ICO chief: Fines not the best way to check Big Tech's power

Sharp contrast to the European approach

John Edwards, head of the UK's data privacy regulator, has said that imposing heavy fines is not the most effective way to regulate Big Tech.

In an interview with The Times, Edwards, who leads the Information Commissioner’s Office (ICO), said the large penalties used by European regulators often result in lengthy legal battles. These drain regulators’ resources and ultimately weaken their ability to enforce meaningful changes.

"I don't believe that the quantum or volume of fines is a proxy for impact," Edwards said. "You know, they get a lot of headlines. It's easy to compile league tables but I actually don't believe that that approach is necessarily the one that has the greatest impact."

He explained that the ICO prefers engaging with companies to encourage compliance, rather than issuing fines in the hundreds of millions of pounds. This doesn’t always work.

However, Edwards cited the ICO's success in implementing the Children's Code, which regulates how businesses handle data for young users, as evidence.

The ICO's approach contrasts sharply with its European counterparts, particularly Ireland's Data Protection Commission, which has fined tech firms €3.2 billion since 2018.

Before the introduction of GDPR, the General Data Protection Act (1998) only permitted the ICO to levy a maximum punishment of £500,000.

However, while the ICO now has the power to levy fines of up to 4% of a company's global turnover, its largest penalty to date is a £20 million fine imposed on British Airways in 2020.

Critics have labelled the regulator’s approach overly lenient.

Ben Rapp, CEO of data privacy firm Securys, argued that stricter enforcement, including significant fines and other legal measures, is essential to ensure compliance and deterrence.

"Vigorous and exemplary enforcement remains a necessary part of assurance and deterrent," he said, adding that the effectiveness of the US Securities and Exchange Commission demonstrates the need for tougher measures.

Privacy advocates have also voiced concerns.

Madeleine Stone of Big Brother Watch criticised the ICO's methods as being "strikingly at odds with the public's growing concern" over Big Tech's power and use of sensitive personal data.

In defence of the ICO's stance, Edwards says major tech firms are generally mindful of the legal environment and do not engage in blatant lawbreaking.

"Google employs hundreds of privacy-focused engineers, hundreds of lawyers," he said. "These, I think, are not the companies that are blatantly breaching the law. They are very mindful of the legal environment in which they are operating at the margins."

AI systems will challenge regulators

A key challenge ahead, however, lies in regulating the use of personal data for training AI systems, a complex issue that the ICO is currently addressing through consultations.

Despite concerns about the volume of data already harvested, Edwards insisted it is not too late for regulators to act.

On a personal note, Edwards revealed that he primarily uses Apple products, believing them to be more privacy-conscious than Android devices. He advised Android users to be cautious about location-sharing settings.

Edwards also noted that while he used VPNs in the past, he has since abandoned them, citing ethical concerns related to his role as a regulator.

Last month, Edwards called on organisations to take greater action to support clients and customers facing the "devastating impact" of data breaches.

In new research, Edwards suggested that 55% of UK adults have experienced some form of data breach.

He highlighted the need for organisations—including businesses, local authorities, and the NHS—to strengthen their data protection measures and provide better assistance to those affected by security incidents.