Podcast exclusive:
In cases like Snap AI chatbot, Edwards seeks ‘agile enforcement’ for final three years as ICO chief

Approaching his second anniversary as the UK’s Information Commissioner, John Edwards believes the culture change he has led since taking the job at the start of 2022 has the regulator ready for an “agile” spectrum of responses to data protection problems. Sitting down with MLex recently for an extended conversation at the Global Privacy Assembly meetings in Bermuda, Edwards discussed the need for data protection regulators to have a more assertive response to the privacy risks of generative artificial intelligence than they had to the rise of social media business models more than a decade ago. For companies that want to comply with UK data protection law, Edwards said the ICO now has an array of tools and guidance showing that “we’re there to walk with you and to help you” comply with the law. Edwards believes the UK has a unique and important place on the world’s data protection stage—close to Europe in terms of its privacy law but influenced by the US and the Pacific Rim in terms of its interpretation. “We have potential to act as a bridge between different data protection traditions,” he said.

Tune in below, or read on for a related article.

UK ICO chief Edwards advocates for guidance as well as enforcement in regulation of data

23 October 2023
By Mike Swift, Jakub Krupa, Sam Clark and Frank Hersey

When the UK Information Commissioner's Office hit Snap with a preliminary enforcement notice on Oct. 6 that could result in its AI chatbot being pulled from the UK market, it was an example of the regulator’s new emphasis on “agile” enforcement.

“It's a muscle that we need to become more used to flexing,” said John Edwards, the UK information commissioner. “The Snap intervention was important because we saw something that we were concerned about back in March, when the product was first deployed into market. We asked questions. We brought together a team and expedited that.”

In the past, getting to that outcome might have taken the ICO three to four years. This time, the agency got there in about six months, based on what Edwards described as a “culture change” that will allow the ICO to engage a wide range of responses to data protection problems.

In some cases, such as Snap’s “My AI” chatbot, that will allow a quicker enforcement response to get ahead of harm from a new technology. But more frequently, Edwards said, the change will allow the regulator to guide willing companies to keep them out of trouble in the first place.

“We are changing our approach to regulatory intervention and recognizing that we don’t measure success by the piles of fines,” Edwards said during an extensive conversation with MLex on the sidelines of the Global Privacy Assembly meetings in Bermuda in recent days.* “We’ve got a number of interventions over a spectrum. And the team are getting more accustomed to using those in deployment, with good effect I think, so I’ve been really heartened by that.”

As he closes in on his second anniversary as information commissioner at the end of this year, Edwards believes his focus on the ICO’s “culture change” has set up the regulator for the remainder of his term. During those three remaining years at the ICO, Edwards’ goal will be to prevent situations such as the one created by Snap’s chatbot by offering industry a range of regulatory tools to stay in compliance with the UK General Data Protection Regulation and other laws.

“I'm proud of the work that we've done in artificial intelligence,” Edwards said. “We've showed that we can demonstrate to industry what our expectations of them are. For those who struggle, we've got guidance. When the gen-AI tsunami swept over, we were there with guidance for businesses about how they could safely deploy it, whether it was appropriate in their business. And we've also shown that we can take enforcement action in relation to those new technologies.”

More broadly, the former New Zealand privacy commissioner believes that post-Brexit, the UK has a unique and important place on the world’s data protection stage — close to Europe in terms of its privacy law but influenced by the US and the Pacific Rim in terms of its interpretation.

“We have potential to act as a bridge between different data protection traditions,” Edwards said. “Obviously, our law will continue to strongly resemble the GDPR, but the approach we take to it might more resemble an Asian Pacific approach, of ensuring that organizations are empowered to get the greatest value out of data, to take the greatest advantage of innovations. I think our approach is not dissimilar in some ways to the [US] Federal Trade Commission. I speak with my colleagues there frequently.”

Edwards said one of the things he's most proud of during his first two years at the ICO is a service called “Innovation Advice,” through which a company can contact the regulator with questions about whether a proposed product would comply with the UK GDPR and receive an answer within 10 days. Another non-enforcement technology guidance mechanism is the ICO’s technology “sandbox,” which the regulator has been running since 2019, before Edwards’ tenure. The sandbox model is “working really well in a collaborative approach with business,” he said. Another round launches early next year for eight more emerging tech participants.

But in situations like the Snap case, in which the ICO didn’t see “eye-to-eye” during a dialogue the regulator had with the Southern California social media company before the preliminary order, Edwards said he wanted to send a clear message to the AI industry that the ICO will not be as passive as he believes many data protection regulators were toward the rise of social media, an advertising business model fueled by personal data.

The ICO's investigation provisionally found that Snap “failed to adequately identify and assess the risks” to several million My AI users in the UK, including children aged 13 to 17. Enforcement could include an order to stop processing data from My AI, which would amount to a ban pending the completion of an adequate risk assessment.

Snap said in its most recent earnings report in July that over 150 million people had used the My AI chatbot, sending over 10 billion messages, “which we believe makes My AI among the largest consumer chatbots available today.”

While Snap will have a chance to reply to the ICO’s preliminary order, “I still thought it was important to signal to the market that these are the kinds of steps that are expected of you, and if you don't take them then you can expect prompt regulatory action,” Edwards said. “We’ve come past the time where innovators and digital industries just forge ahead with their business models and get so far down the track that they are too big to unravel. We're not having that this time.”

Cookie enforcement

Edwards took the ICO post at the start of 2022, succeeding Elizabeth Denham. His five-year term runs through 2026.

Looking at the coming three years, the ICO is concerned that it's too difficult for the UK’s residents to opt out of tracking cookies. Data suggests that a minority of the country’s most popular online properties comply with the proper standards to opt out of cookies.

“It should be as easy to reject all non-essential cookies as it is to accept them. And you know, that's not a complicated message for industry,” Edwards said. “And so we'll be writing to those that don't meet the standards and giving them an opportunity to do so. And then if they don't, we'll come back after a bit and they can get a firsthand taste of what enforcement looks like in this new regime.”

A more controversial policy, particularly in the wake of a breach of personnel data from the Police Service of Northern Ireland, is the ICO’s practice of reducing enforcement for government agencies. Edwards said it is a “mischaracterization to say that we're not enforcing. We are enforcing.”

He said, however, that he doesn’t believe monetary fines against government agencies for privacy breaches are the best way to achieve compliance, because money paid by a violator may often come out of the budget that might be used to bolster privacy and cybersecurity protections, meaning the victims of a breach in effect would bear the punishment for enforcement of the breach.

“What was happening is that we would issue a fine of half a million pounds to an organization that would write us a check. That check would go into the consolidated fund. That department would go back to the treasury and be reimbursed from the consolidated fund of 500,000 pounds,” he said. “Now, you don't have to be an economics genius to know that there's not a great incentive system working there.”

While fines will continue to be necessary “for the most egregious cases,” Edwards said he wants to find ways to call out bad behavior across government agencies, including public reprimands in lieu of a fine that would provide incentives to comply with the law by demonstrating the potential costs of violations.

“We are also naming; we are issuing reprimands more and we are publishing them more. So that's a new phenomenon under my leadership of the organization,” he said. “And for the people who say, ‘you don't enforce, this is a slap over the wrist with a wet bus ticket,' they should see the threats of litigation we get over the prospect of being publicly named. These are real sanctions, because then there's a public accountability.”

In general, Edwards wants the public and private sectors to know that if they are willing to work with the regulator to stay in compliance with the law, the regulator will be a partner in helping them do so.

“It's very important I think that we signal to industry that we’re there to walk with you and to help you, if you want to understand your obligations under the law,” he said. “But if you thumb your nose to them, if you don't think carefully enough about the risks in advance of that rush to market, there may well be consequences for them.”

*45th Global Privacy Assembly 2023, Bermuda; Oct. 15-20, 2023.
