Deeper problems
While this affair is appalling, it cannot become an excuse to overshadow the deeper issues surrounding the ICO and its regulatory function. The fish may be smelling from its head, but it must be reckoned that the whole institution is suffering from deep problems, especially around its timidity in enforcing data protection law, which existed in similar forms during the last Commissioner’s tenure, and long beforehand.
As pointed out by a previous letter, convened by ORG and supported by over 70 experts, the ICO is experiencing a collapse in enforcement action. Data protection is a key instrument to regulate Artificial Intelligence and promote online safety, children protection, workers’ rights, and public service delivery. More and more evidence shows that, without proper regulation and policing of data practices, harms ensue, public trust erodes, and markets fail. Technology is a layer that spreads across all areas of society, and what may look as abstract issues such as data protection can easily undercut government ambitions where it matters.
As the new government moves in, selecting a new Commissioner cannot become a convenient exit door for sweeping the ICO under the proverbial rug. A change of leadership can, however, become a first step to fix the ICO, and bring about meaningful change.
OVERSIGHT MELTDOWN AND THE PUBLIC SERVICE DELIVERY
In 2022, the Ministry of Defence (MoD) leaked sensitive personal data of 18,700 Afghan nationals who had assisted UK forces, and up to 100.000 of their family members. At least “49 relatives or colleagues of affected Afghans have been killed in incidents linked to Taliban reprisals following the leak”, and a “survey of those notified found that 87% had received direct threats to their safety”. The ICO, however, their new “public sector approach” and left the MoD off the hook. First, by reducing a monetary penalty against the MoD. Then, by refusing to take any further action after the repeated nature of the Afghan data breach was revealed.
In 2025, 19 civil society organisations complained to the ICO, asking to take action against endemic data security incidents that have affected the eVisa scheme since 2020. A FOI response revealed that the ICO had already received 851 complaints against the Home Office. The ICO have taken no remedial action to this date, but they have adopted a new complaints handling policy, formalising an approach under which most complaints will be shelved away “for information purposes only”.
In 2025, HMRC carried out a data-driven crackdown on child-benefits, using travel data to suspend payments of recipients deemed to be residing abroad. As a result, 15.000 families were unjustly targeted and accused of fraud. The pilot scheme, which presented obvious red flags, was approved during a DEA Review Board meeting, in the presence of ICO staff. The ICO recently signed a Memorandum of Understanding with the government, promising to adopt a less oppositional stance toward the government.
These examples reveal how the ICO failings are closely linked to its policy choices, and have enabled malpractices to thrive within the public sector. Following the ICO new approach, complaints against public sector bodies have soared, the government were left unchallenged when opposition and accountability was needed. As Dame Chi Onwurah, Chair of the Science, Innovation and Technology (SIT) Select Committee, pointed out, “the use of technology to help grow the economy and improve public services requires the public to trust that their data is being kept secure”. The ICO failure to hold public bodies to account and drive up data protection standards has become a systemic risk that affects these bodies’ ability to carry out their tasks in a safe and effective manner.
ICO GUTTING WORKERS’ RIGHTS
Algorithmic management systems and Artificial Intelligence (Automated Decision-Making, or ADM) are exposing workers to heightened risks of discrimination and wage-theft, hidden under opaque algorithms. These issues are not new to the ICO: their report on the use of ADM in recruitment has concluded “that employers have more work to do to ensure that the use of automated recruitment tools respects people’s information rights”. According to their audit report, the ICO made “almost 300 recommendations to improve compliance”. However, the ICO have taken no enforcement action to remedy the infringement of workers’ rights they found in their audit.
On top of that, workers have successfully challenge discriminatory robo-firings and wage-theft with their right not to be subject to solely automated decision-making, as enshrined in the UK data protection law. When Boris Johnson’s government proposed to remove such right, the ICO lashed against it, and made the counter-proposal to expand such protections “to also cover partly automated decisions”. This critical stance, adopted under the previous Information Commissioner, was quickly shelved after John Edwards took over. The Conservatives’ proposal to gut ADM rights survived the change of government and became law with the Data (Use and Access) Act. As a result, workers in the UK lost the right not to be subject to ADM in most circumstances.
PROTECTING CHILDREN AND ONLINE SAFETY
Protecting children online, tackling online harms and curbing the spread of disinformation are hot political topics. The UK government has signalled the intention to restrict children’s access to social media, a move that would expand existing requirements to age-gate internet services. At the same time, the SIT Committee’s recent report on social media harms identified data-driven recommendation systems and online advertising as major drivers of online harms. Before then, the government has been running the Online Advertising Taskforce with the aim of addressing “illegal harms and the protection of children in relation to online advertising”.
However, the ICO has been pushing for the adoption of age verification systems at all costs and, notably, at the expense of privacy. This does not only risk undermining trust in age assurance policies, but represents an overly-narrow approach to regulation that fails to address the exploitation of personal data which, from age verification, are being repurposed to target online advertising. In turn, advertising data is used to drive up engagement, exploit addictions, and target harmful content.
On top of that, seven years ago the ICO published an update adtech report acknowledging widespread unlawful practices in the sector. As their recent advice to DSIT on how to reform online advertising rules read, “many of the issues associated with RTB that we identified in 2019 still exist today”. The ability to target individuals based on personal data is what exposes problem gamblers to being targeted with ads that exploit their addiction. It allows exclusion from life-changing opportunities on the basis of someone’s gender, sexual preferences, ethnicity or other sensitive characteristics. It exposes children and those in a more vulnerable status to be targeted and taken advantage of.
Against this background, the ICO are shying away from taking regulatory action to address these issues, but they are instead proposing to lower legal protections against online tracking and profiling. Likewise, the ICO gave the green light to Meta to rely on consent or pay, against their own guidance and in stark contrast to the European Union, where Meta’s practice was deemed unlawful on the basis of equivalent data protection rules. Estimates have shown that, if consent or pay takes hold, “keeping your phone private could soon cost around € 8,815 a year”. Whereas privacy ought to be a right, lack of proper regulation of the digital economy risks turning it into a cost of living issue.
WHAT THE GOVERNMENT CAN DO
The upcoming government has signalled appetite to move beyond a laissez-fair approach to digital regulation, and toward a more direct intervention to ensure markets and the public sector deliver. The ICO have a role to play in materialising this vision, but the government will need to promote bold changes and learn from past mistakes. In particular, the previous government quickly moved in to politicise regulators’ work and appease US big business. As we have seen with the ICO, this approach is, ultimately, a recipe for failure: lacking sufficient arms length from the government, the ICO has been failing to properly supervise public bodies, allowing data malpractices to spread. Also, weak regulation around harmful advertising comes as a direct consequence of the commitments the ICO have taken with the government. The next government will need to reverse this pernicious direction of travel and restore the independence of the ICO. As proposed by Gordon Brown’s report, the government should consider transferring responsibility for the ICO to Parliament.
The meltdown of the ICO leadership underscores the need to restore integrity at the top. This goes beyond workplace behaviour: the ICO have a long track record of revolving doors, where senior staff and leadership members often end up working for the industries or companies they were meant to police. Establishing proper boundaries against corporate influence is necessary to preserve the integrity of the ICO regulatory action. As we have long advocated for, the UK could draw from the California Privacy Agency and introduce a stay-period during which senior ICO figures are prevented from accepting jobs from the organisations and sectors they regulated.
Finally, the ICO need an overhaul of its regulatory and enforcement posture. ORG and others have previously called on the SIT committee to open an inquiry to explore what these changes could be. In the meanwhile, there are some obvious, low-hanging fruits the new government can reach to. As we argue in our petition, the government needs to clarify that effective monitoring and enforcement of regulatory requirements are the main objective of the ICO, and should take precedence over other considerations. This should include a clear duty to investigate complaints, and to remedy non-compliant behaviour. Individuals should also be given a clear and functioning avenue to appeal against ICO decisions when they fall short of upholding their information rights.
The government have an opportunity ahead. By restoring effective oversight of data protection rule, they can set the stage for trustworthy public sector delivery, innovation that benefits workers, and a digital economy that works for the British public, not a bunch of US tech companies. It is now up to them to seize it.
