Privacy Lost in Paperwork

ICO’s Collapse Shows It’s No Longer Fit for Purpose

Data protection · ICO accountability · public-interest opinion

The Information Commissioner’s Office was once seen as a champion of information rights. Critics now argue that delay, weak enforcement, tribunal reversals and failures to protect vulnerable complainants show a regulator no longer fit for purpose.

  • Jurisdiction: United Kingdom
  • Focus: ICO performance, enforcement and proposed replacement
  • Audience: data subjects, complainants, policy-makers and campaigners
  • Format: Legal Lens opinion piece

Publication snapshot

  • The article argues that the ICO’s complaint-handling performance and enforcement record have deteriorated sharply.
  • It considers tribunal reversals involving Clearview AI, Experian and Scottish Borders Council.
  • It highlights the human impact of ICO inaction, including failures around subject access requests.
  • It argues that replacement by a genuinely independent and enforcement-focused Information Commission is required.

A watchdog in decline

The UK’s data protection watchdog, the Information Commissioner’s Office, was once seen as a champion of information rights. Today, its decline in performance and credibility has led critics to call for it to be dismantled and replaced.

From the collapse in public complaint handling, to courtrooms overturning enforcement actions, to failures alleged in cases involving vulnerable victims, the picture painted by critics is stark: a regulator that no longer commands confidence.

Core argument: the article does not merely call for better resourcing or cosmetic reform. It argues that the current regulatory model is beyond repair and needs wholesale replacement.

A year of decline and delay

Nothing illustrates the ICO’s dysfunction more starkly than its own performance data. The draft records that in Q3 2024/25, only 12.3% of data protection complaints were assessed and answered within 90 days, down from 88.2% in the same quarter a year earlier.

That means nearly nine in ten people who turned to the ICO for help with a data issue in late 2024 were left waiting more than three months for a response. The figure sits far below the ICO’s stated target of resolving 80% of complaints within 90 days.

Complaint backlog

The draft notes that complaints open for more than a year surged to 279 cases, up from 66 in the previous quarter.

Capacity pressures

The ICO has attributed declining performance to surging demand and reduced capacity, while apologising for delays.

Automation failure

Plans to automate complaint handling and transform processes are criticised as failing to produce timely relief for the public.

Weak enforcement

The draft says that, out of more than 36,000 data protection complaints completed in 2024, the ICO issued only 12 reprimands.

The criticism is simple: closing complaints is not the same as enforcing rights. Under an “advisory first” and proportionality-focused approach, the ICO is accused of becoming a watchdog that rarely bites.

Enforcement reversals: when the watchdog does bite, it bites itself

On the rare occasions the ICO has attempted bold enforcement, the draft argues that the results have sometimes been embarrassing. High-profile enforcement actions have been overturned by tribunals, exposing weaknesses in judgment and legal strategy.

Clearview AI

In 2022, the ICO fined Clearview AI £7.5 million and ordered deletion of UK residents’ images. In 2023, the First-tier Tribunal overturned the enforcement, finding the ICO lacked jurisdiction on the facts before it.

Experian

The ICO issued an enforcement notice in 2020 concerning Experian’s processing of personal data for marketing. In 2023, the tribunal largely ruled in Experian’s favour and quashed most of the ICO’s demands.

Scottish Borders Council

A decade earlier, a tribunal overturned a £250,000 ICO fine after sensitive pension records were found in a public recycling bin, finding that the monetary penalty should not have been imposed.

These cases are different, but the article argues they share a common theme: the ICO’s enforcement appears either too rare, or when pursued, too vulnerable to legal challenge.

Deterrence point: each tribunal defeat risks weakening deterrence by suggesting that ICO enforcement may not withstand scrutiny when challenged.

Inaction with real-world consequences

Statistics and court cases tell only one side of the ICO’s decline. Behind every complaint or breach lies a human story, often involving significant harm.

The draft refers to a previous Legal Lens report concerning a woman who was raped, where CCTV evidence was allegedly held by the police and a car park owner but not turned over to the victim. When she exercised her data rights through a subject access request, her request was rejected. She then turned to the ICO.

According to the draft, the ICO failed to issue an enforcement order or sanction, leaving the victim without effective regulatory recourse.

Human-impact issue: where subject access rights intersect with serious crime, safeguarding or whistleblowing, regulatory inaction can have consequences far beyond ordinary data administration.

The broader concern is that every ignored or unresolved subject access complaint tells organisations that risk is low. In that environment, wrongdoers may learn that refusing access, deleting evidence or mishandling personal data carries little consequence.

Structural dysfunction and superficial fixes

Faced with mounting criticism, ICO leadership has pointed to budget constraints, increasing caseloads, and the need to prioritise education over punishment. Critics argue that this philosophy has backfired.

The draft describes the ICO as an institution whose culture now prioritises conciliation over confrontation, even where strong enforcement is needed. It also refers to reports of stretched staff, high turnover and a mandate too broad for the current structure.

The government’s Data (Use and Access) Bill proposes to abolish the ICO and replace it with a new Information Commission, structured more like a conventional regulator with a board and chief executive.

What the bill may change

  • The Information Commissioner role would be replaced by a new Information Commission structure.
  • The new body would be organised more like other regulators.
  • The stated aim is to modernise governance and equip the regulator with updated powers.

What critics say remains unresolved

  • Renaming the ICO may not fix weak enforcement culture.
  • Government control over appointments may weaken perceived independence.
  • Individual rights may be diluted if subject access and automated decision rules are loosened.

The article’s position is that governance changes alone will not rebuild trust unless they are matched by independence, adequate funding and a clear enforcement mandate.

A watchdog beyond repair — time to replace it

The trajectory of the ICO in recent years leads to an uncomfortable conclusion. On this analysis, the watchdog is not merely underperforming; it has lost its bite.

A regulator that resolves barely one in ten complaints on time, enforces in a vanishing fraction of cases, and sometimes loses when it does enforce, cannot be said to be effective in the way the public needs.

The article argues that incremental reform will not suffice. The ICO should be dismantled and rebuilt from the ground up with a renewed focus on enforcement and accountability.

Real independence

The new regulator should be insulated from political influence and professional capture.

Enforcement culture

Its mandate should make clear that rights are not protected by advice alone where unlawful conduct persists.

Adequate resources

Complaint handling and enforcement should be funded to match the scale of modern data harms.

Public-facing outcomes

The regulator should be measured by whether complainants obtain timely and meaningful protection.

Britain needs a data watchdog that commands respect from the public and fear from would-be data abusers. That will not happen if reform stops at renaming the ICO.

Parliament should resist half-measures. The Information Commissioner’s Office, as currently constituted, is broken. To protect citizens in the digital age, it must be replaced by a regulator equipped — and determined — to uphold the law.

Legal disclaimer

This is an opinion piece reflecting the author’s own views, based on publicly available information and cases. It is provided for general information and public-interest commentary only and does not constitute legal advice.

2 thoughts on “ICO’s Collapse Shows It’s No Longer Fit for Purpose”

  1. One fantastically bad decision was made a few years ago when the government managed to put down an amendment that would have extended the time limit for prosecuting s77 Freedom of Information Act offences. Given that the current time limit runs from when the offence is committed and is rather shorter than the time it takes the ICO to allocate a case to a case officer, never mind investigate a potential breach, deliberately concealing and/or blocking the release of information to which the requestor is entitled has, therefore, effectively been decriminalised through the introduction of administrative delay.

  2. What the ICO are failing to understand is it is their own failures to enforce that are leading to its increasing workload. Organizations know that they can refuse legitimate data requests and blatantly abuse personal data.

    With so much demand for personal data under this guise or that and false promises of protection there are more and more breaches.

    I used to be pro identification cards to keep us safe. Now I understand that the UK cannot be trusted with ID cards like other countries. They will be used to commit crimes like fraud, identity theft and, more worrying, help controlling and coercive type behavior to track individuals. People have already died from failures to protect individuals’ data from customer service staff and they see this as isolated incidents rather than data protection is a tool of protecting victims before they become victims. It is not an administrative exercise.

    The courts are also an issue. I understand the argument above that the ICO lost a case due to ‘legitimate interest’ but if the law is vague how can the ICO uphold spam / marketing which is done to defraud .. this then gets pushed to the police after the event. In reality it would depend on the judge and the barristers .. the legal system is failing in the country also. Lord help us if criminal cases are taken away from the public, judges are not what they used to be either.

    This country is no longer safe after years of failures. It is making of laws that are neither enforced nor enforceable against wealth, all that has increased crime … put too much pressure on the police, the Justice system and victims.

    The ICO’s failures and in reality the failures of all so-called regulators that have caused their own problems .. and it is victims that are paying the price whilst they create reasons to be paid for not doing very much.

    The people of this country deserve a lot better than the people who are purportedly doing jobs that are in effect doing the job of an automated mail-shot. There is little or no indication anyone reads any of the complaints let alone evaluate them.
