Written evidence submitted by The Information Commissioner Elizabeth Denham (OSB0062)
About the Information Commissioner
As Information Commissioner I have responsibility for promoting and enforcing the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), the Freedom of Information Act 2000 (FOIA), the Privacy and Electronic Regulations 2003 (PECR) and the Environmental Information Regulations 2004 (EIR). My data protection responsibilities include the Children’s Code which is a statutory code of practice under the DPA18 applying to online services likely to be accessed by children.
I am independent from government and uphold information rights in the public interest, promoting transparency and openness by public bodies and organisations and data privacy for individuals. I do this by providing guidance to individuals and organisations, solving problems where I can, and taking appropriate action where the law is broken. I welcome the opportunity to respond to this call for evidence and would be delighted to assist the committee in its work.
I warmly welcome the draft Bill. It is a vital contribution to making the United Kingdom the safest place to be online and illustrates how the country is a global pathfinder in developing an innovative 21st century approach to digital regulation. I am committed to supporting and working with the government and Ofcom to successfully implement the new regime.
The ICO’s Role in Online Safety
Modern data protection legislation is a key enabler of online safety. It provides a framework for responsible data use and a secure online environment for personal information. It also plays a crucial role in upholding the safety of users online. For example, the UK GDPR and the DPA18 govern the way that personal data is used to target the delivery of content online, including where profiling is used to target vulnerable adults and children. Data protection law requires algorithmic processing involving personal data be proportionate and transparent. This helps address power and information asymmetries between services and users where personal data is involved.
My office is taking action now to protect people online. For example, the ICO’s Children’s Code is an application of data protection law which makes a vital contribution to keeping children safe online by ensuring that the best interests of the child are the primary consideration when designing and delivering online services. Thanks to my office’s interventions, many of the UK’s major online platforms have reformed how their services are accessed and used by children. I will shortly be publishing a Commissioner’s Opinion on age assurance which will formally set out our expectations in this area.
I welcome the new tools the draft Bill will offer to uphold online safety. There are inevitable trade-offs between safety and privacy online. My office will work with government and Ofcom to ensure that potential privacy and data protection risks arising from the regime are identified and mitigated at an early stage.
The committee has invited submissions on any aspect of the draft Bill. My response centres on concerns that I have about the potential for overlap between the privacy provisions in the draft Bill and the UK data protection regulation regime, creating the risk of duplication and inconsistency.
I fully recognise and support the duty on regulated services to have regard to the importance of protecting users from unwarranted infringements of privacy when deciding on, and implementing, safety policies and procedures. It is essential that we get the balance right between protecting and respecting individuals’ privacy and developing a proportionate, transparent and accountable approach to online safety. Both are vital objectives.
However, I have concerns that there is potential for overlap – perceived or real – between the data protection and e-privacy regime and the provisions in the draft Bill. As matters stand, my office has been unable to identify any substantive privacy concerns that would arise under the online safety regime that would not ultimately be addressed by data protection law or PECR.
Unless there is clarification on the interaction of data protection law and PECR within the online safety regime, the regime will create an environment where regulated services face a patchwork of privacy requirements. This risks leading to a duplication of efforts by the ICO and Ofcom, inconsistency of decision-making, and, most significantly, confusion for organisations and the wider public.
The public would expect that my office will take the lead in determining online privacy matters and handling decisions about super-complaints which allege privacy infringement, in collaboration with Ofcom where relevant. Clarity on this point will be vital for ensuring that regulatory requirements are transparent, consistently applied and that duplication is avoided.
It is my preference that determination of online privacy matters should be clarified on the face of the legislation. I have expressed my views to DCMS and am pleased that DCMS officials are working with my office and with Ofcom to find solutions that will achieve a streamlined and coherent regime that serves the public interest.
The ICO is committed to continuing to support the government and Ofcom on the implementation of the online safety regime, including through the Digital Regulation Cooperation Forum. I look forward to engaging with the committee further on the issues I have highlighted and on the ICO’s wider experience and expertise in relation to regulation of online safety, and to appearing before the committee on 23 September.
16 September 2021
For example, clause 106 in relation to the power to make super-complaints.