Regulatory Matters
Whistleblowing and Public Interest

The ICO’s AI Hypocrisy: A Toothless Watchdog Playing with Algorithms

Written by John Barwell

Regulatory governance · ICO · internal AI policy

The Information Commissioner’s Office has unveiled its Internal AI Use Policy — a 30-page internal guide on how Britain’s data watchdog intends to “responsibly” embrace artificial intelligence. The policy speaks the language of transparency, fairness, governance and accountability. The question is whether the regulator has earned the authority to lead by example.

  • Source referred to: ICO Internal AI Use Policy, August 2025
  • Format: independent regulatory commentary
  • Focus: AI governance, enforcement credibility and public trust

Publication snapshot

  • The article critiques the ICO’s Internal AI Use Policy as an example of governance language without sufficient public accountability.
  • It contrasts the policy’s stated ambitions on AI ethics with wider criticism of the ICO’s regulatory performance.
  • The commentary argues that self-certification is not the same as enforceable accountability.
Publication caution: this is critical opinion about a public regulator. Factual claims about delay, enforcement decline, complaint outcomes, privilege, FOI redaction and regulatory performance should be supported by source links or softened as commentary before publication.
Contents

The watchdog that couldn’t bite, now wants to code

In his foreword, Chief Executive Paul Arnold declares himself “an enthusiastic daily user” of AI tools, praising their “astonishing pace” and “positive impact”.

It is a remarkable statement from the head of an organisation better known, in the eyes of many complainants and observers, for delay than for innovation. For years, the ICO has been criticised for slow response times, reluctance to tackle systemic data breaches, and limited action in the face of alleged government misuse of personal data.

Now it wants to pioneer responsible AI.

Editorial distinction: the policy may be well-intentioned. The public-interest question is whether a regulator criticised for weak enforcement can credibly present itself as a model of AI governance without first addressing its own accountability deficits.

Governance by template: bureaucracy as a substitute for control

The policy is a bureaucrat’s paradise — packed with annexes, checklists and flowcharts. There is an “AI Screener”, an “AI Use Case Specification”, an “AI Inventory”, and no shortage of boards and committees to review them.

On paper, it looks like governance. In practice, it risks becoming an illusion of governance — a paper shield against accountability.

Visible process

The policy tells staff to mark AI-generated text, ensure human review and conduct impact assessments.

Missing enforcement detail

The harder question is how those requirements will be enforced, audited and challenged if the regulator fails to follow its own rules.

The irony is sharp: a regulator that has struggled to hold others to account now trusts itself to self-certify compliance.

Ethics for optics

The policy warns against using AI in any way that may cause “significant risk of harm to individuals, groups or the reputation of the ICO”.

That last phrase is revealing. The concern is not only public harm, but institutional image. Ethics can become performance art when safety is defined by reputational risk rather than measurable outcomes.

This is the same regulator that critics say refuses to disclose meaningful complaint outcomes, relies on legal privilege to resist scrutiny, and heavily redacts responses under the Freedom of Information Act.

Transparency problem: transparency has limited value if it is projected outward as a standard for others but not applied inward to the regulator’s own complaint handling, decision-making and accountability records.

Automation without accountability

The ICO speaks of “accountability for AI governance” as though this were something new. Yet accountability has been missing from its own operations for years, according to complainants who report months of silence and limited visibility over how their complaints are handled.

Fines against large organisations may be publicly announced, but the practical deterrent effect remains contested. Critics argue that enforcement action has declined while corporate non-compliance remains widespread.

Verification point: before publication, add current official statistics or ICO annual-report figures for enforcement activity, complaint handling, response times and regulatory outcomes. Do not publish specific performance claims without those sources.

Against that backdrop, the notion that the ICO can responsibly automate itself risks sounding less like innovation and more like institutional self-protection with new software.

Artificial intelligence, genuine hypocrisy

The ICO’s AI policy reads less like a statement of ethics than a confession of insecurity — a glossy internal memo designed to make a fading regulator look futuristic.

It references standards, government playbooks and data-ethics frameworks as if citations could replace credibility. But no number of footnotes can answer the central question: can a regulator credibly lead on future-facing technology if it cannot convincingly account for its present-day enforcement failures?

Standards are not outcomes

Citing frameworks is useful only if compliance is tested, failure is recorded, and accountability follows.

Human review is not accountability

Human review must have consequences. Otherwise it becomes a checkbox attached to automated decision-making.

Governance must be auditable

An AI inventory or screener is meaningful only if outsiders can understand how use cases are approved, monitored and challenged.

The final irony

When a regulator that has lost public confidence starts boasting about its AI strategy, the question is not only how it will regulate the technology. It is how the technology will regulate the institution.

The ICO has spent years being accused of barking at the powerless and bowing before the powerful. Now, armed with AI, it risks becoming something even worse: a digital pantomime of oversight, run by a machine that believes its own press releases.

The AI problem is not only whether the ICO can control the tool. It is whether the ICO can be trusted to control itself.

Right of reply

Before publication, the ICO should be offered a fair opportunity to comment on the criticisms raised in this article, including complaint handling, enforcement performance, FOI transparency, legal privilege, AI governance enforcement and auditability.

Legal disclaimer

This article represents the author’s independent analysis and opinion based on publicly available information, including the Information Commissioner’s Office’s Internal AI Use Policy, August 2025. It is published in the public interest to promote transparency, accountability and informed debate on matters of regulatory governance.

No statement herein should be interpreted as alleging misconduct by any individual unless expressly stated and supported by evidence. References to organisations, officials or policies are made in the context of critical commentary and fair reporting, including principles reflected in sections 30 and 31 of the Defamation Act 2013 and Article 10 of the European Convention on Human Rights.

Legal Lens is an independent publication. It is not affiliated with, endorsed by, or acting on behalf of the Information Commissioner’s Office or any public authority. Readers are encouraged to verify cited sources and form their own conclusions.

Leave a Reply

Your email address will not be published. Required fields are marked *

Skip to toolbar