Digital, Culture, Media and Sport Committee
Oral evidence: Pre-appointment hearing for Information Commissioner, HC 260
Thursday 9 September 2021
Ordered by the House of Commons to be published on 9 September 2021.
Members present: Julian Knight (Chair); Kevin Brennan; Steve Brine; Clive Efford; Damian Green.
Questions 1 - 44
I: John Edwards, Government’s preferred candidate for Information Commissioner.
Witness: John Edwards.
Q1 Chair: This is the Digital, Culture, Media and Sport Select Committee and this is our pre-appointment hearing for the new information commissioner. We are joined today by John Edwards, the Government’s preferred candidate for information commissioner. He is appearing virtually from New Zealand. I will say, “Good morning” here, but “Good evening” in New Zealand.
John Edwards: Good evening, Chair.
Chair: Thank you very much for joining us today. I wonder whether you could tell the Committee precisely, from your experience as the information commissioner in New Zealand, what you think the UK needs to learn from New Zealand and what you see as your key objectives within the first 100 days of your tenure.
John Edwards: One of the things that I am most interested in doing is engaging with stakeholders and listening to their experience of the last three years of the UK GDPR to see whether they believe they are getting good value for money and whether the ICO is meeting their needs, and also to hear from our civil society and other stakeholders—so, industry and stakeholders. I would like to listen, not just to go out and talk to people and tell them what I think they should be doing, but to understand their experience.
What will I bring from New Zealand? I come from an environment where we have had to operate as a persuasive power rather than with firm coercive sanctions. That has been the tradition of this office right up until December last year. It is going to be an adjustment for me having responsibility to administer an Act that has real coercive and quite significant sanctioning powers.
Q2 Chair: New Zealand is often cited as a country that has quite a good relationship with data and information; other smaller countries, such as Estonia and Israel, are seen in the same way. Is there anything to suggest that you could in any way transpose any of the New Zealand system, and the practices that you have learned there, into the UK? What would you bring across?
John Edwards: I think so. One of the things I want to do is to bring the mantra that I began my office here with, when I appeared in front of a Select Committee like this on the third day of my appointment. I was not told that I needed to pre-prepare a statement for the Committee, but on the spot I said, “Look, what I really want to do is to make privacy easy.” I think I can translate that to the UK. I want to make data protection easy—easy for industry to implement at low cost, easy for consumers to exercise privacy-friendly choices in their marketplace, and easy for people to access remedies when things go wrong.
One of my priorities is to look at what services the ICO can provide at the centre. We spend money once for the benefit of it to be used many times throughout the economy and to spare thousands of agencies the expense of seeking out training materials or easy implementation guides tailored for their businesses.
Q3 Chair: We have had five years’ economic transformation in one as a result of Covid. Obviously, the UK has been substantially impacted by Covid; it was probably a very different experience from New Zealand’s. Looking from New Zealand to the UK, what do you think are the potential learnings from this period in terms of how we deliver public services and how we ensure that data are both private but also, at the same time, able to be used? Almost by definition, being private means that it needs not to be shared to some degree. There is a real dichotomy that we have in this country over that particular challenge. What are your views on how you think you could resolve that?
John Edwards: With respect, I would take issue with the dichotomy that you presented. I do not believe that policymakers and businesses and Governments are faced with a choice of: share or keep faith with data protection. Data protection laws and privacy laws would not be necessary if it was not necessary to share information. These are two sides of the same coin. Data protection laws, the UK DPA and UK GDPR, are a “how to”, not a “don’t do”. I think that the UK and many jurisdictions have finally learned that lesson through the Covid crisis. It has been absolutely necessary to have good quality information available minute by minute and to move it across different organisations, where it needs to go, without friction.
There are times when data protection laws and privacy laws introduce friction. What you have seen in the UK is that when they need to, things can happen quickly. I think that the Government are keen on building on that experience and rolling it out more widely. There is a singular moment in squaring the circle that you posed for me at the beginning of your question.
Q4 Chair: Certainly, there has been a loose interpretation of GDPR during the Covid crisis. We know that as parliamentarians in our dealings with constituents. We have been able to cite Covid in order not to get around GDPR, but to be able to work while at the same time not completely bending to it, so to speak. In our experience, I have to say, we often accuse ourselves of gold-plating legislation and rules in this country, and that has very much been the common experience of GDPR in the UK. Are you confident that as information commissioner, you can change that narrative and that what we will not do is to go back to the same old, same old after the pandemic, wherein we may end up again gold-plating GDPR?
John Edwards: Yes, I am confident. The UK DPA and GDPR are enabling statutes. They facilitate the flow of information where necessary. They can be interpreted strictly and prescriptively or they can be seen as necessary preconditions to sharing information.
One way of conceptualising this, if I can give an artistic reference, is the famous optical illusion Rubin’s Vase, or a favourite artwork of mine by Salvador Dali, Slave Market with the Disappearing Bust of Voltaire. What you see in those images depends on what you focus on. Do you want to focus on the vase in the positive space or the two parallel faces in the negative space? You can look at the GDPR as something that obstructs, and that gets in the way, or you can look at it as something that facilitates, enables and sets the conditions under which those economic and social benefits can be obtained safely for the people of the United Kingdom.
Q5 Chair: My final area of questioning, before I hand over to Damian Green, is about equivalence. Obviously, there has been a large discussion in front of this Committee, over time, about Brexit and how we retain equivalence with the EU. How do we manage to go forward with that without just aping what the EU does? How can we make our future developments with data acceptable to a relationship with the EU, but also with any future trade relationship with the US? They are poles apart in terms of how they deal with data. The impression I have is that potentially we could fall between both stools and become non-equivalent with both.
John Edwards: It is an important question, and at the core must be mutual respect. Europe is entitled to regulate for its citizens in the way that it deems most appropriate, and it has certain legal traditions that suggest that the GDPR approach best suits that legislative and regulatory environment. The United Kingdom is entitled to take Fleetwood Mac’s advice to go your own way. There is plenty of scope within the European Commission’s adequacy determinations for recognition of difference.
New Zealand is not identical to GDPR, but it is recognised as adequate. Israel, Canada—these countries are not equivalent, but the test against which the UK will be measured when the adequacy determination is reviewed is essential equivalent. There is a lot of focus in there on the equivalence and on essential, as in necessary, but I see essential as: do you have the essence? It is very unlikely that the UK will depart from the essence that informs almost every privacy and data protection law in the world, and it goes back to those OECD principles that started back in 1980. There is plenty of scope.
If the United Kingdom begins a process of reform—I think Ministers have signalled it intends to do so—it will not start that with one eye on Europe, saying, “Is this going to meet the adequacy test?” You must regulate for what is in the best interests of the people of the United Kingdom. When you do that, there will be a story to tell to Europe that this is what is best for our people and when you look at it, it is just reaching the same destination perhaps in a slightly different way. I have full confidence in the relationships that I have formed with my colleagues across Europe that there is an important story to tell here. There must be, as I say, mutual respect of different legal and cultural traditions, which lead to different expressions of the same objective.
Q6 Chair: Today I am very impressed with your enthusiasm and desire, but when it comes to EU-UK negotiations, our experience is that it can sometimes be a little soul-destroying, if I can put it like that. What will your role be in this process, particularly in respect of the fact that in this Committee we have seen in recent times that the relationship between the Department and those who are at the front line of negotiation, particularly Lord Frost, has not been very good? The problem with that is whether or not you are going to have the freedom in order to go your own way, as you like to say.
John Edwards: I must confess a technical ignorance of the expected role of the commissioner in that, but just thinking about it here, I see myself almost as a conduit. I can feed information into the government policy process reflecting on my understanding and experience of the implications of different policy settings on the fundamental rights of people of the United Kingdom. I can also express how that might land in other jurisdictions that are interested in entrusting their data to the UK. I can also act as a conduit in some sort of quasi-diplomatic capacity with my colleagues with whom I share regulatory and professional experience in the different DPAs across Europe—
Chair: I am sorry to cut across you. That is precisely the point that I was making. If you do want a quasi-diplomatic role, in terms of talking to your contemporaries and your equivalents effectively within the EU and other nations, the difficulty that we could see with that is, for example, when it comes to another area, which is the movement of creatives within the EU. We have seen considerable blockages within government, and the DCMS have felt that they have not been allowed to go their own way, to use that analogy that you used. I admire the enthusiasm, but I wonder whether or not it comes against the cold reality of actual negotiation and realpolitik.
John Edwards: I doubt that I will have a role as a negotiator, but perhaps more as a translator—as somebody who sits squarely in the United Kingdom but apart from the Government. That independence will be recognised and valued, so I will be able to have those kinds of conversations with my counterparts at the European Commission, in the Data Protection Board and on a bilateral basis with colleagues.
Q7 Damian Green: I am delighted that within 10 minutes of starting to give evidence you have managed to reference Salvador Dali and Fleetwood Mac, showing a range of cultural references entirely appropriate for this Committee. Thank you for that.
In the past, you have been heavily critical of the big tech companies. Indeed, there is a deleted tweet where you said, “Facebook cannot be trusted. They are morally bankrupt pathological liars”, which is a punchy viewpoint that I suspect many people around the world would share. Would you like to expand on that a bit? Do you feel that the tech giants are genuinely a threat to the wider democratic scrutiny and process?
John Edwards: Would you like me to provide a more fulsome context for the tweet that you quote, because it has achieved some prominence and some notoriety? I am happy to answer the substantive question, which is whether I consider those tech giants a threat or what kind of role they play in this data ecosystem, but I do want to go on record and say that despite the hyperbole referenced in that tweet, Facebook and every other organisation that is subject to the ICO’s jurisdiction can expect a fair and impartial inquiry when I occupy that role without predetermination or bias. That tweet came from a very profound context of national shock and grief at a very egregious terrorist act that was facilitated, amplified and propagated through that particular platform. I could go into more detail.
We confront with these platforms a phenomenon that has never been experienced in the world in regulation. These are nation state-sized commercial enterprises. It is a problem that I have described elsewhere as “they are one, we are many”. We are many countries, we are many data protection authorities. Even within the United Kingdom, we are many regulators—there is the CMA, Ofcom, ICO, your Committee—that want to understand the impact that these organisations are capable of having within our societies.
It is increasingly difficult to engage them on that national level. We are starting to see assertions of national sovereignty against these organisations. One excellent example, which shows that they are in a position to respond where required, is the effect that we have seen in the last couple of weeks of the commissioner’s age-appropriate design code. There is hope that there can be a constructive dialogue and that these organisations act in a way, within jurisdiction, that is suitable to the culture and legal traditions and expectations of that society, whether that is in New Zealand with a population of 5 million or in the UK with its 60 million.
Q8 Damian Green: I take your point that in a sense regulators around the world are realising that to some extent they have to be co-ordinated, and individually they have to perhaps be more nimble in following the very innovative processes of that these big tech companies. Do you detect any sign that the companies themselves recognise that the world is changing, and that they are the equivalent of the trusts that had to be busted in America in the late 19th century? Do you detect any sign of change in their behaviour yet?
John Edwards: Yes, I do. I see that coming. We have seen some of the largest platforms actively calling for regulation. When you see that happen, you know the tide has turned and that they see the inevitability of needing to finally respect the authorities and the jurisdictions that they operate in and try to get ahead of it—trying to set that agenda. That is just natural corporate behaviour. I make no moral judgment about that kind of conduct, but we as regulators and you as lawmakers need to recognise that we all have a role in setting those standards and enforcing them.
Q9 Damian Green: One of the ways of doing it, and you have mentioned this already, is that there are a plethora of regulators here; we have you, Ofcom, the CMA. What would you do to make sure that you were all pushing in the same direction and moving on one platform?
John Edwards: There are challenges to that, but in the United Kingdom you have made a very significant start down that pathway. Just breaking down those silos culturally is important. There is an agreement between the agencies that I have mentioned. There is a forum called the Digital Regulation Cooperation Forum, and that is formal and documented. That has to be a very positive start. It may be that there are limitations within the statutory origins of those organisations that need to be tweaked in order to enable them to work in concert more and to leverage each other’s influence and to help each other in their narrow areas. I am looking forward to getting into that space and seeing how that can be maximised.
Q10 Damian Green: Looking further afield, we have already had a brief discussion about co-operation and the need for it with European countries. Of course, looking the other way from where we are sitting to the United States, inevitably there is tension within any American Administration in that they want to regulate the tech giants as well. Previous Administrations have been massively hostile to them; nevertheless, in the end they are big, important American companies whose economic interest any American Administration would want to defend. Do you think the UK risks anything if it appears to be out of kilter with the current American way of trying to regulate big tech?
John Edwards: I am not sure what the current American way of trying to regulate big tech is. We have heard talk of an imminent arrival of federal privacy law, and we do not know how it will look. But there have also been a number of state initiatives such as in California the consumer privacy law, which looks very much like the GDPR. You have to remember that California on its own is the fifth largest economy in the world and is the home base for many of those tech giants. There is a moving together. It is a kind of reverse of data protection rules. It is not happening perhaps as quickly as we would like to see, but there is movement.
The one significant thing that the UK needs to be conscious of in moving close to the US before it has crystallised some of those movements into a unified federal approach is the very antagonistic approach that we see Europe take to the US. If the UK aligns closely to the US and Europe sees that as a mechanism for sidestepping the jurisprudence and the decisions of the European Court and so on in striking down Privacy Shield and Safe Harbour, that could complicate UK-Europe relationships or trade and data flows. These are the very real challenges that lie ahead.
Q11 Damian Green: Do you have an instinct as to which way? If the UK is forced to go the American way or the European way, do you think one choice is more desirable than the other?
John Edwards: I do not want to be trite, but I do come back to Fleetwood Mac: you have to go your own way. It may be a third way. I do not think you need to shackle your wagon to either. It is for the UK to determine what suits the UK, just as it is for New Zealand, Australia and Canada to have their own particular approach. New Zealand and Canada are recognised as adequate in Europe, essentially equivalent, with quite significant differences. There is scope to have an environment that fosters innovation in the same way that we see being prioritised in the US but which still retains very strong access to remedies for wronged consumers and a regulatory role that is there to patrol the boundaries.
Q12 Damian Green: Do you think that Britain is big enough to go its own way? Partly on the New Zealand analogy, obviously Britain is a bigger economy than New Zealand.
John Edwards: Yes, of course I do. It is the sixth largest economy in the world. It certainly has the wherewithal to chart that middle course. The size of the UK economy presents for me an enormous opportunity. In the administration of a law that at the moment looks very much like the UK GDPR but gives great latitude for different regulatory approaches, if I can turn that dial just a couple of points it can make a difference of billions of pounds to the UK economy, and thousands of jobs. We do not need to be throwing out the statute book and starting again or scrapping everything. There is plenty of scope to make improvements under the current regime, let alone when we start with a fresh sheet of paper, if that is what the Government choose to do.
Q13 Damian Green: One final thing on another matter in this section is working with academics. There is obviously a huge amount of academic work going on in this country, as well as around the world, on data protection matters. Do you have any particular strategy about how you will work effectively with those academics to feed them into your own work?
John Edwards: One of the things that I am looking forward to about working in the United Kingdom is that there is such a richness and diversity of thought. There is such a marketplace of ideas. It presents a challenge, but we have an active civil society and I value the input that those NGOs and advocacy groups bring. Academia brings another important thread to the party, as does the professional services industry. Each has their own interest and perspective.
It is going to be very important for me to listen to all of those perspectives and then to select from them the best that I can, consistent with my statutory role, for all members of the United Kingdom.
Q14 Steve Brine: It is rather apt that I should follow on there from my colleague Mr Green. You said you welcome the impact of civil society and all of the different groups who will have an opinion on you and have an opinion on what you do. Welcome to our world.
Back in April this year, a cross-party group of MPs from the British Parliament wrote to the Secretary of State, who was recommending your appointment, to express concerns about the advert that had been put out for your role. The Open Rights Group, which I am sure you are aware of, organised that letter. The executive director of that group, Jim Killock, said, “The next ICO commissioner is dead on arrival. The lack of confidence expressed from across the political spectrum in the appointment process of a regulator is unprecedented and undermines the credibility of the new ICO commissioner.” They were particularly commenting on the fact that the advert said we want “commercial and business acumen” and understanding of the “wider benefits of data sharing”, and that “DCMS seeks an Information Commissioner that will work to remove protections within current laws, to reduce the risks of enforcement action”. Does that undermine you? Does that make you DOA? What is your view on the input of the Open Rights Group?
John Edwards: I will move to Mark Twain now and say that rumours of my death have been greatly exaggerated. I respect the passion represented by that. What it said to me was that there is a significant group of people who hold these values dearly, and I was heartened by that. I respect their views. I saw the signatories to that letter. I hope that they have been pleasantly surprised. I look forward to engaging with them. But I also reject the premise that bringing a commercial or commercially savvy lens to this crucial role diminishes the importance of the human rights and consumer safety side of the role.
When you look at documents such as the National Data Strategy, even though the Minister in his op-ed and the rest chose to emphasise certain parts of the role that they wanted to present in those documents, at the core of the National Data Strategy is a recognition that there needs to be a very muscular and assertive regulator there to protect the rights of the consumers and citizens of the United Kingdom. Without that regulator there to ensure that people can have trust and confidence in the digital economy, you will not get the digital dividend that is being sought from the emphasis on innovation.
There is a bound relationship between the regulation of protection, trust and confidence, and that fostering of the climate of innovation and investment in new digital technologies.
Q15 Steve Brine: The Public Administration Committee here said that we should consider making the information commissioner an officer of Parliament, appointed by this Parliament. That would get away from political appointment of a friend of the Government, which is one charge that will be levelled at you here. What would be your perspective on that? I suppose you are perfectly within your rights not to comment on the process that appoints you, but do you have any view on that? Are you aware of that?
John Edwards: I was aware of that. Ultimately, it is a policy decision where this office should sit, and if Members thought that a role such as the information commissioner ought to sit on a par with that of the Auditor General or a parliamentary ombudsman or the like, then there would be advantages to that.
The approach that this Committee and Westminster takes to these appointments is important. I was very heartened to see that the appointment process is not just with the Executive. I think this process of examination, when I will appear before you and be accountable to you, is an important halfway to that parliamentary office. Having to appear before you, recognising your essential role and the fact that you could scuttle this appointment if you thought that was in the best interests of the United Kingdom, enhances the legitimacy of the role of information commissioner. It enhances its authority and it enhances its independence. Nobody is saying that the members of this Committee are in the pocket of the Government, and you can ask me any question you want and here I am in a public forum answering those.
John Edwards: On a personal note, they do not mean anything to me. I just click “yes”. I am like everybody else.
Steve Brine: That is kind of the point, is it not—that you just click them and therefore they have lost their meaning?
John Edwards: Exactly. I could not agree more. Although they seem like a trivial matter when you are crossing from one site to another, just take a second to even try to calculate the millions of clicks—hundreds of millions per day—and quantify those in terms of lost productivity and the like, let alone the administration required for the hosts of those sites.
My point is: does it enhance the rights of an individual? That is a yardstick I bring. Is the life of one single Briton going to be improved by this regulatory intervention? If it is not, I don’t know; I think we should look—
Steve Brine: Is it? I am asking you that question.
John Edwards: I don’t think so, no. That is my personal opinion. It happens to be the law of the land that these need to be applied. There may well be others. I favour a risk-based approach. You do what you like, but if you are going to do something that takes me by surprise when I visit your website, that is not obvious from the kind of transaction that I could reasonably expect as a consequence of the transaction I am trying to enter into on your site, then you bear the consequences of that.
Q17 Steve Brine: Culturally for you, coming from New Zealand to the UK, what are you most looking forward to and what do you most fear? You quoted Mark Twain, so, right back at you: he said, “Travel is fatal to prejudice, bigotry and narrow-mindedness”. You will benefit from that, right? I hope you do not bring a zero-Covid strategy with you.
John Edwards: I hope not to bring any Covid with me but I am very much looking forward to living and working in the UK. I have not had that pleasure before. Actually, that is a lie; I had one day on a building site and a Scotsman dropped a brick on my head, and that was it. London is an international city. It is a very exciting time with lots of potential. There has been a lot of disruption and upheaval. I am looking forward to bringing some stability to the role and providing leadership to an important and large organisation but also system leadership, as the UK navigates this new path away from the European Union.
Q18 Steve Brine: What is your message to the staff that you will be leading? I suspect that they will be watching this session to see about their new boss. What is your message to them?
John Edwards: My message to them is that I will honour the past. The outgoing commissioner has done a fantastic job and she has been ably supported. There is so much fabulous work. I mentioned the age-appropriate design code, which is already improving the online experience for young people, not only in the United Kingdom but all over the world. That is a fantastic legacy. I am not going to come in and disrupt things for the sake of it. I want to learn the culture of the organisation. I want to articulate a vision to the organisation and invigorate that team and bring them along with me to turn the organisation into something that is going to deliver for the United Kingdom.
Q19 Kevin Brennan: I have one quick question to follow up on what my colleague Steve Brine was asking you. I will come back and ask some other questions later. You may not be in as much jeopardy as you seem to suggest in your answer to him in saying that this Committee could scuttle your appointment because technically, although we could recommend that you should not be appointed, the Government are still free to go ahead and appoint you. I just wondered, since you put it that way, whether, if this Committee were to recommend that you should not be appointed, you would accept a position under those sorts of circumstances.
John Edwards: Thank you for the question. This is such an important role that it cannot be undertaken unless I have the confidence of this Committee and the confidence of the Parliament.
Q20 Chair: We are going to ask that of everyone from now on. We have found a way in which we have a veto. Before I turn to Clive, I have a couple of quick questions for you. One of the most controversial areas that the information commissioner has been involved in is that Matt Hancock story; I presume that you have followed that from New Zealand. Would you have ordered the raid?
John Edwards: With respect, I do not think that is a fair question. A statutory officer acts on the basis of the information before her and makes a decision based on her understanding of her legal duties and the powers available and whether or not it is appropriate in the circumstances, having regard to a range of factors, that those be exercised.
The test is not whether you, Chair, would have done the same thing, or even whether I, given the same information, would have done the same thing. I am an old-school public lawyer, and I do not know if there are lawyers on the Committee, but you impugn a decision of a statutory officer not by them being wrong or by disagreeing with them; the test is whether they meet the test for Wednesbury unreasonableness. That is, did that decision-maker make a decision that was available to a reasonable decision-maker apprised of the same information? I have seen no evidence to suggest that any decision in relation to any recent investigations announced by that office go outside that parameter. The place to test that is in a tribunal or in a court. I do not think it is something that I should express an opinion on.
Chair: You will be in the hot seat, though. That is the reason why I asked the question.
John Edwards: Yes, I will. I will have to make similar decisions. I will have to defend them and I will expect that you will disagree with some of them.
Q21 Chair: That is fine, but the thing is that there is a large school of thought in this country that it is uncomfortable, given our tradition of press freedom, to have any potential story of public interest then lead to this sort of action. I know that you would say that this is obviously something that was in the scope of the commissioner at the time and they are more in sight of legal advice than you would be, but just from a moral standpoint, are you in any way uncomfortable with the idea of following up a press story with a raid?
John Edwards: I will step into this lion’s den and say this. I have immense respect for the role of the press and I am happy for them to police their own standards in how they go about obtaining their information and what they publish. They are answerable to their editors, to their shareholders and ultimately to the courts. But that is not what the information commissioner, in my understanding, was investigating. In my understanding, there is a CCTV camera in a government building that holds data, which is subject to the Data Protection Act, and it leaves that building for a purpose that is unrelated to the purpose for which that device was installed and that data was collected.
It could have passed through three hands before it got to the press. I do not know how it got to the press, but investigating the security of a government facility such as that, and the way in which it is responsible for the data it is entrusted with, is an entirely legitimate activity of an information commissioner. That does not necessarily have to impugn the actions or engage the actions of the press, which ultimately reported on the contents of that.
Chair: Thank you. It is rare and refreshing to get an answer to a question in that respect. I have one final question before I turn to Clive, and I would welcome the same sort of candour. What has changed since 2018 in terms of Facebook that it is no longer morally bankrupt? What has it done to convince you that it has turned over a new leaf?
John Edwards: It was 2019.
Chair: It was 2019, so it is even less time. What has it done in less time—in less than two years? Obviously, it turned off Australia, and as a New Zealander maybe you were not too upset about that. What do you think in terms of Facebook and the fact that it is no longer morally bankrupt? What has it done?
John Edwards: I did not say that it was no longer morally bankrupt. I simply used a rhetorical device of hyperbole to express a very deep frustration about the silence in the face of a national tragedy the likes of which this country has never seen. I stand by that. That does not mean—
Chair: I also described it as a morality-free zone, so I am not going to cast any stones. I personally have a lot of sympathy for what you said.
John Edwards: I am not making a judgment on the conduct of the company today or its metaverse product, or whatever it is, or its marketplace, its advertising or its Facebook pixel and whether those comply with the law. I am talking about an engagement two years ago, and the use of that hyperbole drew that matter to the attention of the world in a quite compelling way. It also brought that company and others to the table to set some modest boundaries around posting of extremist content through the Christchurch Call that was co-hosted between Prime Minister Jacinda Ardern and the French President, Emmanuel Macron. That now has, I think, made a real difference in the culture of some of those sites, at least pegging back the fetishised primacy of freedom of expression over all other values.
Q22 Clive Efford: Your predecessor in this role, Elizabeth Denham—assuming you are appointed—has been very fulsome in her praise of you and, likewise, you of her record. You seem to know one another from your international work that you have done, but you sound very different from her, particularly in relation to protecting individuals’ rights over their data and how those data are held. What would you say to us that we can expect that is going to be different about you as the information commissioner?
John Edwards: That is a difficult question for me to answer, Mr Efford, but let me explain. I do have a friendship with Ms Denham and I have enormous respect for her. She has presented the ICO on the international stage in a way that has been compelling and has raised its international esteem. But I have not been a close observer of the activities of the ICO in a domestic sense, so it is a difficult question for me.
My carriage of the role will reflect my personality, my regulatory approach, and my wish to engage with as wide a range of interests as possible. I think you will see some of that. These will be matters of personal style. I might need to come back to you, Mr Efford, in six months or a year and ask you what differences you have observed.
Q23 Clive Efford: Let’s see if that happens. I will look forward to it. I listened to your answers to the Chair earlier about our future relationship with the European Union. The European Commission has warned that any repeal or reform of data protection legislation would cause it to reconsider its data adequacy decision on the UK in the future. If it were to do that, what would be the consequences for people in the UK?
John Edwards: The main consequence I think would be on the mid-tier of enterprise that needs to rely on a frictionless flow of data between Europe and the UK. The top tier of business that is bound by GDPR already will not notice any difference, because they are already working at a level that is GDPR confined. It will involve some extra cost for them. It troubles me a little, the extra cost that losing that adequacy recognition would impose on mid-range, small to medium enterprises. Quite a lot of compliance cost is a dead-weight economic loss. It does not achieve anything productive, and often it does not even deliver tangible benefits for individuals. If there was that extra layer of compliance laid on, and each organisation had to negotiate terms on which data are exchanged with European partners, that would add to that burden. If it can be avoided, that would be in the best interests of the United Kingdom.
Q24 Clive Efford: Does that limit the scope for a third way, which you referred to earlier on?
John Edwards: No, I do not believe it does. Ultimately, it is for Europe to decide what it regards as adequate. As I said in my earlier answer, it is for policymakers in the United Kingdom to make decisions about what they believe is in the best interests of the people of the United Kingdom and then be able to articulate that to colleagues in Europe. If they are able to recognise in those customised rules and regulations the essence of the same kind of regulation and protection that they see, there is a good chance they will say, “Yes, we recognise that you have added your own flavour and you have taken your own approach, but the United Kingdom remains a safe place for European data”. I hope we can get to a position like that. Again, the policy development is not in my hands—that is a Government prerogative—and nor is the adequacy decision in my hands; that is a prerogative of the European Commission. I am happily mediating between those, perhaps, but I do not have my hands on those levers.
Q25 Clive Efford: We got some interesting answers when we asked your predecessor about what social media she used. What do you use?
John Edwards: I am a big fan of Twitter, I have to say. I have maybe 12 different messaging services. I have been working in this area of information law and at the edge of technology from long before I was in a statutory appointment. It has always been my view that to have credibility and to advise on these things, you have to be where the people who are using them are. I use Twitter. I was a Facebook user. I launched the first Facebook campaign in New Zealand 13 or so years ago in support of a legal case I was running. It was the first use of a Facebook page for legal advocacy in this country. I have all of them, but I do not use all of them.
I deleted my Facebook as a sort of protest when Facebook refused to recognise the jurisdiction of my office in New Zealand. I then re-established an account with no friends and no data, simply because it is very difficult to stay connected in this world without Facebook when your dog walker wants you to make appointments through that platform, and your kid’s club’s noticeboard is on a Facebook page. I retain a range. I have LinkedIn; I have all sorts. I probably have a Myspace page somewhere. There was a Bebo account at one point.
Q26 Clive Efford: I will move on quickly before the Chair starts to say I am taking up too much time. Can individuals easily exercise their rights enshrined in GDPR in relation to erasing their data or automated decision making, or is it stacked in favour of the businesses and government organisations to collect data and keep it?
John Edwards: You have touched on an Achilles heel of mine, because we enjoy neither of those rights in New Zealand. I am looking forward to seeing how those are given effect in the UK and to coming back to you with an answer once I have had more experience with them.
Q27 Clive Efford: I will push you a little bit more. You gave a very loose answer, if I can put it that way, in relation to cookies earlier on. Do you think that companies are too matter-of-fact about the data they collect and quite often hoover up data that is really not relevant to what the customer or the user is pursuing in a transaction? Do you think companies hoover up too much information?
John Edwards: Yes, I do, and I think that they retain it for too long and they are too opaque in their uses of it. I think that the role of the information commissioner is to bring them into line on some of those points.
Q28 Clive Efford: Thank you. Coming out of the pandemic, what do you think the challenges for the ICO are going to be? In particular, there has been a lot of data collected in relation to assisting with dealing with the pandemic that should perhaps not be retained and used going forward, particularly for commercial purposes. What are the big challenges for the ICO in the immediate future?
John Edwards: I think that you are right that there need to be limits on retention. We have had the most extraordinary 18 months, and there is a lot yet to be learned from the data that has been collected. We need to have safe places for that research and analysis to occur. It would probably be a great loss to science, research and academia for that to be all swept clean purely for the sake of a data protection law. But I do think that the organisations that are maintaining that need to keep it safe and, if they no longer have a lawful purpose for retaining it, to get rid of it. Controllers of the processes are going to continue to hold on to that and to extract value from it, but they need to be transparent about that.
Q29 Clive Efford: Moving on to transparency, as the new information commissioner what do you think needs to be done to improve transparency and efficiency so that people understand their rights and can enforce their rights in terms of how their data are held and used?
John Edwards: I think we need to move into imposing a greater onus on those large businesses, particularly in articulating transparency. There is too much of an attempt to move responsibility to the individual, like these click-and-consent notices, and they are not sufficient. People are not equipped to read complex privacy policies and make decisions, and our brains are not neurologically wired to understand the trade-off of the short-term benefit that they are being offered against the possible longer-term consequences that they are unwittingly signing up to. There needs to be more effort put into requiring businesses to graphically represent it, to discharge that onus of ensuring people understand the nature of the transaction they are entering into, which does not involve having a postgraduate degree in law and information technology to understand it.
Q30 Kevin Brennan: Thank you, Mr Edwards, for joining us. I want to ask you some questions about freedom of information, as that is part of your responsibility as well.
Your predecessor—on the assumption that you are appointed in the role—has said that there needs to be some kind of a reboot in relation to freedom of information legislation. She also raised the issue of costs and the fact that the freedom of information work is funded directly by the Government. In effect, that gives the Government the ability to strangle your ability to do the job you are required to do under the legislation. Freedom of information, and to what extent it should extend out to all organisations that deliver government services, is another live issue. What is your response to those immediate issues relating to freedom of information?
John Edwards: There is quite a lot bundled up in there. I will have a go, but prompt me if I leave an element out.
Kevin Brennan: Absolutely. Does it need a reboot?
John Edwards: I think there was a review a couple of years ago that found that the fundamentals are working pretty soundly. I do think that, like many other systems, even in New Zealand and in Australia, there is a consequence of the digital environment and the new electronic way of looking at it that has led to a proliferation of information. We all thought that the paperless desk would reduce the number of documents generated, but it has not. It has done the opposite. We have people communicating in such a wide range of media on all sorts of different platforms—e-mail, WhatsApp, text messages—and all of these are part of the official record.
That represents a challenge when a member of the public exercises their right to ask for information about a particular topic and they do so in a way that requires a department to, in effect, empty their pockets. It creates an extraordinary administrative burden. There are two sides to this equation. There are responsibilities on people exercising their rights under freedom of information to try to be as specific as they can. There is a concomitant obligation, I believe, on the public authority to offer assistance and to ensure that relevant, germane, material information is brought together in one place where it can be easily accessed. But for some requests I think that it is legitimate to ask a requester to meet the cost of some of that administration, otherwise you see there is a potential for cross-subsidisation of people who are overusing or even abusing those rights and causing quite significant impacts on public administration.
Q31 Kevin Brennan: In your research for this job, have you come across any examples where you think people are abusing their right to seek information from the Government?
John Edwards: I have had a scan of some cases that came before the tribunal, and I noted that there were a couple there that referenced the vexatious request ground. To me, that is a signal of an abuse of the process. I did not look behind it to see the kinds of volumes. It may not be an intentional abuse; it could be in ignorance.
I think citizens wanting to engage often do not understand the way in which government works, and they think, “If I just ask this broad request, I will get that smoking-gun document” whereas, in fact, there is often no smoking gun. If they were able to entrust an organisation to find the most relevant information that explains the reason for a decision for policy or the letting of a contract, or whatever it is, and provide them with that, and allow the information commissioner to review that to make sure that they have the relevant stuff, maybe they do not need the extra 1,000 Post-it notes and e-mails cancelling meetings and the like.
Q32 Kevin Brennan: On the other hand, it may be that the Government are systematically and deliberately operating the system in such a way as to try to turn reasonable requests into vexatious complaints by continually denying the information that is being asked for, whether it is by members of the public, journalists, or whoever. There is strong evidence, isn’t there, that that is exactly what the Government are doing right now in the UK?
John Edwards: I will take you at your word on that, Mr Brennan. I have no evidence of that. Once I am in position in post perhaps I will gain that, and if I do see that—
Q33 Kevin Brennan: Did you see the result of the tribunal earlier this year about the clearing house in the Cabinet Office and the way that that operated? What was your response to that?
John Edwards: I have not read that. I understand that the clearing house operates. There are a number of areas that I need to be more fully briefed on. I do not see anything objectionable in the concept of a clearing house in principle, but of course the way it operates needs to ensure that it is operating to provide support to get a consistent approach to dealing with the press across government. That is a legitimate aim, I think.
Q34 Kevin Brennan: Of course, the tribunal I am talking about, which reported on 8 June, just this year, found that the Government lost a three-year tribunal case. One of the things the tribunal said was, “The profound lack of transparency about the operation of the Cabinet Office might appear, from the material before this tribunal, to extend to Ministers”. Were you aware of that finding of the tribunal?
John Edwards: No, I have not read that report. I have read a summary of it. It is something that I want to engage with, and if there are practices that need to be improved then I will certainly want to do that. If I see conduct that is attempting to subvert Parliament’s intentions in enacting the Freedom of Information Act, I will certainly act.
Q35 Kevin Brennan: I am sorry that I asked the original question in a multiple form. One question that I asked was about funding of your work, or the work of a commissioner, in relation to freedom of information. Your predecessor has been concerned about the way that is funded, and also about whether there is a case to extend freedom of information, in the modern way that governments often operate, to all organisations that deliver government services, even when they are not Government Departments.
John Edwards: Yes. There are a number of housing trusts and the like that have responsibility for quite significant amounts of public funding, and certainly they need to be accountable for the decisions that they are making, and the public needs to have confidence that they are being prudently managed and with probity. I suppose extending FOI to cover those organisations would be one option.
Another would be imposing that burden on the contracting agency and saying that if you are going to deliver services through the agency of an NGO or a private agency, you must make sure that they retain records sufficient to meet the Government’s obligations as if the Government were providing these themselves. That would be my expectation from prudent public administration anyway, and I would be interested in talking to the office of the auditor and the Chancellor of the Exchequer about whether there is scope to ensure that people have confidence in how those privately delivered public services are accountable.
Q36 Kevin Brennan: As you may know, there has been considerable controversy about some of the contracts that have been awarded during the Covid crisis and the relationship between those awarded on a VIP fast-track procedure and their associations with Ministers, political, financial and otherwise. Currently, the ICO has a backlog of about 2,000 FOI complaints. Is the problem with this that whatever the cause of that, it seriously hampers the operation of the Act and the rule of law because Departments then have an even stronger incentive to refuse embarrassing or sensitive requests for information? They know that even if at the end of the process they have to disclose it, effectively, to paraphrase, information delayed is information denied, sometimes, in terms of the importance of that information. Can you commit to clearing this backlog within six months?
John Edwards: I can certainly commit to looking into it and coming back to you. If I say I can wave a magic wand without having explored the problem and understanding the resourcing, I am setting myself up for a failure. I would like to see how that part of the organisation works.
There may be scope to have different tracks, to accelerate high public interest matters from more routine matters. I am happy to explore all those options. I certainly would agree with you that it is important that that system needs to be working effectively. I certainly agree with you that timeliness is critical in many of these, particularly where the information being sought informs democratic rights in relation to elected officials.
I am conscious of the question. I have seen it confronted here. I have written reports about some of the concerns for different governments here, and I look forward to exploring the concerns that you have apprised me of.
Q37 Kevin Brennan: I welcome that commitment, if you are appointed, to come back and report on progress on that to the Committee. The Information Commissioner’s Office recently stopped publishing updates on which authorities are failing to meet required standards of FOI compliance and are, therefore, being monitored by the ICO. Would you commit to publishing the record of which organisations have been put in enhanced monitoring, as used to happen?
John Edwards: I am not sure that I am in a position to make commitments at this stage. I assume the commissioner has reasons for having suspended the practice, if that is what she has done. I will want to have a look at that and reach my own conclusions, but thank you for bringing the matter to my attention.
Q38 Kevin Brennan: The Cabinet Office, which is the villain of the piece here, is often also under investigation for the way in which it discloses the nature of the person making the information request. In other words, it distinguishes between a member of the public, a journalist, a politician or somebody else, which it is supposed to be blind to in dealing with information requests. What is your response to that and how requests should be dealt with? In fact, the Scottish Government recently got into trouble for special advisers sifting through freedom of information requests and distinguishing between journalists and so on, and have had to reverse that. What will you do to make sure that the Government do not operate in that way, and make sure that these are dealt with in a blind way?
John Edwards: I think it is folly to attempt to tilt requests in that way. I do not believe that there is any obligation on somebody making a request to declare their affiliations or if their brother-in-law is working for The Telegraph, or The Times, or whatever. The decisions should be made blind to the requester because you do not know who stands behind that. When you make a decision about a request, when you make a decision that information is to be released, it is to be released to the world. One of the things I would be interested in working on with the Cabinet Office and others in government is the extent to which fostering a culture of proactive release of information might help with some of the bottlenecks that you have described, rather than this transactional basis, which can lead to these sorts of bottlenecks.
Q39 Kevin Brennan: Finally, I put it to you that I hope you are successful in doing that. In one of your colourful attacks on Facebook you used the hashtag, “Don’t give a Zuck”, as I recall. Could a slightly amended version of your hashtag be a reasonable way, if possibly an unparliamentary way, of describing the Cabinet Office’s attitude to freedom of information?
John Edwards: I am not sufficiently informed to make that kind of judgment at this stage, but I will certainly come back to the Committee once I have been able to express my view in a hashtag.
Kevin Brennan: Unusually for me, I will let you get away with that.
Q40 Chair: I can inform you, Kevin, that it would definitely be unparliamentary if you were to use that particular phrase.
I have some further matters for your in-tray if you were to be successful, Mr Edwards. First, one thing that has been mentioned to me—it is a little bit niche, but I think it is worth mentioning to you—is from businesses. To get a contract to supply government they have to score 10% in terms of whether they get above the line or below the line in their social value. The social value is a very broad estimate. Their suggestion is that because of information rules in this country, they cannot request some of the information from their employees and their suppliers that is asked for by government procurement in order to come up with this 10% score. Were you aware of that and, if you are, is it something you would look at to see whether we can have more joined-up thinking about this particular matter?
John Edwards: It is not something I am aware of, and it is not something I fully understand from your description. Is the problem that these businesses wanting to secure procurement with government are prevented by data protection laws?
Chair: Yes. They cannot get the 10% score because the data protection laws effectively mean that they cannot request the data that they need to supply to Cabinet Office in order to reach that score.
John Edwards: That does sound like a conundrum. It sounds to me as if there might be a legitimate interest there, so I would be interested in exploring the nature of that problem and seeing if there is a solution.
Q41 Chair: There is another matter that relates to online harms, and I know that is going to be an Ofcom matter rather than yourselves. There is a lot of talk about the Apple iOS potentially blocking the ability to trace URLs being searched on phones. I understand they are moving to potentially having that as an option—an opt-in—rather than as an automatic part of their iOS, but this has quite significant repercussions in terms of child protection and online safety more generally. What are your views on that?
John Edwards: I am not sure that Apple’s initiatives in this area have been very well reported in the wider press. My understanding—and I may not have this correct myself—is that there were two quite distinct initiatives. The one that you are describing is one that would put in the hands of parents an ability to control the functionality available to children, so it is parental control over a device or an account, as I understand it. The one that has excited some debate in data protection circles is the checking of photographic images against a database of known child pornography images. I think perhaps they could have told this story better.
As I understand it, there is this dataset of known and proven images of child sexual abuse, and they are tagged with a piece of code that means if they appear anywhere else they can be automatically recognised without having to scan the image and recognise actions or pictures. I understand that the proposal was that if one of those tags was recognised on a phone, that would be flagged. That has been misrepresented as Apple looking at all your photos; Apple is going to see if you have taken a photograph of your toddler in the paddling pool in the backyard, and you could be called up for child pornography. That, I understand, is unlikely or is impossible because that image will not be in the source dataset. I have not seen anyone object or advocate for people’s right to hold and upload to iCloud those tagged images. The concerns I have seen have been more in the nature of the slippery slope.
Chair: Sorry, I am going to cut across you. It relates to an article in The Financial Times by Tim Bradshaw on 3 September, where he outlined the potential for Apple to effectively encrypt URLs on its phone. That would make it much more difficult for authorities to check out whether or not those individuals have been looking at images that are profoundly disturbing and are potentially online harm. That is what I am referring to.
John Edwards: I am sorry; I have misunderstood.
Q42 Chair: You are right, that is another story. That is definitely another story, but this is 3 September. Basically, is this something you would look at in terms of engagement with Apple? You have talked about privacy and the need for privacy. At the same time, as we enter a new online harm universe in which we are looking at the scope of regulation and the way in which we regulate, don’t you agree that it is important that no company allows those who are looking to damage society and to harm children to have a fairly easy means of getting away with it, for want of a better phrase?
John Edwards: This is the single most significant challenge for law enforcement, intelligence and security in the tech world today. Your Secretary of State and others have been grappling with this. It is not just Apple; it is WhatsApp, it is Signal, and it is Telegram. There are these channels that are very hard to crack, and most of us might say there should be legitimate reasons to get into some of these because, as you say, there are very significant harms that can be caused by material concealed by these cryptographic methods. I have not seen a solution yet.
Q43 Chair: The solution would be that Apple do not do what they are going to do. That would be the solution, surely. If they do not encrypt the URLs, which is not being done at the moment, that itself would stop that from being a potential backdoor.
John Edwards: Yes. As I say, I am not really informed about that. If you are right, and I have no reason to believe that you are not, that would be one mole whacked but it does not make the issue go away.
Q44 Chair: There is one other story that is featured today. I am sorry to basically give you a paper review, Mr Edwards. There is another story about Facebook being accused of allowing sexist job advertising. Effectively, what it suggests is that men are shown jobs about engineers and woman are shown jobs about nurses. There is a lot of criticism about the algorithms. This is more of a tangential question: where do we stop in terms of monitoring algorithms and trying to hold them to account for algorithms? Do we want to have a society in which we try to have social media companies conforming to all norms, or do we want a society in which we can promote stereotypes? Where do we draw the line here? Where do we have real control, but also where do we allow independence and freedom to act?
John Edwards: It is an interesting question also about the regulatory boundaries, because the kinds of phenomena you are describing could equally be an Ofcom issue under the online harms law. In relation to this particular algorithm, I think people should be entitled to ask this really simple question and get an answer: who do you think I am? Why are you giving me this advertisement? What data is it based on? Who do you think I am? That gives people a right of self-audit.
We are starting to see that develop. If you see an ad on Twitter you can ask, “Why am I seeing this ad?” It’s pretty crude at this stage, but I think that will be a direction of travel. That is the only effective way that we will see some of these biases and prejudice that are coded into these algorithms revealed. I just hope we can get there, before AI starts to make it more difficult to even understand why those recommendations and decisions are being made, to even ask that question: who do you think I am?
Chair: Thank you. That is a whole new area. Thank you very much for taking part today in this process and also for staying up until the best part of midnight in New Zealand. We are now going to convene a private session in order to consider our findings before issuing a report, hopefully later today. Thank you, Mr Edwards. That concludes our session.
John Edwards: Thank you very much.