European Affairs Committee
Corrected oral evidence: Data adequacy and its implications for UK-EU relations
Tuesday 23 April 2024
3.35 pm
Members present: Lord Ricketts (The Chair); Baroness Anelay of St Johns; Baroness Ashton of Upholland; Baroness Blackstone; Baroness Hayter of Kentish Town; Lord Jackson of Peterborough; Lord Jay of Ewelme; Baroness Lawlor; Baroness Ludford; Baroness Nicholson of Winterbourne; Baroness Scott of Needham Market; Lord Stirrup.
Evidence Session No. 3. Heard in Public. Questions 28 - 34
Witness
I: John Edwards, Information Commissioner, Information Commissioner’s Office.
John Edwards
Q28 The Chair: A very warm welcome to the European Affairs Committee, continuing our inquiry into data adequacy and its implications for UK-EU relations. We are delighted to have John Edwards, the Information Commissioner, with us this afternoon, to pursue our inquiry. John, you are very welcome to the committee.
We are being broadcast. There will be a transcript, which we will give you every opportunity to comment on. We will try to do this within an hour, if we possibly can.
To get us started, I will ask you an opening question to set the scene for us. Could you talk a little about the strengths and weaknesses you see in the Information Commissioner’s Office now? Do you have the tools you need to do the task? Do you have the right level of enforcement capability, through notices and fines? How would you assess the role as it is currently structured?
John Edwards: I might ask you to repeat the bits of the question that I miss out. It was a multi-part question, but I will approach it as fulsomely as I can.
The Information Commissioner’s Office has a whole economy jurisdiction. It covers millions of data controllers in relation to 70 million individuals. There are hundreds of millions of transactions involving data every day, and not all of those go well or according to the law.
We have to make very methodical choices about how we allocate our resources, how we choose to encourage compliance, how we enforce and how we investigate. Some of the enforcement is hugely resource-intensive, so we need to be very judicious in the way we select the matters to intervene on.
I should just fill the committee in on my own experience; I am not sure if you have had a briefing in advance. I came from eight years in a similar role in New Zealand and, prior to that, many years as a practising lawyer.
It seems to me that there is very little evidence on the efficacy of different modes of enforcement and regulation, but there is evidence that the single most significant determinant of compliance with regulations is ease of compliance. That means that, if we at the ICO can invest to assist the businesses, NHS trusts, charities and clubs of the United Kingdom to meet their obligations to respect the data that has been entrusted to them, then we can have far more impact than we would if we allocated the entirety of our resources to the game of whack-a-mole that is enforcement, prosecution and management of appeals.
I think that the ICO does a good job of enforcement. You will have seen contrary views. There are critics who believe that the efficacy of enforcement is measured by the stack of fines. I do not believe that that is the case. It is much more difficult to measure the impact one has in the economy for the protection of individual rights, but the fact that it is difficult does not mean we should not strive to do that, and to apply our resources where they will have the greatest impact.
I would accept the statistic—I will not call it the criticism—that the ICO is not in the top rank for issuing fines. I would ask, by way of response, whether those jurisdictions where fining is the instinctive response to non-compliance are actually achieving better outcomes for their citizens.
The Chair: We will unpack all those issues.
Q29 Lord Stirrup: Good afternoon. Can I ask you about the issue of the independence of the Information Commissioner? I would be grateful if you could address the issue from a number of different perspectives.
Clearly, it is important that, in exercising your function effectively, you have sufficient independence, but equally it seems that one of the key risks to future agreements on data adequacy is going to be the perception of the independence of the Information Commissioner, and particularly the perception within the EU. You have the issue of substance, but you also have the issue of perception.
There is also, of course, the question of whether you feel the degree of independence you have now is sufficient, but also what you think may well happen in the future with the Data Protection and Digital Information Bill. How will that impact upon your role and, again, upon the question of EU perceptions? I wonder if you could talk us through those related, but in some ways slightly different, issues.
John Edwards: As a whole economy regulator, a lot of our business is directed towards government, including Ministers and Secretaries of State. This is in both jurisdictions. I know you are primarily concerned with data protection in these hearings because of the link to adequacy, but it should be remembered that I have an important jurisdiction under the freedom of information legislation, and that is a really essential part of the accountability framework for this Westminster system of public administration.
I cannot discharge either function—regulating the public sector under the GDPR or in freedom of information—without a high degree of operational independence. I dare not use the phrase “absolute independence”, because there is no such thing.
I am aware of the reservations colleagues in Europe have expressed about the proposed reforms. I am not aware of any reservations that have ever been expressed about the current state of the ICO’s independence. The ICO is a very well-respected regulator internationally, and I am sure your special adviser will be able to confirm that from his networks.
The reservations that I have heard and tried to address about the impact of the proposed reforms in the Data Protection and Digital Information Bill are misinformed. I have visited and provided evidence to the LIBE Committee, which I understand is in correspondence with your inquiry, and answered these questions directly. I have met with Commissioner Reynders and have talked through these.
The Government are very conscious and aware of these sensitivities, and have been responsive. When I took up my post, I advised Secretaries of State and Ministers that I would like to get into a position where I was able to publicly support a reform Bill, and that that support would depend on three bottom lines, or red lines, being met. One was that there should be no reduction in the fundamental rights of people of the United Kingdom; the second was that the reforms should not put at risk the United Kingdom’s adequacy status; and the third was that the reforms should not unnecessarily raise the compliance costs of legislation.
I was happy to be able to effect changes to policy behind the scenes, unheralded, that allowed me to come out and say that I believed that those red lines had not been crossed. The Government, as I say, were responsive.
I expressed a reservation in quite hearty terms about the proposal that the Secretary of State would have responsibility for the appointment of the chief executive of the new Information Commission, and that measure was dropped. I understand that that was not an attempt to compromise the independence of the ICO at all. My instinctive reaction to that was that it is the chair’s first and most significant duty to appoint a chief executive, and that must be an unfettered duty. I understand, in fact, that there are many regulators that do have that model where a Secretary of State appoints both chief executive and chair, but I pushed back on that, and the Government responded and dropped that proposal.
There was a proposal that worked its way into the first draft of the Bill, I believe, that the Secretary of State would retain responsibility for signing off significant guidance issued by the ICO. I was concerned about that, but we worked with DCMS, as it then was, to restrict the circumstances in which the Secretary of State would be able to influence that, to such a degree that I was comfortable with where that got to and, in fact, was comfortable with the level of transparency. If the Secretary of State were to decline to issue guidance submitted by my office to hers, she would have had to have reported that to Parliament.
The European Commission, I understand, also expressed reservations about that finalised position. The Government responded to that and have backed out of that. I am very confident that the independence of the ICO has been retained.
The remaining issues that cause some discussion in Europe are, I think, misunderstandings. There is an obligation, for example, for the ICO to have regard to certain strategic objectives of the Government. In a common-law jurisdiction, an obligation on a statutory body to have regard perhaps has a different meaning than it may in a European code Napoléon kind of environment.
I cannot speak to that, but I can say that there remains on the statute an obligation on the ICO of independence. That, to me, is the overarching obligation. An obligation to have regard to strategic objectives is not an obligation to enact those. There is no ability—this is the clincher—for any member of the Executive to exert any influence on the day-to-day operational, quasi-judicial, regulatory activities of the Information Commissioner, now or under the proposed reform.
I am confident that I will remain independent and that the structures that established the office and under which we will operate will reinforce that independence. There is enhanced accountability under the Bill, and I welcome that. That is important.
Lord Stirrup: You make a powerful case. I realise there is a degree of hearsay in this, but these are not legal proceedings. Are you able to say how well your case went down with your European interlocutors such as the Commission, the European Data Protection Board, LIBE, et cetera? Did they give the impression that they were being convinced by you, as we are?
John Edwards: LIBE is a particular forum that welcomes a wide diversity of opinion. It is a robust forum, and I would be misleading this committee if I said that there were any road to Damascus moments as I presented my full-throated defence of the UK reforms.
I believe that colleagues in the European Commission have had a much greater level of comfort, having had those explanations. I have offered to brief the European Data Protection Board on the reforms; to date, that offer has not been taken up. But on a bilateral basis I meet with colleagues from Italy, Germany, Belgium and France, and each time I have a bilateral with those independent regulator equivalents, they ask me about these questions and I explain, as I have to you, why I remain confident that the independence of the office will not be compromised by the reform.
If I may, I will take a step back, Chair, if I can be indulged for a moment.
The Chair: You can do that briefly. I am just watching the time.
John Edwards: It is important to frame what this thing called adequacy is. First, it is a terrible word. Nobody congratulated their child for bringing home a school report with “adequate” written on it. There are different terms used in Europe. One of them is “essential equivalence”, but fundamentally what we are concerned with here is my ability to say to my colleagues in Europe, “When your data is in my jurisdiction, it will be as safe as it is at home”. I have no hesitation in being able to provide that assurance to any European colleague.
Baroness Hayter of Kentish Town: You twice used the expression “independence in day-to-day activities”. For some of us, of course, that makes us very jumpy. Our concern is whether you have independence over your budget-setting and business plan.
I guess some of us are a bit jumpy because of what happened with this Government with the Electoral Commission, which has now been mandated that it must take account of guidance. I think “guidance” was the word; I have now forgotten. That was seen as an attack on its independence.
It will not just be what happens; it will then be reviewed in the future. I am looking at whether day-to-day independence is sufficient independence, because there is something much bigger than your day-to-day activities.
John Edwards: I am very pleased that you have mentioned budget and financial matters, because that is the reality of independence. I have seen in other parts of the world regulators choked. They can have all the independence they want, but if they have no resources to deliver on that then they cannot.
The ICO is quite unique in its funding model, in fact. It is funded through a levy on data controllers. That means that we are quite resilient, and we are at a degree of arm’s length from the Government. We get a certain amount of grant in aid for functions under network infrastructure security, freedom of information and a couple of other line items, but that comes to about £10 million. The rest of our budget is collected from individual feepayers. That provides an extra level of independence that even many of my European colleagues do not enjoy.
Baroness Blackstone: You have told us quite a bit about the current Bill that is going through Parliament, and suggested that it does not cause the problems that some people in the EU seem to believe it does. Could we go back to the 1918 Data Protection Act, and could you tell us a bit about any issues that concern you about that Act? In doing that, could you say something about the extra costs it imposes on organisations?
John Edwards: Do you mean the 2018 Act?
Baroness Blackstone: Yes.
John Edwards: I ask only for the purposes of precision, because there was a 1984 Act, but you are talking about the 2018 Act which is directly reformed by this Bill that is now working its way through the Houses.
The Government, in their policy consultation, wanted to provide a greater level of flexibility. They have engaged the business community to see whether further flexibility might be able to be provided in a reformed Bill. That is what most of the substantive amendments are intended to achieve.
I have experience all around the world in data protection. There is a strength of the approach in the UK and Europe to data protection that is also its weakness. In order to cover the infinite variety of data transactions that data protection regulation reaches, the rules must be set at a level of abstraction or general principle. That helps us to apply the same rules to an NHS trust as we do to an emerging technology such as artificial intelligence. The legislation is technology-neutral and, as I say, it is principle-based.
The downside of that is that there is some uncertainty. There is a cost to business in trying to figure out, “Is this thing that I want to do with the data a legitimate interest?” If I get a judgment wrong on that, I am going to be in the gun for 4% of my revenue in fines, so I am going to spend a lot more money on lawyers to get certainty about that.
The Government responded to that with this legislation, by providing greater certainty about aspects of legitimate interest and greater clarity about when data might be used for research purposes. That is a legitimate approach. I do not believe it meaningfully weakens the legislation, but if it releases cost from the economy without compromising fundamental individual rights then it is the right thing to do. I do not see that it does compromise rights, and it may well improve the efficiency of business.
Baroness Blackstone: Do you think those costs are not so high that they are causing enormous problems for some kinds of organisations? Do you think they are contained?
John Edwards: I believe that it is incumbent on me as the regulator to spend once at the centre for the whole economy to benefit from that. Rather than 10,000 small organisations going and spending £500 on legal advice, I can spend a few thousand pounds on guidance that is then accessible to them. That is the approach that we have taken, and that is the approach that I brought with me from New Zealand.
We invest in guidance. We create tools for businesses. We have created a subject access tool. We have just recently issued a privacy statement generator tool. There is guidance on how to responsibly develop AI. We have what we call a sandbox, which allows innovators to join in and work with us and understand how the law applies to them. We have an innovation advice service, which any organisation can come to and say, “I don’t understand how this aspect of the law is going to apply to my business model. Can you help?” They will get an answer within 10 working days. It is a really important role of the regulator to provide that guidance and certainty and, as I say, to invest on behalf of the wider economy.
Baroness Blackstone: How far does compliance with the EU data regime cause extra costs?
John Edwards: I would say it is impossible to answer that question. It is also unhelpful without the counterfactual.
If we in the UK did not have a data protection law that was robust—if we relinquished adequacy—that would impose an enormous cost on the economy. I have seen different estimates from different departments, and I will not speak to those because I cannot vouch for the analysis behind them, but it is tens of millions of pounds.
It is a frustration to me that we have this proliferation of instruments to allow for the movement of data from one jurisdiction to the other. There are standard contractual clauses, there are binding corporate rules, there are codes and certification mechanisms, and each of these comes with a cost and is a drag. Having adequacy means that it is absolutely seamless and frictionless for data to move from the UK to Europe, and that is of huge economic value to this country.
The Chair: That is a very good transition to Lord Jay, who is going to ask about the implications of adequacy not being granted next time around.
Q30 Lord Jay of Ewelme: You have talked a bit about independence. You have talked a bit about LIBE’s view. Like you, I have given evidence to LIBE in my time.
I just wondered, in the light of all that, whether you believe there is any risk to the UK’s adequacy status. I am not asking whether you think there should be, because we already have the impression that you think there should not be, but whether you think there is, and whether you think others might question some of the things that we are doing, and whether that might call our own adequacy into question.
John Edwards: I will answer your question directly. Is there a risk? Yes. I challenge any colleague in Europe to take the Bill that is now before Parliament and compare it with the GDPR as enacted in European jurisdictions, and to find another regime among the other 15 adequate countries that is more similar than the United Kingdom’s is to Europe. If there is a risk, it is a risk based on political machinations, rather than on principled analysis.
Lord Jay of Ewelme: What scope is there for you to reduce that risk between now and the time when a decision has to be taken? Is that something that is on your mind? Are you worried enough about this to be making contingency plans in case there were a withdrawal of adequacy status and what that would mean for us?
John Edwards: I will not orient the business of my organisation towards meeting a standard required by Europe. I will continue to act as instructed by the legislation under which I am appointed. I believe in showing, not telling, so the way that I discharge my functions as commissioner now, and the way I will as chair of the new body, will demonstrate the independence that the European Commission values and wishes to see.
Baroness Ludford: I just wondered if you could give us a view on whether it is possible, and if so how far it is possible, for the UK to innovate—that is a slightly loaded word—in its approach to data protection and retain the adequacy status.
You mentioned the issue of legitimate interest. I remember that that was probably one of the biggest disputes, if not the biggest dispute, certainly within the European Parliament when I was there, in the drafting of the GDPR. We understand that the Commission considers provisions of the Data Protection Bill providing for the Secretary of State to amend and potentially expand the criteria for organisations to have a recognised legitimate interest in processing personal data to be problematic. I just wondered how far one can innovate without undermining.
John Edwards: To the specific point, I have seen the LIBE correspondence that described concerns about what it called a Henry VIII provision, allowing for executive amendment. I would call that a contingent risk.
The fact that the capability to make those adjustments occurs should not in itself cause alarm. However, the way in which a Secretary of State chose to exercise that power might well be subject to scrutiny, and I am sure it would weigh heavily upon her mind that that scrutiny would follow from any such exercise of that power.
Baroness Nicholson of Winterbourne: Riding on the back of your point about our capacity to innovate or not, I was intrigued by your bilateral discussions. I merely wondered whether you were planning to follow those up. There is a multiplicity of approaches, as we know, in the European Union member states on this issue. Some are tougher than others, some are less competent than others and some are exceptionally good—Germany, in particular. Do you see any opportunity to influence and change from inside once we are closer to it?
John Edwards: First, to return to the point about innovation, I believe I did not adequately respond to Baroness Ludford’s question on that, so I will come back to it.
We can innovate plenty. One of the things that we have innovated on in the UK is issuing a children’s code, which has specified a number of ways in which the online environment for children can be improved and made safer. A number of large tech companies have altered their practices and service offerings for children as a result, and they have rolled those out all over the world. In innovating in that way, we have improved privacy for children in Europe, as well as in the UK.
The ICO continues to be a very respected regulator. Although it is difficult to influence Europe as a bloc now that we are no longer on the EDPB, that also gives us an advantage in being more fleet of foot and in being able to settle positions without having to negotiate with 27 others. That can be very influential, because our position on matters such as AI is very much respected. We are currently consulting, for example, on generative AI models, how the UK GDPR principles apply to them and what our expectations are. I expect that colleagues in Europe will be influenced by those as well.
When we talk on a bilateral basis, there is very much a productive sharing of ideas. We sit on a data protection authorities group of the G7, which has France, Germany and Italy as members. On that, we are able to issue position papers setting out our shared understanding of the challenges that we face and enforcement opportunities that there are. Those are sometimes picked up by our international colleagues, so that influence continues even though the formal means of accessing the collective in Europe are no longer available to us.
We also have memoranda of understanding with European authorities, principally with the Irish Data Protection Commission, and that is very important to share information. We will be proceeding with more of those bilateral memoranda of understanding.
Q31 Lord Jackson of Peterborough: As an observation, I wanted to say that, in my experience, your organisation has been very flexible and has worked very well. You have not made a fetish of data and freedom of speech or freedom of information, which some stakeholders across the world have done. In other words, you understand—I read your speech to LIBE last May—that subject access requests can be excessive and vexatious, for instance, and so there has to be a balance. That is my observation, rather than a question.
My question follows on from Lord Jay’s earlier question. You talked about how your organisation is a pan-economy organisation and regulator. What specific sectors of the economy would be most hit by the potential lack of an adequacy agreement with the EU?
John Edwards: It would be small to medium-sized businesses that do not have the resources to work to the higher level of compliance that the GDPR applies, yet still interact with colleagues or customers in Europe.
There is one statistic that might interest the committee. I am going on a rather faulty memory, but I am sure your adviser will be able to look it up and assist. When the GDPR came into force, something like 1,200 US media organisations cancelled their operations in Europe because they could not see how they could comply and remain profitable. That is the kind of warning that I am sure policymakers are very aware of here in considering the risks of getting too close to the line of imperilling adequacy.
Lord Jackson of Peterborough: You will be aware that, as we discussed last week, there is an imbalance between the big players in data and SMEs. In fact, the academic report in 2022 showed that SMEs had a 12% drop in sales, admittedly in that one year after the 2018 Act and GDPR came in, as opposed to bigger organisations where it was less than 2%.
You have answered the question as to who might be affected. If it was likely and you had a reasonable amount of notice, what steps would you encourage representative organisations in government to take to protect those businesses from irreparable damage to their business model by the lack of an adequacy agreement?
John Edwards: It is difficult to think about in the abstract, I am afraid. It would depend on the nature of the objection, but, generally speaking, businesses would need to be able to provide assurance by an alternative means that data was going to be protected in the UK. That would involve giving assurances of equal individual subject access rights, maybe security standards, or undertakings that there would be no onward transfer to third countries, for example. Those might be some of the things.
As for what we would do, it would be incumbent on my office to provide the tools, again by way of templates, which we have done in the past. We have developed standard contractual clauses and other similar tools that businesses should be able to take off the shelf and adjust for their purposes, so that they are not having to spend £1,000 with their local solicitor to develop something. In that hypothetical, we would be trying to take the cost out of the economy for them.
Lord Jackson of Peterborough: Finally, is it your sense from talking to your colleagues in the European Union that, should an eventuality such as that happen, there might be recourse to litigation via the ECJ, or do you think that is a step too far?
John Edwards: I am sorry: at whose suit?
Lord Jackson of Peterborough: If there was a breakdown in the relationship between the Government and regulatory authorities as between the UK and the EU, how tough would the EU be in protecting its single market in data?
John Edwards: It is difficult to know. The route would probably be that a European regulator would enforce against a European data controller that was transferring data to the UK. That controller might then challenge that decision, and that would then potentially work its way to the court. That would be where a contest might be heard about the nature of the Commission’s assessment, whether in fact the UK was adequate, and whether the steps taken to secure the transfer were sufficient according to the domestic law.
Q32 Baroness Anelay of St Johns: I am going to ask questions that build upon the questions asked by my noble friends Lord Jay and Lord Jackson, about what would happen if a no-adequacy decision was made and what impact it would have on you.
First, earlier you mentioned the work that you do to advise business, and you have just referred again to it. If there were a no-adequacy decision, what impact would that then have on your budgetary position with regard to providing new and different advice to businesses affected?
Secondly, earlier you mentioned the international reputation that your office has earned for the work that it has delivered. Might that international reputation be at risk as a result of a no-adequacy decision?
John Edwards: To the second question first, I do not believe so, because we will continue to do what we do, and our work will continue to be held in high esteem. I will continue to work closely in international fora and to develop opportunities for enforcement co-operation. I do not see that that would reflect on the ICO, unless of course the decision was that the UK is no longer adequate because the ICO is not independent. That would be an irrational decision, and I do not see how it could come to that.
To your first question, if the EU determined that the UK was no longer an adequate jurisdiction, what effect would that have on my budget? It would not have an effect. We would divert resources to help businesses to cope with the implications and costs of that decision, but we are always moving resources around depending on what the most pressing issues on the economy are.
In the last year, we have done more on AI, for example, than we might have expected to, because that has exploded on to the scene and really necessitated a robust regulatory response. Everything that we decide to allocate our resources to comes at the cost of something else.
The question of whether we enforce enough was asked. I do not know how much is enough, but we cannot be out there prosecuting or fighting appeals in the courts if we do not have the resources because we decided to make allocative decisions elsewhere.
Baroness Anelay of St Johns: Are you, in effect, saying that it would have an impact on the way in which you determine priorities and the way in which the current budget is allocated?
John Edwards: No, I do not believe so. I could show you a spreadsheet that we have at the moment of guidance that we will have to issue or update when the Data Protection and Digital Information Bill is passed. There are dozens of lines on that. The impact of the scenario that you are describing would mean that guidance about how to deal with no adequacy would find its way to the top of that list.
Q33 Baroness Scott of Needham Market: Earlier in the session, you talked to us about the fact that you have been involved for some time with the genesis of the new Bill. Presumably, that includes the governance changes, which are quite far-reaching in the establishment of the commission. Can you confirm that you are comfortable with those? More importantly, can you explain to us how you see the merits of changing to that system and what the possible risks are.
John Edwards: The model of a corporation sole, which I now am and operate under, was suitable for the time of its design, when there was a small, suburban office administering data registration in Wilmslow, in Cheshire. We have retained that governance model through the GDPR, and we now have something like 1,100 staff, a budget of £80 million and an enormous diversity of regulatory activity. I am not sure that the corporation sole model is best placed for that.
I support the move to a commission with a board. That will enable us to have a wider diversity of skills and expertise available to the organisation, and it will provide us with resilience in governance. It will enhance, rather than diminish, the independence of the organisation. There will be a contest of ideas at that board table.
Baroness Scott of Needham Market: I wanted to ask about potential risks.
John Edwards: There is always a risk in execution, is there not? As we effect the transition from the current state to the future state, it is about timing and making sure that we have a board in place. That is not something that would be entirely within my control. As I have tried to build up my experience of and knowledge about public administration in the UK, particularly with arm’s-length bodies, every interaction I have involves a rolling of eyes at the protracted processes that organisations go through in appointing members. That is not an ICO problem; that is a system-wide issue, and it causes some frustration.
My office has been planning for this transition for a couple of years, and we have a staged approach. We were working with government on the stages at which the different provisions of the law will be brought into effect. We have engaged in a pretty robust risk assessment and minimisation process.
Q34 Baroness Ashton of Upholland: We are coming towards the end, so I am glad to be able to get you to think about the future. I wonder if you can do two things. The first is to let us know how you see the long-term future, bearing in mind, as you have mentioned, that things such as AI and so on are constantly changing the way that we have to think about data. My question is about the future in the context of the different levels and types of information, but also just generally.
Secondly, because you have experience from New Zealand, I wonder if you can give us a reflection on your experiences, especially with APEC, but also thinking about new and innovative ways of dealing with data and alternative models, one of which—the global cross-border rules system—we know about. How do you feel about those? They are a bit like shiny objects at the moment, in my view. They look good but I am not entirely convinced, so I would be grateful if you could give us a general view on that.
John Edwards: The imperative for data to move around the world has been recognised. It is essential to the global economy. The former Prime Minister of Japan captured it nicely at the 2019 G20, when he spoke of the need to provide for data free flow with trust. That phrase now informs many of the international conversations that we have on this point.
The adequacy framework, with the European Commission anointing different jurisdictions, had great promise but has not lived up to that promise. In all the years, we have had only 15 jurisdictions. There is not a mutual recognition of adequacy, so that on its own is not going to work.
We need to be open to the convergence of different approaches or interoperability between different approaches. There are different cultural and legal traditions around the world. It is not appropriate for one economy to insist that those are abandoned. We have to recognise that there are different approaches to some of these issues, but there should be ways and mechanisms for the different systems to interoperate.
The global cross-border privacy rules system has potential to bring some of those schemes and systems together. We have signed up to the Global CAPE—I cannot remember what it is called, but Steve will be able to tell me. It is a precursor to joining. The UK is an associate member of the global CBPR. The global CBPR represents an advance from its predecessor, which was the APEC CBPR, but it still needs some movement.
I have been very encouraged in the discussions that I have had on the CBPR to see European colleagues start to join the conversation. With the APEC version, that was never an option, so there was no future for it as an international instrument. The fact that the conversation is starting to move to “yes, if”, and starting to talk about possible ways in which a framework could get closer to an international standard, is encouraging.
Baroness Lawlor: I would like to come in on that. You are a lawyer by background, and you have been a practising lawyer for a great deal of your life. You have also been New Zealand’s privacy protector, as it were.
I am very interested in what you say about the interoperability of systems. As a lawyer, how do you rate the different bases in law? Ours is the common-law approach, or was until we joined the European Union, but there is a strong movement among many lawyers now to try to restore common-law principles to our trading. Would you like to comment as a lawyer, and also as Information Commissioner, on this interoperability and how you see it working across the different legal systems?
John Edwards: Speaking ill of my former profession, lawyers are the ones who make a mess of this and add cost. There are hugely complex instruments that are produced to bridge one system to another. I have my own reservations as to whether those deliver any material benefit to any person within the home jurisdiction. They are really there to satisfy a legal construct, rather than to provide material benefits.
To come back to your question, for policymakers, lawyers and parliamentarians, it is about engaging with the question of why we are here and how we protect people’s information. It does not necessarily mean that every single entity has to have a data protection officer. It does not mean that every organisation has to generate a piece of paper called a record of processing activity. It means a commitment to respecting people’s data and information, keeping it safe and ensuring that access from government entities is undertaken only in accordance with the rule of law, with specific parliamentary authority. It is about principles such as that, rather than getting into the details and cross-mapping.
Baroness Lawlor: What I was getting at was exactly what you are saying. In some systems you have a more permissive law, and that was the basis of our legal approach, certainly to business. With shared principles such as data privacy, protecting consumer privacy, not transferring data outwards and so on, could a system of righting wrongs where they occur be a better system under a clear legal arrangement?
John Edwards: Thank you for the question. When we go back and look at all the litigation in Europe, we find that it goes back to the Snowden revelations. Millions and millions of pounds of expense has been caused by an anxiety that, if data goes to the US, it may be accessed by an intelligence service. We do not actually know whether the intelligence agencies in Europe are any more principled in the way that they keep their populations safe, but I believe that, coming together as a community of liberal democracies with a commitment to the rule of law and respect for individual rights would be a much better basis on which to form a community in which data can freely flow, rather than mapping these very technical legal protections against each other.
If that is a utopian view, it will require engagement at a political level, in a way that we saw glimpses of with the Shinzo Abe Initiative but have not seen sufficiently since. We have seen steps towards it, with the OECD starting to look at some of the obstacles to a connected approach, and I have some optimism about that work.
Baroness Lawlor: What about the global CBPR?
John Edwards: That could be one way in which we get that recognition.
Lord Stirrup: You said at the beginning that the ICO is a respected organisation, but you said you also have your critics. One of the most difficult things for any enterprise is for it to ensure that it does not start to believe its own propaganda or myths.
I have two questions. First, how does the ICO measure and report its performance at the moment? In moving to a commission model, is there scope for introducing more internal challenge to the ICO itself, having non-executives or whoever who are there to provide the grit in the oyster?
John Edwards: To your last point first, yes, there is. The changes to the governance also include changes to accountability, and I think we are going to have to be more accountable.
To your first question, about how we measure our impact, it is very difficult. As I have said, I reject a metric that says that our efficacy should be measured by the quantum of fines that we issue. I do not believe that that maps to influence, impact or change in the economy, but it is difficult to find adequate proxies for that.
I think we are effective, but we have not seen a decline in breach notifications, for example. Maybe greater consciousness and awareness of breach notification obligations means that they go up. Maybe that is a good thing.
There is a lot of complexity in this. We will continue to generate and report against our KPIs, but some of those KPIs create a distorted impact on how we prioritise our work. We need to have those under constant review.
It is very important that you play your part in holding us to account. I need to introduce some of the complexity of my world to you when you seek that accountability, and I will, but I will not shy away from the accountability. I will explain that, when we are regulating across the whole economy, we are trading off different kinds of fruit sometimes, and it is difficult to measure across those allocative decisions.
The Chair: Thank you very much indeed, Mr Edwards. We have achieved two miracles this afternoon. First, we have been just within the hour, and, secondly, we have not been disrupted by votes, so let us pocket that. It was a fascinating session.
I have one last concluding thought. From the echoes I hear from the European Commission, you probably need to go on with your campaign to explain to it that operational independence really does mean that you have adequate independence for your role, because there is still some doubt about that.
John Edwards: Thank you, Lord Chair, and I will. I wonder if I could just take one more minute of the committee’s time. I know you have had correspondence from the LIBE Committee, which we have discussed already. I ought to just point out that I found the first two assertions puzzling. It alleges that the change in definition of personal information has some material impact; I do not believe it does. Its second assertion—that we have changed our stance to pseudonymised information—is misplaced. I do not know where it got that idea, but it is not my understanding of the effect of the law. We will still regard pseudonymous information as within the legislation and within our regulatory ambit.
The Chair: That is a very helpful clarification indeed. Thank you very much. With that, I conclude this public session.