Lawmakers urged to act on ‘severe’ failings of the ICO

UK and European lawmakers must take a long hard look at the record of the Information Commissioner’s Office, following “a severe and serious weakening of information rights regulation” under the current regime, which is threatening its primary role to “robustly protect people’s personal data”.

That is the rallying cry of Cambridge don Professor David Erdos, whose remarks come as Brussels has embarked on a major consultation on whether to renew the UK’s data adequacy deal with the EU, which expires in December this year and is estimated to be worth £161bn a year to the British economy.

This week, the European Commission concluded that the UK’s new Data (Use & Access) Act continues to provide data protection safeguards that are equivalent to those provided by the EU, but it now faces a much sterner examination by the European Data Protection Board, the European Data Protection Supervisor, and the European Parliament.

And, in a stinging attack on the regulator, Professor Erdos maintains that the ICO’s annual report – published last week – exposes a catalogue of failures in terms of enforcement action, made even more pertinent following the regulator’s refusal to act over the “egregious data breach” which put up to 100,000 Afghans at risk of grave harm and possibly even caused death.

In a blog post, Professor Erdos, who is co-director of the Centre for Intellectual Property & Information Law in the Faculty of Law and WYNG Fellow at Trinity Hall, as well as an associate member of Matrix Chambers, unleashes a highly detailed analysis of what he claims are the ICO’s failings.

He writes: “Despite even last year’s [annual report] generally revealing formal enforcement such as fines, criminal prosecutions and criminal cautions which were in the single digits only, [this year’s] report now omits any reference to UK GDPR enforcement notices (as there were none at all during 2024/25) and states that there were just two UK GDPR fines during the year (which compares to over 200 in both Germany and Spain) and that even the number of outcomes resulting in reprimands fell from 31 to just 9 (a 70% reduction).

“It also reveals that the number of reported data breaches which even resulted in a GDPR investigation (let alone enforcement action) dropped from a mere 6% to just 3%.”

Professor Erdos points out that, at the same time, the number of data protection complaints which received no response during the expected 90-day timeframe soared from just 15.2% in 2023/24 to 70% in 2024/25 (a 360% increase).

He argues that binding European Court of Justice case law has affirmed that a data protection authority’s “primary responsibility is to monitor the application of the GDPR and to ensure its enforcement”, that it must handle complaints received from data subjects “with all due diligence” and that, using its formidable investigatory and corrective powers, it must “execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence”.

However, unlike Germany and Spain, where this strong duty to enforce has led to hundreds of fines and other formal regulatory actions, Professor Erdos believes the ICO’s accelerating stance points strongly away from any expectation of regular and concrete regulatory action.

He once again cites the ICO’s Annual Report for 2024-25, which reveals that there were only 43 UK GDPR investigations in this year compared to 285 in 2023-24 (less than a fifth of the previous year’s total), and that not a single UK GDPR enforcement notice was issued.

Meanwhile, as Decision Marketing reported last week, just two UK GDPR fines were issued totalling £3.8m (compared to three fines totalling £13m in 2023/24), while PECR fines (and related notices) were down to nine and £890,000 compared to 26 and £2.59m in 2023/24 which again represents an approximate 65% decrease.

Professor Erdos maintains that these issues have been primarily driven by “a deeply rooted ICO internal culture which has been fuelled by a lack of effective accountability mechanisms for data subjects and by an Information Commissioner who has publicly set his face against full use of the UK GDPR’s powers”.

He acknowledges that this has not been helped by the Government pressuring regulators to prioritise growth “despite, in the ICO’s case, abundant evidence of a need for it to do far more to prioritise its core responsibility which is to robustly protect people’s personal data”.

Professor Erdos concludes: “Whilst taking into account the positive guidance and publicity which has been forthcoming from the UK ICO over recent years, it is imperative that the UK Parliament, the European Data Protection Board, the European Data Protection Supervisor, and the European Parliament all ask some tough questions about the practical reality of regulatory enforcement in the UK during the upcoming [data adequacy] review, including what can be done to reverse some very worrying trends.”
