There was a time when data protection was almost a byword for something dull, boring and technical.
Not any more. The past few years have seen data protection issues rarely out of the headlines, from major security breaches at household name companies to recent controversies over GP data and vaccine passports.
There have also been two major upheavals in the law, with the new General Data Protection Regulation taking effect in 2018, followed by the post-Brexit changes as the UK disentangles itself from EU laws.
But as data protection has grown in importance and attracted wider interest, there has been increasing frustration at the way data protection law is enforced and regulated. In particular, the Information Commissioner, Elizabeth Denham, has become the target of criticism for failing to take more robust action to enforce the law. This criticism reached the mainstream last week when the Telegraph published an opinion piece entitled ‘The Information Commissioner’s Office is letting us down’ (£), arguing that the Commissioner had spent too much time chasing headlines and not enough enforcing the legislation. This was followed quickly by a lengthy rebuttal on the ICO’s website.
What should we make of all this? The context here is important, so perhaps we shouldn’t be surprised by the timing of these public criticisms. Elizabeth Denham’s term as Commissioner runs out in October, when a new Commissioner will take up the role. We don’t yet know the identity of her replacement, although the strong favourite is John Edwards, currently New Zealand’s Privacy Commissioner. Some of the public criticisms look like a not-so-subtle attempt at influencing the new Commissioner to take regulation in a new and different direction.
Many of the criticisms raised by the Telegraph and elsewhere are well founded. Elizabeth Denham has had a higher public profile than any of her predecessors, regularly appearing in public to discuss data protection issues and ensuring that the ICO has contributed to debates around artificial intelligence and new technologies. But in terms of regulation, the ICO has used its significant powers sparingly since 2018 and has preferred to offer advice and guidance rather than impose heavy fines or issue formal enforcement notices. Whilst businesses certainly welcomed the Commissioner’s softly-softly approach at first, many are now questioning whether it is too lenient. My clients who work hard to get it right tell me that they’re frustrated to see competitors gaining an advantage by ignoring the rules with apparent impunity.
In the EU, regulators have taken an altogether more robust approach. This week it was announced that Amazon had been fined a record €746 million by the Luxembourg data protection authority, while elsewhere regulators have already racked up hundreds of smaller fines. Of course, effective regulation is not all about fines and we should not underestimate the importance of the ICO’s advisory role. But demonstrating that non-compliance has consequences is one of the best ways to persuade reluctant organisations that data protection matters.
On the other hand, there are clearly some within the current UK government who do not wish to see the Commissioner taking a stronger approach and would prefer data protection to return to its former low profile. There have been repeated statements from within the UK government about the cost and perceived burden of data protection compliance, as well as the potential to use the power of data to drive economic growth. The Information Commissioner is independent of government but, in a post-Brexit world, the UK government now has a far greater role in terms of setting the direction of data protection policy. These voices are going to be difficult to ignore.
It feels like we are at a crossroads, with the future direction of data protection regulation unclear. Do we want to see the regulator as a largely advisory body, offering advice and guidance but leaving the difficult issues of enforcement to the courts? Or would we prefer an active and interventionist regulator that isn’t afraid to challenge the organisations it regulates (including, of course, the government itself)?
Whoever takes on the role as the next Commissioner is going to need a thick skin, expert diplomacy skills and the balance and poise of an Olympic gymnast. Good luck!