Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Levying big fines on big tech companies is not an effective way of keeping them in line, the UK’s privacy chief has said, in comments that have prompted a backlash from data privacy experts and transparency campaigners.
John Edwards, the information commissioner, said that issuing penalties in the hundreds of millions of pounds, as his counterparts in Europe do, would only tie up his office in litigation.
In an interview with The Times he said: “I don’t believe that the quantum or volume of fines is a proxy for impact. You know, they get a lot of headlines. It’s easy to compile league tables but I actually don’t believe that that approach is necessarily the one that has the greatest impact.”
The Information Commissioner’s Office’s heaviest fines are in the tens of millions of pounds, although it has the power to sanction up to 4 per cent of a company’s global turnover. The ICO employs a thousand staff across five offices. Its highest fine to date was a £20 million levy on British Airways in 2020 for a data breach.
In contrast, the Irish regulator, which leads enforcement against big tech for Europe, has issued €3.2 billion of fines since 2018 at an average of €112 million each, according to enforcementtracker.com. The ICO has levied fines totalling €75,541,500, an average of €504,000 per fine.
Edwards said he preferred engaging with industry to ensure compliance with laws such as the Children’s Code, which regulates how companies handle the data of young people.
He said there were a dozen examples of how the online world was safer because of the way the Information Commissioner’s Office has enforced the code.
He added: “Now, if instead of doing that, I fine Meta €10 billion for failing to do those things: a) they wouldn’t make the changes that we’ve asked; b) they would take us to court and consume huge resources. And we would be in court for four, five or six years.”
Some experts believe, however, that the ICO is being too lenient. Ben Rapp, group chief executive of Securys, a data privacy company, urged the regulator to take a tougher line. “Vigorous and exemplary enforcement remains a necessary part of assurance and deterrent,” he said. “You have only to look at the effectiveness of the Securities and Exchange Commission in the US or enforcement regimes across the EU.
“This means not only fines, but also a move from toothless reprimands to the full panoply of enforcement orders. Otherwise, not only does the UK risk serious infringements of citizen rights and freedoms, but also losing its status as a safe destination for data exported from other countries.”
Madeleine Stone, senior advocacy officer at Big Brother Watch, a privacy campaigner, said: “The ICO’s conciliatory approach to the enforcement of data protection law is strikingly at odds with the public’s growing concern over the power of Big Tech companies and their use of the public’s sensitive personal data.”
Edwards highlighted the reversal by LinkedIn (owned by Microsoft) of its plans for training AI on user data as an example of the ICO using its powers of persuasion.
He said he did not believe the major tech companies were blatantly breaching the law. “Google employs hundreds of privacy-focused engineers, hundreds of lawyers,” he said. “These, I think, are not the companies that are blatantly breaching the law. They are very mindful of the legal environment in which they are operating at the margins.”
One of his biggest challenges will be AI and how companies use personal data to train their models and reproduce it. The ICO is consulting on how to regulate and Edwards says it’s “a very complicated current debate”.
Despite so much data being taken by the companies already to build their products, he denies that the issue is too far advanced for regulators to act. “There’s still an AI supply chain and there’s the training at one end. And there’s a whole lot of applications, whether they’re retail or the like. And you know, those uses, those applications, are still subject to data protection.”
On a personal level Edwards is more of an Apple user and believes that those using Android devices are surrendering more of their privacy. He advised the latter “to be mindful of how often they have their location switched on”.
Edwards, who used to be New Zealand’s privacy commissioner, does not use the more privacy focused browsers such as Brave or DuckDuckGo. He prefers a mix of Safari, Chrome and Edge.
He is also sanguine about having smart devices in the home, which he uses as timers or for the radio. “I don’t believe that they are listening in on me,” he added.
He no longer uses a virtual private network (VPN), which is software favoured by the privacy conscious to hide their internet location. “I used to, prior to my life as a regulator. VPNs had uses in terms of accessing content that might have been convenient but perhaps not best ethically sourced. So in my subsequent life as a regulator, I do things completely by the board.”
Edwards was speaking before the opening today of an online exhibition to mark 40 years of the ICO.
The ICO exhibition “Our lives, our privacy: the 40 items that shaped 40 years of privacy rights” is available at ico.org.uk
English