UK knowledge regulator slammed over lack of motion on complaints

The Good Legislation Challenge and Open Rights Group have threatened the UK knowledge regulator with authorized motion after accusing it of “brushing apart” 1000’s of knowledge safety complaints from the general public, a scenario they declare might be made worse by its new method to grievance dealing with.

Below the UK’s Basic Knowledge Safety Regulation (GDPR), the ICO has a authorized responsibility to safeguard privateness by implementing knowledge safety legal guidelines and investigating complaints. However regardless of being “flooded” with almost 40,000 complaints in 2025, the regulator ended up issuing solely a handful of fines.

Based on the GLP and ORG, that is a part of a sample: regardless of receiving greater than 220,000 complaints over the previous six years, the ICO has handed out a mean of lower than seven fines a yr. They stated this creates an setting the place organisations can “trip roughshod” over knowledge safety guidelines with virtually no prospect of a sanction.

The teams stated issues will solely be made worse by the ICO’s new grievance dealing with framework, which they declare will make it more durable for many complaints to be taken significantly. Below that framework, printed 5 February 2026, complaints are triaged based mostly on the ICO’s evaluation of how dangerous the alleged apply is, which the regulator stated will assist “focus our restricted sources the place we will make the most important distinction”.

Outdoors the extent of hurt, the ICO will even take into accounts the influence on weak people, the variety of individuals “considerably” affected by the grievance, the relevance of the problem to the regulator’s strategic priorities, and most people curiosity in investigating the grievance.

The framework is the results of modifications to UK knowledge safety legislation ushered in by the DUAA, which requires organisations to have an information safety complaints course of in place by 19 June 2026.

Nevertheless, the GLP and ORG stated that if the watchdog decides the impacts of a grievance are of both low or reasonable hurt, it robotically cabinets them away “for info functions solely”, with no investigation or problem to the businesses accountable.

They added if there are zero penalties for almost all of knowledge safety legislation breaches, then UK GDPR primarily turns into an “non-obligatory additional” that leaves members of the general public in a scenario the place they both need to let companies trample over their privateness rights, or take the danger of an costly battle with them in courtroom.

Based on pre-action correspondence from the GLP and ORG – authored with the assistance of knowledge safety legal professionals from Mischon de Raya – the ICO’s grievance dealing with framework is “inconsistent” with the UK GDPR and the excessive stage of safety for private knowledge it’s designed to attain.

“Because of the operation of the framework, it’s envisaged that important variety of complaints are triaged and logged for info functions however by no means investigated,” they wrote, including whereas no precise figures have been supplied within the ICO’s influence evaluation, it’s anticipated that this quantity might be substantial.

The correspondence additional outlined how there may be “a fabric distinction between the triaging of complaints and their investigation”, which implies sure components of UK GDPR can’t be glad underneath the brand new framework; how the framework undermines the legislations complaints mechanisms; and the way it will finally preclude the ICO from taking “corrective measures” in opposition to corporations, which it should usually accomplish that when there was an infringement, save for “distinctive” instances.  

In response, the regulator advised GLP and ORG that its preliminary screening and sorting course of legally counts as an “investigation”, and maintained that it has “unique discretion” over easy methods to deploy its sources.

For Duncan McCann, Good Legislation Challenge’s tech and knowledge lead, the ICO’s framework makes clear the regulator was “by no means occupied with defending our knowledge rights”.

“The ICO has lastly stated the quiet half out loud,” McCann stated. “Until you’re dealing with severe and ongoing hurt, the regulator will simply chuck your grievance in a digital bin. This places each certainly one of us in danger from unscrupulous corporations who’re cavalier with our knowledge.”

The GLP added that “shuffling a grievance right into a digital submitting cupboard is a bureaucratic box-ticking train, not a significant evaluation of info”, and dedicated to taking authorized motion if the ICO “carries on utilizing this technique as a protect to disregard legitimate complaints”.

Laptop Weekly contacted the ICO concerning the potential authorized motion from GLP and ORG, in addition to claims made about its inactivity on complaints.

“The quantity of complaints we obtain is at a document excessive. We should be strategic in how we deal with them, focusing our finite sources on complaints the place there may be the best threat of hurt and the place our intervention could make the most important influence,” stated an ICO spokesperson.

“We ran a session on our proposed new method final yr, giving each organisations and the general public the chance to supply suggestions and form the ultimate framework. We stay dedicated to delivering proportionate and well timed responses for each buyer, whereas driving knowledge safety compliance and accountability from organisations.”

The regulator was beforehand accused in April 2026 of dragging its toes on a call on whether or not to formally examine the House Workplace’ digital visa (eVisa) system for knowledge safety points, with digital rights teams highlighting the “excessive quantity” of knowledge high quality and integrity errors linked to the scheme which have prevented individuals from having the ability to reliably show their immigration standing.

In a single case solely reported on by Laptop Weekly, the technical errors with knowledge held by the House Workplace have been so extreme that the regulator beforehand discovered there had been a breach of UK knowledge safety legislation.

Talking with Laptop Weekly, the individual affected stated that ongoing technical errors with the eVisa system meant his account continued to show an expired pupil visa, as a substitute of his new partner visa, and fallacious passport info for nearly half a yr.

Figures launched throughout a judicial evaluate in opposition to the system – which was finally dismissed – present that between April and October 2025, 116,011 eVisa enquiries have been submitted by members of the general public to the House Workplace, 81,461 (70.2%) of which associated to errors that subsequently needed to be addressed.