Privacy Lost in Paperwork

ICO’s Collapse Shows It’s No Longer Fit for Purpose

The UK’s data protection watchdog – the Information Commissioner’s Office (ICO) – was once seen as a champion of information rights. Today, its alarming decline in performance and credibility has critics calling for it to be dismantled and replaced. From a collapse in handling public complaints, to courtrooms overturning its few enforcement actions, to egregious failures to protect victims of serious crimes, the evidence paints a picture of a regulator beyond repair. This Legal Lens opinion piece examines why the ICO is no longer fit for purpose and why only a wholesale overhaul – not superficial tweaks – will suffice.


A Year of Decline and Delay

Nothing illustrates the ICO’s dysfunction more starkly than its own performance data. The ICO’s latest scorecard reveals that in Q3 2024/25, a mere 12.3% of data protection complaints were assessed and answered within 90 days – a catastrophic drop from 88.2% in the same quarter a year earlier. In other words, nearly 9 in 10 people who turned to the ICO for help with a data issue in late 2024 were left waiting over three months for any response. This collapse marks an all-time low for the regulator, far off its target of resolving 80% of complaints in 90 days. Even complaints open over a year old have surged (279 cases, up from 66 the previous quarter), suggesting systemic backlog issues.

The ICO itself admits its performance has “declined” due to surging demand and reduced capacity. In Q3 alone it received over 10,000 new complaints, an 8% year-on-year increase. A spokesperson publicly apologised for the delays, acknowledging that current response times “are not where we want them to be” and pledging to hire more staff. Plans to automate complaint handling by March 2025 and “transform” processes have failed. In the meantime, justice delayed is justice denied – and delays are now the norm. By the ICO’s own measure, it is failing the vast majority of people who seek its help.

Worse, simply closing a complaint doesn’t mean the ICO took meaningful action. In fact, enforcement has virtually ground to a halt. Out of 36,000+ data protection complaints completed in 2024, the ICO issued only 12 reprimands – an enforcement rate of a pathetic 0.033%. For context, that’s roughly 1 enforcement out of every 3,000 complaints. The regulator’s reluctance to wield its powers has turned it into what one observer called a “paper tiger”, or perhaps more aptly, a watchdog that won’t bite. Under Information Commissioner John Edwards’ approach of “advisory first” and “proportionality”, the ICO has become increasingly toothless, erring so far on the side of caution that it rarely sinks its teeth into wrongdoing at all.


Enforcement Reversals: When the Watchdog Does Bite, It Bites Itself

On the rare occasions the ICO has attempted bold enforcement, the results have been embarrassing. High-profile cases in recent years saw the ICO’s actions overturned by the courts – exposing serious errors in the regulator’s judgment and legal strategy.

Take the case of Clearview AI, a controversial facial recognition firm. In May 2022 the ICO issued Clearview a £7.5 million fine and ordered it to delete UK residents’ photos from its massive face database, citing breaches of data law. But Clearview appealed, and in late 2023 the First-tier Tribunal overturned the ICO’s enforcement in its entirety. The tribunal found the ICO lacked jurisdiction to enforce UK GDPR against the US-based company, since Clearview’s services were provided exclusively to overseas law enforcement and thus fell outside UK law. This was a stinging rebuke: the watchdog had overreached legally, resulting in a complete reversal of a flagship penalty.

A similar story played out with Experian, one of the UK’s largest data firms. After a lengthy investigation, the ICO issued an enforcement notice in 2020 accusing Experian of unfairly processing personal data for marketing. Experian fought back in court – and won. In early 2023, the tribunal largely ruled in Experian’s favour, quashing most of the ICO’s demands. The judges criticised the ICO for misunderstandings and overreach, noting the regulator “failed to recognise” the benefits of Experian’s data processing and had “fundamentally misunderstood” aspects of the case. Once again, the ICO’s judgement was found wanting. Rather than strike a blow for data subjects’ rights, the case ended up strengthening the hand of data controllers by affirming how legitimate interests can justify large-scale personal data use.

Rewinding further, even the ICO’s early enforcement record has blots. A decade ago, the ICO issued a then-record £250,000 fine against Scottish Borders Council after sensitive pension records were dumped in a public recycling bin. But in 2013 a tribunal overturned that fine too, ruling the ICO “should not have imposed” such a penalty for the data breach. The council’s failings were real, but the tribunal found the legal threshold for the fine wasn’t met – exposing that the ICO had overstepped its authority.

These cases – Clearview, Experian, Scottish Borders – are all very different, yet they underscore a common theme: the ICO’s enforcement is faltering when tested. Either the regulator is so gun-shy it almost never takes action, or when it does act, it bungles the job, resulting in reversals that let offenders off the hook. Each tribunal defeat not only erodes the ICO’s deterrent power but also emboldens other organisations to challenge or ignore the regulator. It sends a message that the ICO’s decisions won’t stick. A watchdog that can be so easily defanged in court offers little threat to would-be data law violators.


Inaction with Real-World Consequences

Statistics and court cases tell one side of the ICO’s decline. But behind every complaint or breach lies a human story – often one of profound harm made worse by the ICO’s inaction. Perhaps the most chilling example is an incident described in a previous Legal Lens report: a woman who was raped, and whose attack was captured on CCTV. Both the police and a car park owner held video evidence of her being dragged into a car by the attacker. Yet, disturbingly, this crucial footage was never turned over to the victim. When she exercised her data rights by filing a Subject Access Request (SAR) to obtain the CCTV of her own assault, her request was rejected. She then turned to the ICO – the very body tasked with enforcing individuals’ right to access their personal data. The ICO was presented with this blatant violation of the law and a plea for help in a situation with life-altering stakes. And it did nothing. The ICO failed to issue any enforcement order or sanction, effectively allowing authorities to suppress evidence of a rape and leaving the victim with no recourse. Justice was not just delayed; it was flat-out denied.

This is not an isolated anecdote. Every unresolved complaint of a data breach, every ignored subject access request, represents a person potentially denied their rights – sometimes in situations of serious wrongdoing or abuse. Whistleblowers have reported employer data deletions, victims of hacking have sought help, employees have faced blacklisting – and too often, the ICO’s response is a form letter or deafening silence. In that silence, wrongdoers find impunity. As I argued back in January, “the ICO isn’t just failing to protect the public; it’s actively enabling wrongdoing by refusing to act.” When organisations learn that Britain’s data regulator will likely do nothing even when faced with egregious violations, it creates a perverse incentive: break the law, ignore individuals’ rights, and chances are you’ll get away with it.

The ICO’s inaction has thus become an enabler of harm. Companies and public bodies that want to skirt data protection rules know the risk of punishment is minimal. Personal data can be misused, lost or denied to its rightful owners, and the regulator will likely just “advise” or close the case quietly. This is more than a bureaucratic failing – it is a moral failing. Lives are being affected. As each month passes without improvement, trust in the ICO erodes further. How can the public have confidence in digital privacy and information rights if the very watchdog meant to guard those rights is asleep at the wheel?

The upshot is a dangerous climate of accountability deficit. The ICO’s softness (whether through slow processes or no enforcement) creates a safe haven for data abuse. This was precisely the warning sounded in January’s “ICO: Enabling Crime Through Inaction” piece – that by refusing to act, the ICO was effectively facilitating crime. Now, halfway through 2025, that grim assessment looks more valid than ever. The public is left asking: if the ICO won’t step up to defend our rights and enforce the law, who will?


Structural Dysfunction and Superficial Fixes

Faced with mounting criticism, ICO leadership has offered a litany of excuses – budget constraints, increasing caseloads, the need to focus on “education” over punishment – along with assurances that change is coming. Commissioner John Edwards (appointed in 2022) has repeatedly emphasised “proportionality” and prefers to advise rather than fine, especially for public bodies. But critics argue that this philosophy has backfired spectacularly, sending precisely the wrong signal to those who would play fast and loose with people’s data. The ICO’s culture now prioritises conciliation over confrontation, even when confrontation (through strong enforcement) is what the law and the public interest demand. Internally, there are reports of an overstretched staff, high turnover, and an institution that simply cannot cope with its broad mandate – from data breaches and privacy complaints to freedom of information and nuisance calls. In short, the ICO’s problems are structural, not just a run of bad luck.

Westminster appears to have recognised that the ICO in its current form isn’t working – but the proposed cure has prompted further debate. The government is pushing forward the Data (Use and Access) Bill, which contains a slate of reforms to the data regulatory regime. Notably, this bill would overhaul the ICO itself. Under the legislation, the ICO (and the singular role of Information Commissioner) would be abolished and replaced by a new body called the Information Commission (IC), structured more like a traditional regulator with a multi-member board and a chief executive. It’s essentially a governance makeover: the aim is to modernise the regulator’s structure (bringing it in line with bodies like Ofcom or the Financial Conduct Authority) and equip it with some new investigatory and enforcement powers.

On paper, this sounds like a dramatic shake-up – effectively “replacing” the ICO – which aligns with the idea that the current office is not fit for purpose. However, experts and campaigners are warning that these changes may amount to superficial fixes rather than a true solution. Digital rights groups point out that simply renaming the ICO and adding a board won’t magically fix its enforcement malaise or rebuild trust. In fact, some provisions of the Data Bill raise concern that the new “Information Commission” could be less independent, not more. Under the proposals, the government would retain full control over appointing the new Commission’s members and setting their pay. That gives ministers significant influence over the supposedly impartial watchdog. Open Rights Group and others argue this could undermine independent oversight and entrench political influence on data regulation. Notably, there’s no plan for Parliament to approve appointments or for citizens to more easily challenge the regulator’s decisions in court. In other words, the reforms may shuffle the organisational chart but fail to address the ICO’s core accountability and performance issues.

Beyond governance tweaks, the Data (Use and Access) Bill also tinkers with rules around automated decision-making, data sharing, and subject access requests. The government touts it as a way to “harness data for economic growth” while cutting red tape. Yet critics see a missed opportunity to bolster individual rights and enforcement. For example, the bill would loosen requirements on responding to subject access requests and allow more exemptions, which could make it harder for people to get their data – arguably moving in the wrong direction given the ICO’s poor record on SARs. The bill’s focus on economic benefit has drawn fire for potentially prioritising business interests over privacy. All of this has led to skepticism that the reforms are more about giving the appearance of action than fundamentally empowering the regulator to protect the public.


A Watchdog Beyond Repair – Time to Replace It

The trajectory of the ICO in recent years leads to an uncomfortable conclusion: this watchdog isn’t merely underperforming; it has lost its bite entirely. A regulator that resolves barely one in ten complaints on time, that enforces in only a vanishing fraction of cases, and that even then often fumbles the enforcement it does attempt, cannot be said to be effective. In the arena of data rights – where tech giants, scammers, and negligent organisations hold immense power over our personal information – a weak regulator amounts to no regulator at all. The ICO’s failings are undermining public trust in data protection law and leaving citizens exposed. As one tribunal judge noted in an Experian ruling, the ICO appeared to “fundamentally misunderstand” the very matters it was regulating. Such an institution, critics argue, is simply not fit for purpose.

Is the solution to give the ICO more time and resources to reform itself? Or has the time come to rebuild from scratch? In a January commentary, I argued that “incremental reform will not suffice. The ICO must be dismantled and rebuilt from the ground up with a renewed focus on enforcement and accountability.” That call is even more urgent now. The Data (Use and Access) Bill’s planned “Information Commission” could provide a vehicle for change – but only if coupled with the right leadership and mandate. It’s not enough to reshuffle titles; the new regulator must embrace a culture of action. It needs statutory clarity that its job is to use its teeth, not just its tongue. It needs independence from political meddling, adequate funding, and a laser-focus on outcomes that matter to the public. Crucially, it may need new leadership: John Edwards’ experiment in soft-touch regulation has, by any objective measure, failed to deliver results, and confidence in his approach is irretrievably shaken. Fresh blood at the top of the new Commission – ideally someone willing to be a tough enforcer – could signal a clean break from the ICO’s era of inaction.

Britain desperately needs a data watchdog that commands respect and fear in equal measure – respect from the public that their rights will be upheld, and fear from would-be data abusers that they will face real consequences. That will not happen under the ICO’s current trajectory. As it stands, the ICO has become a byword for ineffectual oversight, to the point that scrapping it and starting over is not a radical idea but a reasonable one. Parliament should resist the temptation to settle for half-measures. The Information Commissioner’s Office, as currently constituted, is broken. To protect citizens in the digital age, it’s time to replace it with a regulator that is truly equipped – and determined – to uphold the law.


Disclaimer: This is an opinion piece reflecting the author’s own views, based on publicly available information and cases.
