Data protection 'shake-up' takes aim at cookie pop-ups

The UK's new Information Commissioner will be charged with a post-Brexit "shake up" of data rules, including getting rid of cookie pop-ups.

John Edwards has been named the next head of data regulator the ICO.

The government said Mr Edwards, currently the New Zealand Privacy Commissioner, would "go beyond the regulator's traditional role".

The job would now be "balanced" between protecting rights and promoting "innovation and economic growth".

Mr Edwards has been named as the government's preferred candidate, and said it is a "great honour".

"I look forward to the challenge of steering the organisation and the British economy into a position of international leadership in the safe and trusted use of data for the benefit of all," he said.

His predecessor, current Commissioner Elizabeth Denham, said Mr Edwards "will take on a role that has never been more important or more relevant to people's lives."

The government's shake-up of the Information Commissioner's Office was announced alongside planned changes to data protection post-Brexit.

"Light touch"
In an interview with The Telegraph newspaper, Digital Secretary Oliver Dowden said the plans include getting rid of "endless" cookie pop-ups which are common on most large sites, asking for permission to store a user's personal information.

This is widely marketed as a tool for compliance with EU data law the GDPR, although the practice pre-dates it.

He told the newspaper that "high risk" sites would still need similar notices, but that many of them are "pointless".

And he said reform of data protection rules is "one of the big prizes of leaving" the EU.

"There's an awful lot of needless bureaucracy and box ticking and actually we should be looking at how we can focus on protecting people's privacy but in as light a touch way as possible," he said.

The proposed reforms extend to all sorts of data.

In the official announcement, the government said it will prioritise making new "data adequacy" partnerships that will allow it to send people's personal data internationally, to places such as the United States, Korea, Singapore, Dubai and Colombia, among others.

Data adequacy in this sense means an agreement that the protections in place are similar in two countries, with the idea of ensuring that personal information remains safe. It is a key part of EU regulations and was a minor sticking point in the Brexit negotiations.

EU approves data flow to UK but adds sunset clause
No-deal Brexit - the data dilemma
The UK currently has a data adequacy agreement with the EU, though it needs to be renewed in future and could change if the law in the UK diverges too far from EU rules.

Other details remain light, with the government promising to launch a consultation on what future data laws will look like.

The government said that as much as £11bn of trade "goes unrealised around the world due to barriers associated with data transfers".

"Now that we have left the EU I'm determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK," Mr Dowden said.

"It means reforming our own data laws so that they're based on common sense, not box-ticking."

Andrew Dyson, a data protection expert at law firm DLA Piper, said these announcements amounted to the "first evidence" of "a bold new regulatory landscape for digital Britain post-Brexit".

"It will be interesting to see the further announcements that are sure to follow on reforms to the wider policy landscape that are just hinted at here," he said.

This is a big moment in the evolution of the UK's data protection policies.

As New Zealand's Privacy Commissioner, John Edwards showed he was anything but timid in taking on the tech giants. After the Christchurch massacre, he described Facebook "as morally bankrupt pathological liars who enable genocide (Myanmar), [and] facilitate foreign undermining of democratic institutions" - in a tweet he later deleted.

The current commissioner, Elizabeth Denham, has been criticised by some privacy campaigners for not being robust enough in protecting data rights. But it looks as though the government wants her replacement to be even more cautious.

Mr Edwards "will be empowered to go beyond the regulator's traditional role of focusing only on protecting data rights, with a clear mandate to take a balanced approach that promotes further innovation and economic growth."

That looks like a clear signal that the interests of those businesses complaining about the burden of what they regard as excessive data regulations will be given a hearing.

Oliver Dowden's told the Daily Telegraph that EU rules on cookies - which, by the way, predate the GDPR data laws - could be the first target of the new slimmed down approach to regulation. With many web users frustrated by the constant need to click "accept" on cookie banners every time they visit a new site, this could prove a popular move.

But data protection specialists warn that it's easy to generate headlines about a bonfire of regulations, much harder to frame new laws diverging from what applies across the English Channel.

And the tech companies themselves may complain about EU data laws - but may see this as just adding another layer of complexity to their global policies, rather than a big opportunity.