The ICO has positioned itself as a champion of information rights in the United Kingdom. Yet, its consistent failure to enforce data protection laws and hold organisations accountable has rendered it not just ineffective but complicit in enabling criminal activity. Under the leadership of John Edwards, the ICO’s decision to prioritise “advisory” roles over enforcement is a dereliction of duty with devastating real-world consequences.
Failing the Public, Enabling Harm
Behind every unresolved complaint or overlooked breach is a human story — and often, a story of profound harm. Take, for example, the case of a woman who was raped, with CCTV footage held by police and the car park owner that showed her being dragged into a car by her attacker. Despite the gravity of this evidence, it is alleged that the footage was suppressed. When she submitted a Subject Access Request (SAR) to obtain this footage, it was rejected. The ICO, presented with this blatant disregard for data protection law, failed to issue an enforcement order or take any meaningful action, leaving the victim without recourse and justice unserved.
Or consider firms that deliberately conceal information to avoid legal accountability. These aren’t just administrative oversights; they are calculated acts that undermine justice. By failing to enforce its own regulations, the ICO is allowing organisations to circumvent the law, shielding them from scrutiny and leaving individuals powerless.
Each inaction by the ICO sets a dangerous precedent, creating an environment where organisations know they can flout the rules without fear of consequences. The ICO’s failure to act in these cases is not just negligence; it is enabling criminal behaviour.
John Edwards’ Approach: A Catastrophic Misstep
In 2022, John Edwards presented a vision of the ICO as a regulator focused on advice rather than enforcement. “We must ensure proportionality,” he claimed, emphasising collaboration over punishment. Three years later, it is painfully clear this approach has failed.
Advisory letters and “slaps on the wrist” do little to deter organisations engaged in systematic violations of data protection laws. In prioritising “gentle guidance” over tangible enforcement, the ICO has abandoned its role as a watchdog. It has become a lapdog — one that barks but never bites. And the consequences of this failure are severe. Lives are being ruined, crimes are being facilitated, and trust in the regulator has all but evaporated.
Ruining Lives Through Inertia
The ICO’s inaction doesn’t exist in a vacuum; it directly affects lives. When organisations refuse to disclose critical data or fail to protect sensitive information, the repercussions are devastating. Victims of crime, whistleblowers, and vulnerable individuals are left stranded, unable to access the information they need to seek justice or protect themselves.
Even more troubling is the ICO’s apparent lack of urgency in addressing systemic abuses. From public sector bodies mishandling sensitive data to private companies evading accountability, the ICO’s inertia is a green light for bad actors. In many cases, it’s not just about incompetence — it’s about enabling harm.
A Regulator Beyond Repair?
“The ICO isn’t just failing to protect the public; it’s actively enabling wrongdoing by refusing to act,” I said in a recent statement. This is not hyperbole. The ICO’s failure to enforce its powers is emboldening criminals and undermining the very laws it is meant to uphold. If John Edwards genuinely believes his “advisory” approach is working, he is either dangerously naive or wilfully blind to the evidence.
But the problem goes deeper than Edwards’ leadership. The ICO as an institution is no longer fit for purpose. It has become a bureaucratic behemoth incapable of fulfilling its mandate. Incremental reform will not suffice. The ICO must be dismantled and rebuilt from the ground up with a renewed focus on enforcement and accountability. And that process should begin with John Edwards’ resignation.
A Call for Action
The ICO’s failure to act is not just a professional failing; it is a moral one. By ignoring legitimate complaints, it is enabling crimes that devastate lives and destroy trust in the justice system. It is time to stop giving the ICO the benefit of the doubt. It is time to demand better.
The ICO must become a regulator with teeth, capable of delivering justice and protecting the public. Until that happens, every moment of inaction becomes another betrayal of trust, another opportunity for harm, another life left in jeopardy. We cannot stand idly by. Lives hang in the balance.
Disclaimer: This article reflects publicly known cases and systemic issues associated with the ICO’s performance under John Edwards. The opinions expressed are based on personal observations and publicly available data.