Addressing a room full of privacy professionals at the IAPP Global Privacy Summit 2022, U.K. Information Commissioner John Edwards envisioned many would be looking to regulators to “just tell us what we need to do” to minimize risks, reach compliance and reduce associated costs.

“That’s fine,” Edwards said. But he was quick to point out that the most “important thing” about privacy and data protection is “the human story.”

“You’re going to see your drug counselor later today. You made that insurance claim last week. How do you feel about your kids meeting with the school and the school not treating their personal information with respect?” Edwards asked. “We are not here to put regulations in your way. We are here because these things are fundamental rights. You have these rights, your customers have these rights, and if you respect them, you will build trust and add value. If you don’t, you will burn it down as we’ve seen time and time again.”

During a “Commissioner’s Chat,” moderated by Center for Information Policy Leadership President Bojana Bellamy, CIPP/E, Edwards and German Federal Commissioner for Data Protection and Freedom of Information Ulrich Kelber discussed a variety of key topics facing regulators, businesses, and individuals today, including enforcement, data protection reform, and the privacy and data protection regulatory environment.

That environment is different today for Germany, a part of the European Union, and the U.K., which exited the EU and established its independence in 2020. Kelber and Edwards, who was appointed U.K. ICO last fall, outlined differing views on Brexit and what it means for regulatory approaches.

While Edwards believes Brexit has presented an opportunity for greater regulatory certainty “by moving in a way that does not rely on consensus building across 27 diverse legal and cultural linguistic traditions,” Kelber disagreed, saying reaching a consensus among the European Union’s 27 countries and those within the European Economic Area “means greater impact on the way technology and business cases develop” and is “very valuable to us.”

Regulatory priorities

Following Brexit, the U.K. retained the General Data Protection Regulation. Last fall, three years after its implementation, the U.K. government announced a consultation reviewing potential revisions to the data protection regime. While the GDPR has its benefits, most notably its “principle-based” approach that gives “a really clear steer about the expectations for data processing,” Edwards said that high-level principle also contains weaknesses, and “sometimes uncertainty creeps in.”

While there is much in the consultation “we can live with,” Edwards noted some ideas would “take the U.K. quite significantly out of step with some of our colleagues in Europe.” The consultation advocates for adopting a risk-based compliance framework, including removing the requirements to appoint a data protection officer and conduct data protection impact assessments. It also notes reform of the ICO to create “a clearer mandate for a risk-based and proactive approach to its regulatory activities” and would give the Secretary of State powers to identify “strategic priorities to inform how the ICO sets its own regulatory priorities.”

Some of the potential changes give businesses flexibility to “take a risk-based approach,” Edwards said, which he also plans to do as a regulator. But he is concerned about any proposal that would affect how the independence of the ICO is perceived and has advocated before regulators for the importance of maintaining an independent regulator in the U.K. Overall, he believes his messages have been heard.

He also sought to allay any fears that the reform would jeopardize the U.K.’s data adequacy status.

“There is plenty of scope. I think we need to focus on what is important for ensuring that the fundamental rights are not reduced, preserving those, and seeing what’s left,” he said. “Law is not a static thing. Laws are human creations to serve humanity. We don’t serve the law. The law serves us. And as circumstances change, we have to be prepared to review those regulatory standards and continually ask ourselves, ‘Is this achieving what we wanted for it?’”

During a separate Global Privacy Summit session, European Data Protection Supervisor Wojciech Wiewiórowski discussed an upcoming June conference in Brussels during which GDPR’s global stakeholders will connect to discuss enforcement strategies and GDPR’s efficiency. Wiewiórowski doesn’t anticipate “a huge change in data protection law in Europe” in the near future but said it’s an opportunity for “an open discussion on what are the experiences in enforcement and future models.”

Beyond the GDPR, Kelber said, “an endless stream of new tasks” is coming before data protection authorities, from technical developments to new and proposed regulations, including the Digital Markets Act and Digital Services Act — each of which was recently agreed to provisionally by the European Parliament and European Council — Data Governance Act, and AI Act. The suite of data regulations will mean a “regime” change, Kelber said, with “better cooperation between data protection authorities and antitrust authorities.”

Pointing to AI as an example, he said an understanding of technologies’ systems and activities could be enhanced, and potential issues within them like concerns around discrimination or bias could be better addressed.

With the increased creation and use of surveillance technologies around the world, Kelber also pointed to the area as one of concerned focus. He said the technology negatively impacts citizens and business competition and does not belong in the government or private sectors.

“To stop that kind of spying, to make people really give back control over their personal data is not just a question of innovating, but it’s a question of can you survive as liberal democracies, as open societies, in the digital age,” he said.  

On the other hand, Edwards noted surveillance technologies are being used in various ways to assist Ukraine amid Russia’s invasion, and he’s “actually ok with that.” An “absolutism” mindset against the technology may not be the way to go, he said.

“We need to surface these kinds of legitimate activities of the state, and the state’s first responsibility is the protection of its citizens. We need to surface these and be honest about them and say under what conditions in a free, rule-of-law-based Western democracy should these conditions take place,” he said. “These are not questions about security versus privacy, or surveillance versus privacy. These are not zero-sum games. We need to have 'and' conversations, not 'either/or' conversations.”

Privacy as a business enabler

Though data protection authorities are tasked with enforcing regulatory compliance, Edwards and Kelber agreed that privacy can be an enabler for businesses instead of a compliance burden.

“There are business cases which are in confrontation with privacy and will be and will stay there and it’s good to block these kinds of business cases. We will not be an innovator at any cost,” Kelber said. “But I see that companies which really research what data they have, or risks there are, see they can do much more with the data they have than before they did privacy auditing.”

For larger companies and governments, he added, it’s “easy to show them (that) there are alternative ways of doing the things they want to do and that the trust of people of giving their data, of adapting new services, is a crucial thing for them.”

Privacy regulations are a “how to, not a don’t do,” Edwards said, but when the government or a regulator tells a company what they need to do, it may not be warmly embraced.

“All the privacy laws in the world are predicated not from the need to lock stuff down, but on the recognition that data needs to flow, and it sets parameters and expectations for how that should occur safely,” he said. “If you don’t come up to me and say thank you for the law which protects my data, that’s fine, I don’t mind. But don’t blame the law for getting in the way. The law is actually there protecting you and your clients and their value.”