Information Commissioner Warns Of "Culture Clash" Between Reddit And British Lawmakers
John Edwards was previously the New Zealand Privacy Commissioner from 2014 to 2021 (Alamy)
10 min read
As worries mount over children’s consumption of social media, UK information commissioner John Edwards tells Zoe Crowther that Reddit’s ‘hands-off’ approach does not match up to MPs’ expectations
Sitting in his London office overlooking Southwark Bridge, the information commissioner, John Edwards, lays out his priorities for the year: protecting children online, regulating online traffic and advertising, and tackling the emerging risks of artificial intelligence and biometrics.
The regulator he chairs, now more than 40 years old, has collected plenty of critics, from government to industry, unhappy at the burdensome data protection and Freedom of Information laws it upholds. It can also appear hopelessly outgunned: a small quango up against the might of Silicon Valley.
But the New Zealand lawyer insists that the Information Commissioner’s Office (ICO) looks to “punish” those who do not adhere to data protection laws and that that includes some of the biggest, most powerful tech companies in the world.
The data protection watchdog has recently launched investigations into how TikTok uses personal information to recommend content to teenagers, and into how Reddit and the image-sharing site Imgur verify the ages of their UK users and handle children’s personal data.
These investigations have become all the more timely since the airing of the Netflix drama Adolescence, which sparked widespread discussion in Westminster and beyond about the dangers of children being exposed to extreme online content.
Ofcom, which is headquartered one floor above the ICO’s London workspace, regulates the types of content being shown to young people. Edwards explains that the ICO looks at it “from the other end of the telescope”.
“We want to understand how the data, particularly of young people between the ages of 13 and 18, is being used to keep people on the platform, to maximise the engagement, to keep them on the device,” explains the regulator, who took over the role three years ago after serving in a similar capacity in New Zealand.
“And if we find that there are harms which have gone unmitigated, then that is something that we could treat as a breach of the law and punish.”
What people don’t realise is just how all-encompassing data protection is
While these cases are still ongoing, Edwards clearly believes these platforms are putting children at risk. While he refuses to say which tech giants are the worst culprits, he suggests there are companies for whom “part of their brand is being quite hands-off and non-interventionist”.
He describes Reddit – headquartered in San Francisco – as being one such site: “That’s a platform that does say: ‘We will provide the infrastructure, you come and you have your communities, and you have your content and your conversations.’
“If you’re so open that children can get onto the platform and see things which could be harmful to them, then that’s something that the law in the UK does address, and it doesn’t reflect the expectations of lawmakers here. We are concerned that they don’t appear to be doing anything to prevent children under 13 getting access and keeping them safe if they do.”
A Reddit spokesperson said: “We have been working closely with the ICO... We have plans to roll out changes this year that address updates to UK regulations around age assurance.”
The information commissioner claims that the business model of websites like Reddit leads to a “clash of cultures”, as they say they do not want to “ask questions” about the people who come to their platform.
“We’re in the process of investigating that particular case now, so I can’t say definitively that they are in breach of the law, but it is an example where a different approach that’s come from a different culture may not align entirely with the expectations of British lawmakers.”
He adds that while they have started with TikTok, Reddit and Imgur, the ICO will also be looking into X (formerly Twitter), Tumblr, Pinterest, and “the full range of systems that process data in order to maximise engagement”. The ICO’s investigations will be informed by the growing body of new research exploring the impact of these technologies on young people.
Reddit was founded and launched in 2005 in the US (Alamy)
The ICO is an executive public body that few outside Westminster will have heard of. But Edwards points out that it wields power “right across the economy”.
“What people don’t realise is just how all-encompassing data protection is. If you are an organisation processing personal data, almost without exception, you are subject to GDPR,” he says, referring to General Data Protection Regulation.
Just over four in 10 businesses (43 per cent) reported having experienced some form of cybersecurity breach or attack in the last 12 months, according to a government report in April.
“Public trust is a key issue across the whole ecosystem,” Edwards says.
The main weapon in the ICO’s arsenal is its ability to issue fines, along with the power to hand out enforcement notices and force the deletion of data by public bodies and private companies. In November, the ICO gave a £750,000 fine to the Police Service of Northern Ireland after it shared a spreadsheet detailing personal information of every single member of the service and where they were stationed.
“Given the security environment in Northern Ireland, we decided that was a really significant harm. There were potential threats to life,” Edwards explains.
Where does the revenue from fines go?
“Like most fines in the economy, it just goes back in the government’s coffers. It’s not a money-maker for us. It’s intended to be a signal to the economy that you cannot scrimp on cybersecurity.”
He explains that while the fines themselves are not a hugely significant deterrent for large organisations or companies, the reputational risks are.
With the Labour government keen to emphasise a growth-led policy agenda, Edwards says he does not see a conflict between privacy protection and technological innovation.
“Data protection laws do not prevent innovation,” he insists. “They describe how you adopt it. They set out the guardrails.
“Our preference is that we find solutions to some of these problems, that allow the privacy and data protection benefit without necessarily intruding on competition law and allowing exploitation of market dominant positions.”
People don’t like ‘creepy’ uses of data
But as new technologies emerge, the ICO is presented with new threats across the digital sphere. While the ICO does not currently get “virtually any” AI-related complaints, Edwards says the body spends “a lot of time preparing for and making sure that new deployments of AI are undertaken reasonably”.
He points to potential challenges down the road with ‘agentic’ AI – those systems that can make decisions and perform tasks autonomously, with limited human intervention.
“There are some challenges which I wouldn’t begin to say are fully understood,” he says. “One of the core elements of data protection law is understanding who the data controller is. Who do we hold to account? With agentic AI, that can get a bit murky.”
However, when it comes to the government’s deployment of AI, Edwards is favouring a relatively hands-off approach. He believes there are many ways that No 10 and the Department for Science, Innovation and Technology can find efficiencies through AI that are “fairly low-risk”. In his view, it will be the ICO’s job to continually remind the government of its responsibility to carry out data protection impact assessment and have a good understanding of what “meaningful human intervention” means.
“There’s a lot of low-hanging fruit out there, and I think that’s what Peter Kyle is getting quite excited about,” he says of the Tech Secretary.
Peter Kyle is the Science, Innovation and Technology Secretary (Alamy)
The ICO has also carried out work on making it easier for people to block third-party cookies when they enter websites.
“People don’t like ‘creepy’ uses of data,” he says. “They don’t like the fact that you had one interaction, you gave up personal data, and that led to something that you simply weren’t expecting. So, a lot of data protection is about ensuring that there is transparency and people are informed.”
He claims that by making it easier for internet users to reject cookies, the ICO has freed up “millions of hours of people’s lives that were consumed by clicking these buttons”.
There is still work to be done, however: when you accept online cookies and your data is collected, it can then be sent on to third-party companies, which are able to profile you. “That opaque, underlying industry is something that we’re interested in revealing a little bit more,” Edwards says.
One of the ICO’s more controversial responsibilities is the enforcement of the Freedom of Information (FOI) Act, which entitles members of the public to request information from public authorities. With the 25th anniversary of the FOI Act marked this year, Edwards tells The House that many users of the act find it “doesn’t work as seamlessly as perhaps you might hope”.
An investigation by OpenDemocracy in 2022 revealed that the Cabinet Office operated an FOI ‘Clearing House’ to block FOI requests to government departments. This has since been disbanded, but there are still concerns among transparency activists that government departments and bodies over-use exemptions to avoid releasing information to the public.
“Sometimes things slow down a bit,” Edwards admits. “It shouldn’t happen that way, it should be second nature, but a lot of departments and authorities find the burden really significant – it just takes a lot of resources. There is scope to increase the amount of proactively released information.”
Asked whether he is concerned that FOI laws could be eroded in the future, Edwards says simply: “FOI is the law – it’s not optional that you resource it.”
The ICO also provides training to new MPs on the use of FOIs and the challenges of data protection, as Edwards says “their job is to hold the government to account”.
Processing around 40,000 data complaints a year, the ICO’s work is never done, and its regulatory workload is growing. In the 2023-24 financial year, the ICO received over 15,300 complaints concerning subject access requests (SARs), which allow individuals to request access to the personal data that an organisation holds about them. This marked a 13.5 per cent increase from the previous year. The ICO employs around 1,000 staff and had a total expenditure of just under £90m last year, a 15.3 per cent increase from the previous year’s £75.7m.
With AI and big data increasingly pervasive across nearly every industry, Edwards says it can be a challenge to take on the cases that are most likely to have a wider impact across the economy while also balancing resources to cover emerging issues.
“We have to be very thoughtful about how we allocate our resources,” he says. “If I just took all of our resources – £90m this year – and divided that by 40,000, and spent that much on each of those complaints, that would not have a very useful impact across the economy.
“It would also reward people who are aware of us and who are vocal, and it would not take into account emerging issues.”
Have the ICO’s resources kept up with demand for its work? “You can always do more with more,” he replies.
Following the abolition of NHS England, is Edwards worried that the Labour government could embark on another “bonfire of the quangos”, putting the ICO at risk?
“I think our independence is really important, and the government recognises that,” he says. “But this is not just a thing that depends on whether the government of the day recognises it or not. There are international consequences. Having an independent data protection authority is critical to being considered a safe place for data from other countries.”
