UK privacy regulator has seen ‘collapse in enforcement activity,’ rights coalition says
More than 70 civil liberties advocacy groups, academics and legal experts are calling for an investigation into a “collapse in enforcement activity” by the United Kingdom’s principal data protection regulator.
The group’s letter to Chi Onwurah, who chairs Parliament’s Science, Innovation and Technology Committee, contends that the Information Commissioner’s Office is plagued by deep “structural failures.”
It also alleges that a lack of enforcement actions by the ICO, particularly against public sector agencies, has led to an 11% increase in reported breaches and an 8% increase in data protection complaints.
The group’s call for an inquiry from the technology committee focuses on the regulator’s failure to investigate the Ministry of Defence (MoD) for the 2022 leak of data belonging to Afghans who had worked for the British government.
Information Commissioner John Edwards defended the decision not to probe the MoD last month despite research submitted to a Parliament committee probing the incident suggesting that at least 49 people have been killed as a result of the leak. That research was produced by a nonprofit advocacy group for refugees, as well as academics at two British universities.
“After years of failing to hold public sector organisations to account, the failure of the ICO to investigate the most serious data breach in UK history is the final straw,” Mariano delli Santi, Open Rights Group’s legal and policy officer, said in a statement.
The signatories complained that the ICO has also failed to take enforcement action over private sector data breaches, but focused their ire on the regulator’s approach towards the public sector, which emphasizes avoiding fines and serious enforcement action for agencies affected by breaches.
“The ICO’s public sector approach must end before more people are harmed by data breaches at the hands of the government and public authorities,” delli Santi said in the statement.
The ICO has said that the Afghan data breach was a “one-off occurrence following a failure to [adhere to] usual checks, rather than reflecting a wider culture of non-compliance,” but documents provided to the BBC under freedom of information requests revealed 49 separate data breaches at the MoD in the last four years.
In their letter to Onwurah, the signatories complained of a culture of passivity, saying “the handling of the Afghan data breach is not an isolated case; many are being let down by the ICO and its numerous failures to use corrective powers.”
“Change appears to be unlikely unless the Science, Innovation and Technology Committee uses their oversight powers and steps in,” they said.
The ICO has merely issued reprimands or drastically reduced fines in several cases, including when a contractor at the Home Office recorded victims of the Windrush scandal “without recorded consent on a private phone and uploaded the films to her personal YouTube account, outside of Home Office systems,” Open Rights Group said.
The Windrush scandal involved the wrongful detentions and deportations of Caribbean immigrants.
The ICO also slashed a fine against the Police Service of Northern Ireland (PSNI) after data belonging to 9,400 police officers and civilian staff were leaked in 2023, the group said, and it only issued a reprimand to the country’s Electoral Commission after malicious actors accessed 40 million U.K. residents’ election records.
“This was despite the fact that the Electoral Commission did not have appropriate security measures in place and had not kept its servers up to date with the latest security updates,” they said.
There has also been a marked decrease in investigations of ransomware incidents by the ICO in recent years.
Only 87 of the 1,253 incidents reported to the regulator in 2023 were investigated. Nineteen of 440 incidents reported in the first half of 2024 were probed.
In 2019 and 2020, more than 99% of 605 ransomware incidents were investigated by the ICO.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.



