The data protection complaint-handling performance of the Information Commissioner’s Office (ICO) is currently in very clear crisis.  Despite its pledge to assess and respond to 80% of such complaints within 90 days, the percentage of cases where such an outcome has not been achieved has ballooned from 15.2% in 2023/24 to 70% in 2024/25 (a 360% increase).

Moreover, notwithstanding the UK GDPR’s explicit guarantee of an “effective judicial remedy” where the ICO fails to inform the data subject on a complaint’s progress or outcome within 3 months (art. 78(2)), automated emails from the ICO indicate that it is now taking around 29 weeks (203 days) to even assign new complaints to a case officer.  Linking this to a much more modest (25%) increase in the number of complaints over the past two years, which it peremptorily asserts has arisen from people becoming “increasingly aware of their data protection rights”, the ICO is now proposing to radically curtail its handling of complaints so that many will not be investigated but will merely be “record[ed] for information purposes”.  A consultation on this, primarily directed at data controllers rather than data subjects or those who seek to represent them, is currently live (and will close on Friday 31st October).

Given that the law imposes an “objective test [of] what is ‘appropriate’ by way of investigation” on the ICO and ordinarily expects it at least to “reach and express a view about the likelihood” (at [80]) of infringement, any such change would seriously exacerbate the current legal failings.  Binding case law also affirms that the ICO’s “primary responsibility is to monitor the application of the GDPR and to ensure its enforcement” (at [108]), and it is the increasing failure of the ICO to act consistently with this which lies at the core of these problems.  Thus, not only have complaint handling and investigation clearly been deprioritised but, despite generally being stable since the introduction of the General Data Protection Regulation (GDPR), complaint numbers have recently (more modestly) increased alongside a significant drop-off in ICO regulatory action.

This belies any notion that this change has been caused by growing rights awareness and suggests strongly that it has resulted, at least in part, from a growing and widespread lack of respect for the law by controllers.  The ICO should therefore abandon its proposed restriction of its complaint-handling function and commit to a proper prioritisation of its monitoring and enforcement tasks including responding appropriately to complaints both at a procedural (including investigatory) level and substantively.  Unless this happens, those who rightly understand complaints to be “not similar to that of a petition” but rather “a mechanism capable of effectively safeguarding the rights and interests of data subjects” (at [58]) will have ongoing and increasing cause to complain about the ICO’s track-record and approach.

ICO Complaint and Regulatory Action Trends

As previously stated, the ICO claims that “[a]s people become more aware of their data protection rights, [they] are receiving more complaints about organisations”.   In fact, using data drawn from the ICO’s Annual Reports, Chart 1 demonstrates that the volume of complaints has generally proved stable since the introduction of the GDPR (now the UK GDPR).

Chart 1 – Number of Data Protection Complaints ICO Received 2018/19 to 2024/25

This Chart also shows that, notwithstanding this long-term stability, there has been a clear increase in the number of complaints from 2023 onwards.  That much shorter period dovetails with a significant and express move away from formal regulatory action by the ICO under John Edwards’ leadership.  This has been made most clear in the peremptory degrading of monetary penalties from 2022 onwards vis-à-vis State entities under the so-called ‘public sector’ approach (which was later confirmed in 2024).  However, similar trends have been apparent across the board, including vis-à-vis the private sector.  Thus, despite fines lying “at the heart of the enforcement system introduced by the GDPR” (at [25]) and a peak of almost £40m of fines being achieved by the ICO in 2020/21, the quantum of data protection fines issued since has – as Chart 2 below indicates – declined significantly.

Chart 2 – Nominal Value of ICO Data Protection Fines 2020/21 to 2024/25

Moreover, using data sourced from the Annual Reports as well as an FOI response, Chart 3 demonstrates that, although the ICO initially shifted to use of the much weaker tool of reprimands (which have no direct legal effect), even these have significantly declined from 2023 onwards.

Chart 3 – Number of ICO Data Protection Reprimands 2020/21 to 2024/25

Therefore, although further exploration of this would clearly be helpful, it appears likely that the rise in complaints has been driven by a visible deprioritisation of formal regulatory action leading to a (perhaps rather rational) deprioritisation of data protection and data rights compliance on the part of UK controllers.

ICO Enforcement and Complaints Duties and Stance

Of course, if the ICO were mandated to deprioritise formal regulatory action in order to fulfil its legal tasks in general, then the evidence cited above could provide no answer to this.  In fact, the reverse is true.  Binding EU Court of Justice case law from as far back as 2020 made clear that the ICO’s “primary responsibility is to monitor the application of the GDPR and to ensure its enforcement” (at [108]), yet even at this point the ICO was proudly stating that it “devotes around three quarters of its resources” to what it termed “proactive engagement activities”.  The written law itself is clear that the ICO must comprehensively respond to infringements of the UK GDPR through “effective, proportionate and dissuasive” fines (art. 83), with Recital 148 stating that as regards organisations alone “fines should be imposed for any infringement” unless “minor”, in which case “a reprimand may be issued instead”.  These strictures are impossible to square with a reality where the ICO issued just 2 UK GDPR fines in 2024/25, a figure which compares very unfavourably to the (still low) figures of more than 200 in countries like Germany and Spain.

Much the same concerns apply to the ICO’s approach to data protection complaints including, most particularly, its current proposals to degrade its response to many of these.  Under the UK GDPR, the ICO is obliged to handle and “investigate, to the extent appropriate, the subject matter” of all complaints, must “inform the complainant of the progress and the outcome of the investigation within a reasonable period” (art. 57(1)(f)) and, in any case, must “inform the data subject within three months on the progress or outcome of the complaint” (art. 78(2)).  Even case law originating from within the UK has confirmed that these time limits are (theoretically) binding (at [33]), that although the law does grant the ICO considerable discretion as to the depth and priority it gives to specific complaints it also imposes an “objective test [of] what is ‘appropriate’ by way of investigation” (at [84]), and that the ICO is ordinarily expected at least to “reach and express a view about the likelihood” (at [80]) of infringement.  Thus, in EW (2021) – which involved the alleged unlawful failure of a Council to respond to interrelated subject access requests (SARs) from a single individual whose status as a young person was deemed “not relevant” (at [32]) – the Upper Tribunal issued an order requiring that (irrespective of its other regulatory priorities or other ongoing investigations) the ICO:

  1. Must take appropriate steps to respond to EW’s complaints by (i) within 14 days of the promulgating of this decision, initiating correspondence with the relevant officials at the Council with a view to determining the basis on which EW’s SARs were refused and (ii) having considered any responses provided by the Council, assessing whether or not those refusals (or any of them) were lawful
  2. Must conclude the investigation of EW’s complaints within 2 months of the date of the promulgation of this decision and, having concluded such investigation, inform him by the end of that time of the outcome of his complaints. (at [118])

Turning to the ICO’s complaints track-record, its manifest failure to devote sufficient resources to progress the vast majority of these within anything like the permissible statutory timeframe of three months (UK GDPR, art. 78(2)) has already been noted.  Moreover, despite the clear requirement to handle each complaint “with all due diligence” (at [109]), it is far from clear that such a standard is met vis-à-vis investigations even now.  What is manifest is that the proposals now announced by the ICO would take such concerns to an entirely new level.

The ICO’s New Complaint Proposals

Based on an erroneous understanding that the law only obliges the ICO to investigate “to the extent we [ICO] consider appropriate” rather than laying down an objective standard, the ICO proposes to reject investigation in many cases and just “record the complaint for information purposes”.  The proposals as published fail to provide any clarity as to when such a refusal to investigate would occur (and indeed indicate that the threshold would shift over time).  Nevertheless, the consultation document makes clear that this would often rest not on the merits of the complaint itself but rather on whether many or increasing complaints are received about the same controller (thresholds of six complaints within two months or a 50% increase compared to the previous month are mentioned).  This would mean that many complaints, especially but not only those concerning small and medium-sized controllers, would simply not be investigated at all, let alone investigated to the point of at least enabling an assessment of likely compliance or non-compliance.  It should be clear that such an approach would not be consistent with UK GDPR requirements.  Thus, as there would have been no investigation, it would clearly not be possible for the ICO to inform the complainant of the “outcome of the investigation” (art. 57(1)(f)).  Moreover, it would appear perfectly possible that a complaint such as that in EW would not result in an investigation, and certainly not the sort of investigation ordered by the Upper Tribunal, despite this case being a clear exemplar of what the objective standard of appropriate investigation set out in the law requires.

The Duty to Use Corrective Powers

Data subjects are entitled not only to be informed of a credible factual finding based on an appropriate level of investigation but also a substantive outcome which is consonant with the ICO’s obligation to ensure that the UK GDPR “is fully enforced with all due diligence” (at [112]).  In other words, there is an umbilical relationship between the monitoring of compliance including through complaint-handling and the ICO’s enforcement responsibilities.  This follows from the fact that such a complaint is “not similar to that of a petition” but rather “is designed as a mechanism of effectively safeguarding the rights and interests of data subjects” (at [58]).

In the recent persuasive case of Land Hessen, the EU Court of Justice considered the GDPR’s requirement for a supervisory authority to “react appropriately in order to remedy the shortcoming found” (at [33]) following investigation of a complaint.  It held that where a GDPR breach was established the authority could only “exceptionally and in light of the particular circumstances of the specific case” refrain from “exercise of a corrective power”, and even then only “provided that the situation in which the GDPR was infringed has already been made good and that the processing of personal data by the controller in compliance with that regulation is ensured, and that such non-exercise on the part of the supervisory authority is not liable to undermine the requirement of strong enforcement of the rules” (at [46]).  It is manifest that the ICO’s response, even to complaints which themselves demonstrate manifest and ongoing legal failings, falls far short of any such standard of appropriateness and, although not focused on substantive outcomes, the proposed framework’s emphasis on the ICO’s own “strategic priorities” suggests that it may intend to adopt an even more discretionary approach in the future.  On the other hand, despite this not even being referred to by the parties in the case at issue, the Upper Tribunal in Smith v Information Commissioner has already flagged that “[w]hat the Court of Justice says in Land Hessen may have some bearing on the approach that the High Court might take in future to judicial reviews of decisions of the Commissioner in relation to GDPR compliance” (at [58]).  It is to be hoped that this will be so and that rather more accessible oversight bodies such as the Commons’ Science, Innovation and Technology Committee will also take note.

Conclusions

As part of its overarching duty to ensure strong enforcement, the law requires the ICO to respond appropriately to data protection complaints both at a procedural (including investigatory) level and substantively through the use of formal corrective powers.  In reality, the vast majority of UK GDPR complaints are not being progressed within anything like the maximum statutory period of three months, it is far from clear that these complaints are subject to appropriate investigation and, even though investigations must often reveal manifest and ongoing legal failings, the ICO has made little and decreasing use of its formal corrective powers.  Despite, or perhaps – albeit indirectly through increased noncompliance – because of this, complaints to the ICO have been growing.  The ICO is now proposing to refuse to investigate (and therefore only record for information purposes) many complaints unless there is a considerable number or a considerable increase concerning the same controller.

If implemented, the ICO would be unable to discharge its legal obligation to inform the complainant of the “outcome of the investigation” (UK GDPR, art. 57(1)(f)) as there would have been none and it appears quite possible that its refusal to investigate could even capture cases similar to the access request in EW where the Upper Tribunal held that very clear investigatory steps were legally mandatory.  The proposed approach would inevitably lead to many noncompliant controllers, especially small and medium-sized ones, not being subject to any form of ICO investigation and this could well exacerbate the lack of respect for legal rights and duties which data subjects often experience.  Both through the current consultation and more generally, these proposals should therefore be opposed and the ICO encouraged to genuinely prioritise its monitoring and enforcement functions including in its procedural and substantive response to complaints.  Unless and until this happens, data subjects who reasonably expect the ICO’s complaint process to operate not as a form of petition but rather as a mechanism capable of effectively safeguarding their rights will have good cause for concern and indeed complaint.

David Erdos is Professor of Law and the Open Society and Co-Director of the Centre for Intellectual Property and Information Law in the Faculty of Law and WYNG Fellow at Trinity Hall, University of Cambridge. He is also a fixed term member of Matrix Chambers.