. The title of information commissioner would in future be given to the chairperson.
Strong concerns
Denham said she welcomed many of the proposals, particularly those that relate to ensuring that the ICO’s powers are effective. But she added: “Despite this broad support for the proposals to reform the ICO’s constitution, there are some important specific proposals where I have strong concerns because of their risk to regulatory independence.
“For the future ICO to be able to hold government to account, it is vital its governance model preserves its independence and is workable, within the context of the framework set by Parliament and with effective accountability.
“The current proposals for the secretary of state to approve ICO guidance and to appoint the CEO do not sufficiently safeguard this independence. I urge government to reconsider these proposals to ensure the independence of the regulator is preserved,” she said.
“Some of the proposals risk undermining the independence we need to carry out our responsibilities under both data protection and freedom of information legislation to oversee government and the public sector,” the ICO said in its full consultation response, which can be downloaded here.
“Independence, within a framework of strong accountability to Parliament, is important. It allows us to regulate without fear or favour, to make decisions about where we intervene or act, based on an impartial assessment of the harm or potential harm to people. It also reassures the public that our actions are impartial and that government as well as businesses are being held to account.”
Among the issues raised in the full consultation response, the ICO said the proposals meant the appointment of its chief executive would not rest with its chair and board, but rather with the secretary of state, which means its constitution would be less independent from government than that of Ofcom, for example.
The ICO also expressed concerns around proposals to grant the secretary of state the power to approve codes of practice and novel or complex guidance. It said these were key mechanisms in how it goes about exercising its functions and that the proposals effectively give a government minister a veto over key guidance, creating a lack of clarity about its ownership and accountability and undermining its role, risking judicial reviews or other legal challenges.
A similar proposal to introduce a right of approval and veto of guidance following consultations may undermine the contributions of contributing stakeholders and create additional regulatory uncertainty for businesses.
Privacy worries
The ICO went on to express further concerns around other proposals contained within the legislation. For example, on proposals to eliminate the requirement to consider whether legitimate interests in processing data are outweighed by the fundamental rights and freedoms of individuals, it called for more detail on a number of points, including how the government sets out the nature of specific types of data processing, and how the changes will interact with the exercise of people’s rights.
It also expressed concerns about the proposal from the Taskforce on Innovation, Growth and Regulatory Reform to remove the right to human review of automated decision-making, and over proposals to introduce a small charge for making a subject access request, which it said risked restricting the ability of everyone, whatever their circumstances, to exercise their data rights.
The ICO also warned on proposals to remove the threshold for what constitutes high-risk data processing, saying this would restrict its ability to prevent people from experiencing harm after the fact, and on proposals around data reuse and repurposing, which it said could increase the use of people’s data in ways they might not anticipate or expect.
In other aspects, the ICO’s response found much to be positive about. Denham said she was pleased to see the consultation appreciated the importance of maintaining and building public trust when it comes to how data is used, and that the proposals to make innovation easier for organisations – particularly with regard to ensuring the regulatory and administrative obligations of legal compliance are proportionate to the risk involved when it comes to data protection.
The ICO also spoke in support of issues that that have been seized upon as a cause célèbre in recent months: notably, proposals to change browser cookie consent mechanisms – considered an onerous requirement by many – and to which it has itself proposed changes; and proposals to give it more powers to tackle unsolicited direct marketing and fraudulent telephone calls.
“Data protection is not just an academic exercise, or the province of regulators or data protection officers,” said Denham. “It matters to all of us and has the power to affect every aspect of our lives.
“I, and my office, remain committed to supporting the government to ensure a data protection framework that works for everyone, and is fit for both the challenges and the opportunities ahead. The ICO has provided support throughout the development of these proposals, and stands ready to implement the reforms that Parliament decides upon.”