The United Kingdom’s newly appointed information commissioner, John Edwards, might find it hard to steer a successful path between ensuring citizens’ data rights are preserved while also trying to make U.K. laws more palatable for data-driven business.
Some believe Edwards—who succeeded Elizabeth Denham this month after previously serving as New Zealand’s privacy commissioner—will need to perform a precarious balancing act between ensuring the European Commission remains happy the United Kingdom honors the terms of its adequacy agreement with the European Union, which allows the country to continue to share data across Europe, while also satisfying the U.K.’s post-Brexit ambitions.
These measures include Britain developing its own separate data protection policy, facilitating data adequacy agreements with other countries, and reforming its data laws to make them more business friendly.
Legal experts believe divergence from Europe poses serious risks.
“[Big Tech] will be a huge factor in any equation Edwards develops. Nobody should be surprised if tensions from time to time develop between Edwards’ commission, other government entities, and the stakeholders of multinational technology firms.”
Trevor Morgan, Product Manager, Comforte
“The European Commission has made it clear it could intervene at any point if the U.K. deviates from the level of protection currently in place,” said James Castro-Edwards, data protection and cybersecurity lawyer at law firm Arnold & Porter. “It could potentially revoke the U.K.’s adequacy decision, which would be problematic and costly for U.K. businesses that receive personal data with Europe.”
How Edwards navigates this potential conflict “will be one of the key determinants of the success or failure of his tenure,” said Tegan Miller-McCormack, associate at law firm Katten Muchin Rosenman.
“The U.K. government views the reform of its data protection regime as one of the biggest potential benefits of leaving the EU, as it wants to create an ambitious, pro-growth, and innovation-friendly data protection regime,” said Miller-McCormack.
“A good example of the balancing act Edwards will need to perform will be tested by how successfully he assists in the negotiation of adequacy partnerships with non-EU states, including the United States,” she added. “The freedom to negotiate such agreements is one of the most obvious potential Brexit bonuses, but in doing so, Edwards will be acutely aware of not threatening the EU’s adequacy decision.”
Edwards will face a range of other tough challenges, too—namely, how the United Kingdom intends to police Big Tech firms.
While serving as New Zealand’s privacy commissioner, Edwards took “fairly unyielding positions” toward Facebook, Google, and others, said Trevor Morgan, product manager at IT data security vendor Comforte. Morgan warned Edwards might have to dial his criticisms of social media firms down to suit his dual role as data regulator and “brand ambassador” for the U.K.’s planned data protection policies.
“Big Tech is a particularly thorny issue given the tentacles it has into economies, innovation engines, and political developments and influence. It will be a huge factor in any equation Edwards develops,” said Morgan. “Nobody should be surprised if tensions from time to time develop between Edwards’ commission, other government entities, and the stakeholders of multinational technology firms.”
Laurence Winston, partner and co-head of law firm Crowell & Moring’s International Dispute Resolution Group, said upholding citizens’ data rights and taking a proactive role in investigating and sanctioning breaches might be even more of a priority in the United Kingdom following the lack of successful class actions holding companies to account for alleged data abuses.
In November, the U.K.’s Supreme Court rejected a legal claim that sought billions of pounds in damages from Google over alleged illegal tracking of millions of iPhones. In a unanimous decision, the court said it was necessary to establish what, if any, unlawful use Google had made of each user’s personal data and what material damage had been suffered by the user as a result.
Winston said the ruling might have set back the possibility of future data privacy class actions from arising.
“The decision … has had major implications and has thrown up doubts over the future of class actions, opt-out claims, and the kind of damage suffered when a person loses control of their data,” he said.