A large coalition of over 70 civil liberties advocacy groups, academics, and legal experts is demanding a formal inquiry into the United Kingdom’s primary data protection body, the Information Commissioner’s Office (ICO), citing what they describe as a “collapse in enforcement activity.” Their letter to Parliament’s Science, Innovation and Technology Committee contends that the ICO is suffering from profound “structural failures” that have undermined its ability to regulate effectively. The signatories allege that this consistent failure to pursue enforcement actions, particularly against public sector agencies, has coincided with an 11% rise in reported data breaches and an 8% increase in data protection complaints.
The group’s immediate demand for an inquiry focuses heavily on the regulator’s decision not to investigate the Ministry of Defence (MoD) for a 2022 data leak involving Afghans who had worked alongside the British government. Information Commissioner John Edwards defended this decision despite research, produced by a refugee advocacy group and British university academics and submitted to a parliamentary committee, indicating that at least 49 people were reportedly killed as a result of the breach. Open Rights Group’s legal and policy officer, Mariano delli Santi, stated that the ICO’s inaction in what he termed the “most serious data breach in UK history” served as “the final straw” after years of failing to hold public sector organizations to account.
While the coalition also complained about the ICO’s lack of enforcement in the private sector, their greatest frustration is directed at the regulator’s lenient approach toward government bodies. The ICO’s public sector strategy emphasizes avoiding severe penalties and fines for agencies involved in breaches, a practice the signatories argue must end before further harm is caused by data lapses within government and public authorities. The regulator has defended its decisions, stating the Afghan data breach was a “one-off occurrence” that didn’t reflect a wider culture of non-compliance. However, documents obtained via freedom of information requests revealed there were actually 49 separate data breaches at the MoD over the preceding four years.
The signatories’ letter to Parliament describes a pervasive culture of passivity within the ICO, arguing that the handling of the Afghan incident is not an anomaly, but one example of many failures to effectively use its corrective powers. The cited instances of this perceived leniency are serious cases in which the ICO issued mere reprimands or drastically reduced fines. These include a reduced fine against the Police Service of Northern Ireland (PSNI) after the personal data of 9,400 officers and staff was leaked in 2023, and a reprimand for the Electoral Commission despite its lack of appropriate security measures, which allowed malicious actors to access 40 million UK residents’ election records.
This systemic retreat from enforcement is also evident in the investigation of cyber incidents, particularly ransomware attacks. In 2019 and 2020, the ICO investigated over 99% of 605 reported ransomware incidents. By contrast, only 87 of 1,253 incidents reported in 2023 were investigated, and the trend continued into the first half of 2024 with only 19 of 440 cases probed. The coalition concluded that change seems improbable unless the Science, Innovation and Technology Committee steps in and utilizes its oversight powers to compel accountability and reform.