Avid readers of this blog (and we trust there are many of you!) will recall that the UK government recently published a white paper. The white paper sets out the UK government’s approach to regulating the internet to tackle online harms. The Information Commissioner’s Office (ICO) has just published the Information Commissioner’s (Commissioner) full response to the white paper.

Key takeaways

The Commissioner acknowledges the need for the white paper. She notes the declining amount of trust placed by users in large technology companies to protect them online. However, the Commissioner believes that the white paper’s approach is too fragmented. The response explains how more needs to be done to ‘knit together’ disparate regulatory regimes, which are overlapping in the white paper.

Other key takeaways include:

  • The Commissioner is disappointed that the white paper does not do more to address electoral interference and a lack of transparency in online political advertising. In particular, the Commissioner highlights micro-targeting as a key risk that should be addressed.
  • The Commissioner also underlined the fact that GDPR has only been in force for a little over a year. In particular, “understanding of the effectiveness of some of its new principles and measures” and the ICO’s enforcement powers “will become clearer over time”. Despite this, the Commissioner acknowledges that the first year of GDPR has seen organisations noticeably improve their data accountability systems and transparency disclosures. The Commissioner expects that these processes can be leveraged to align with any future regulatory regime that results from recommendations in the white paper. The Commissioner is particularly supportive of the proposal to allow certain bodies to bring ‘super complaints’ to regulators.
  • The Commissioner acknowledges that more can be done to promote digital literacy. The Commissioner described current efforts as “disparate” and not “fully cutting through to the wider population”. The Commissioner recommends that more should be done to coordinate efforts in this area to ensure coherence and avoid duplication.
  • The Commissioner is hesitant about the creation of an online harms regulator dealing directly with user complaints. She believes that the “sheer volume” of first-line complaints would make direct intervention by a regulator impractical. Instead, the Commissioner recommends that first-line complaints be dealt with by platforms themselves. Any new regulator could review the systems and controls put in place by those platforms. Alternatively, the Commissioner moots bringing together existing regulators under the auspices of a single committee which can coordinate the regulation of online harms. This approach would maintain clear independence between different regulators. It would also address the problem that a single new regulator would “be victim to a number of conflicts within its huge range of overlapping regulatory remits”.
  • The most attention-grabbing provision in the white paper is the proposal for a new duty of care to be imposed on online platforms. The Commissioner acknowledges that it will take time to implement and develop case law around any new duty of care. This delay means that visible and immediate action in the interim is necessary. The Commissioner recommends introducing “specific regulation with effective sanctions for the regulator”, possibly based on the codes of practice mechanism outlined in the white paper.


The Commissioner’s response vividly demonstrates how there is much still to do to rationalise the UK government’s recommendations before any can be implemented. However, a lot of regulatory energy has recently been spent on this topic, with input from Ofcom, the Competition and Markets Authority, and the Centre for Data Ethics and Innovation. As such, we expect further developments in this area. In the meantime, keep an eye on this blog for further updates on this and other developments with privacy regulation in both the UK and EU.