“2018 was the year that people have woken up to the importance of privacy and have begun to bite back at big tech”.

This was the view expressed by James Dipple-Johnstone, Deputy Commissioner (Operations) at the UK Information Commissioner’s Officer (ICO), during his recent speech at the Institute of Directors in London.

The speech focused on the ICO’s regulation of tech giants in the digital age. It highlighted the many benefits of big tech and big data, indicating that their influence and importance is only likely to grow. However, his speech also stressed that there are deep public concerns about the business models of some tech giants and their increasingly opaque uses of personal data.

Three main topics were addressed:

  1. The need for balance between privacy and innovation.

As technology advances, it will become more difficult for individuals to obtain a clear explanation about how their data is used, or even when it is being processed. It is important that the public know what their legal rights to privacy are and are reassured that technology is not racing ahead without regard to those rights.

The Deputy Commissioner made it clear that bigger organisations present some of the greatest risks to individuals’ rights and freedoms.

2. Enforcement.

The Deputy Commissioner highlighted the flexibility of the ICO’s enforcement regime and how the ICO will use this flexibility to achieve the balance between privacy and innovation.

By way of example, when the Royal Free NHS Trust (the Royal Free) allowed a third party access to 1.6 million patient records for the purpose of trialling a new alert, diagnosis and detection system for acute kidney injury, the ICO required the Royal Free to sign an undertaking committing it to a range of measures in order to safeguard public data rather than imposing a fine. Why? Because the ICO did not want to stifle the potential for creative uses of patient data, allowing innovation to proceed while still protecting privacy.

Examples of the ICO’s recent enforcement activities were provided to demonstrate how the ICO will also take a preventative approach where necessary. This preventative approach includes identifying unreasonable risks and using its powers to prevent problems before they became more serious.

3. Collaboration.

Recognising the multinational scope and reach of big tech firms, the Deputy Commissioner commented that data does not recognise borders. Consequently, the ICO is focusing on even greater collaboration and innovation, domestically and internationally, with other regulatory bodies and governments. This strategy will continue post-Brexit.


The Deputy Commissioner’s speech provides an insight into the ICO’s enforcement approach in regulating the tech industry.

Moving forwards, organisations, and tech giants in particular, can expect to see more of the ICO’s preventative approach in the future. A close eye will be kept on the bigger tech organisations, which process the largest volumes of personal data. However, the speech reinforces the ICO’s preference for collaboration over sanctions, and the ICO continues to encourage organisations to engage with it to resolve issues at an early stage.