The ICO describes itself as the UK’s “independent authority” for upholding information rights. Yet, when faced with clear evidence of obstruction and bad faith by Balliol Property Services (BPS) and Burnetts Solicitors LLP, the ICO has chosen inaction. Their recent response to my complaint demonstrates a troubling abdication of responsibility, raising serious questions about whether the regulator is fit for purpose.
This article exposes the ICO’s failures, drawing on the history of my dispute with BPS and Burnetts to illustrate how the regulator’s inaction undermines GDPR and the rights of data subjects.
The Context: A Prolonged Legal Battle
My experience with BPS and Burnetts began as a lease dispute involving my business, Flashback Toys Ltd. Issues ranged from rent arrears to unreturned deposits, but it quickly became clear that BPS and Burnetts were employing procedural tactics to obstruct resolution.
By April 2024, their conduct escalated when they began weaponising GDPR against me. My Subject Access Request (SAR) to BPS was redirected to Burnetts without my consent, and both entities demanded unnecessary ID verification despite having verified my identity multiple times in prior correspondence.
This stalling tactic not only delayed my access to critical data but also obstructed my ability to pursue legal action. Despite my repeated efforts to engage, BPS and Burnetts continued to evade compliance.
ICO Inaction: Excuses, Not Enforcement
After months of frustration, I sought intervention from the ICO, believing they would hold BPS and Burnetts accountable. Instead, the ICO’s response compounded the problem.
On 13 December 2024, the ICO informed me that they had finally secured an agreement from BPS to provide my SAR response without further ID verification. While this resolution is welcome, it comes far too late, only after the ICO allowed endless procedural delays to fester.
Even more troubling were the ICO’s justifications for refusing to issue a compliance order under GDPR Article 58(2):
- Separation of Data Controllers: The ICO argued that each organisation is an independent data controller and can set its own ID requirements. This ignores the reality that Burnetts acted as BPS’s legal representatives and had already verified my identity. Treating their demands as independent is not just absurd but wilfully blind to their close collaboration.
- Limited Obligations: The ICO claimed its role is limited to providing an outcome to complaints, not enforcing compliance. This misinterpretation of its duties under GDPR reduces the ICO to a passive mediator, undermining its regulatory mandate.
- Deflection to Civil Courts: By suggesting I pursue legal action for a compliance order, the ICO abdicated its responsibility. Regulators exist to prevent individuals from bearing the burden of enforcement. Deflecting cases to the courts only reinforces systemic inequities.
These excuses expose the ICO’s reluctance to wield its powers, allowing obstructive organisations like BPS and Burnetts to exploit procedural loopholes and delay justice.
A Dangerous Precedent: The ICO’s Abdication of Enforcement
The ICO’s handling of this case highlights a systemic failure in regulatory enforcement. By refusing to issue a compliance order despite clear evidence of non-compliance, the ICO sends a dangerous message:
- Obstruction Pays Off: BPS and Burnetts repeatedly used unjustified ID verification demands to delay my SAR. The ICO’s refusal to penalise this behaviour rewards bad-faith tactics, emboldening other organisations to adopt similar practices.
- Individuals Bear the Burden: The ICO’s suggestion that I pursue legal action to enforce compliance is impractical and undermines the entire purpose of GDPR enforcement. Regulators exist to protect data subjects, not to leave them at the mercy of the courts.
- Erosion of Trust: Public confidence in the ICO is eroded when it fails to act decisively. If the regulator cannot enforce GDPR in such a clear-cut case, what hope do individuals have when facing less straightforward breaches?
The ICO’s Justifications: Weak and Inconsistent
The ICO’s reliance on the separation of data controllers to excuse their inaction is not just unconvincing—it’s harmful. BPS and Burnetts worked in concert throughout this process, with Burnetts acting as BPS’s representatives in SAR-related correspondence. Treating their ID demands as independent disregards the realities of their collaboration.
Furthermore, BPS admitted to sending personal data to my verified email address—without requiring additional ID—when it suited their interests. This stark contradiction underscores the bad faith at play and undermines the ICO’s decision to accept their excuses.
The ICO’s willingness to overlook such glaring inconsistencies highlights a disturbing lack of scrutiny and enforcement.
The Cost of ICO Inaction
The ICO’s delays and deflections have had real-world consequences:
- For Individuals: For me, this case has meant months of frustration, stress, and financial harm. The withheld data is critical to pursuing legal action, and the ICO’s inaction has obstructed my ability to seek justice.
- For GDPR Enforcement: The ICO’s refusal to act weakens GDPR itself, reducing it to little more than a set of optional guidelines for data controllers.
- For Public Confidence: When regulators fail, trust erodes. The ICO’s inaction undermines public confidence in its ability to uphold data rights.
What Must Change
To regain credibility and ensure GDPR’s effectiveness, the ICO must adopt the following reforms:
- Enforcement Powers Must Be Used: The ICO must routinely issue compliance orders where evidence of non-compliance exists. Anything less emboldens bad actors and undermines data protection law.
- Stop Shifting Responsibility: Directing individuals to the courts for enforcement is not a solution. The ICO exists to hold organisations accountable and must stop deflecting its responsibilities.
- Restore Public Confidence: The ICO must demonstrate that it takes data protection seriously by acting decisively and transparently. Clear enforcement and accountability are essential to rebuilding trust.
Conclusion: A Regulator in Crisis
The ICO’s handling of this case reflects a regulator unwilling to regulate. By refusing to enforce GDPR, they have allowed BPS and Burnetts to obstruct my rights with impunity. This is more than a failure of process—it is a failure of principle.
If the ICO cannot fulfil its mandate, then its role as a regulator must be called into question. Data protection laws are only as strong as the institutions that enforce them, and right now, the ICO is failing.
It is time for the ICO to step up—or step aside. The public deserves a regulator that protects their rights, not one that enables their erosion.
John Barwell is the founder of Legal Lens, an advocacy initiative supporting Litigants in Person within the UK justice system. He writes about legal and regulatory issues, transparency, and accountability.
Disclaimer
The information provided in this article is based on personal experiences and publicly available information. It is intended for informational purposes only and does not constitute legal advice. Readers are advised to seek independent legal counsel for specific legal concerns. The views expressed are those of the author and do not represent the opinions of any organisations or entities mentioned.