Tech Beetle briefing GB

Civil liberties groups call for inquiry into UK data protection watchdog

Essential brief

Key facts

Civil liberties groups and experts demand an inquiry into the UK Information Commissioner’s Office due to declining enforcement actions.

The ICO faced criticism for not formally investigating the Ministry of Defence after a serious Afghan data breach that endangered individuals’ lives.

Campaigners highlight a broader pattern of weak enforcement in both public and private sectors, undermining data protection compliance.

The ICO’s current approach often results in non-binding reprimands or reduced penalties, which critics say lack deterrent effect.

The Science, Innovation and Technology Committee is urged to use its oversight powers to address these systemic enforcement failures.

Highlights

Civil liberties groups and experts demand an inquiry into the UK Information Commissioner’s Office due to declining enforcement actions.

The ICO faced criticism for not formally investigating the Ministry of Defence after a serious Afghan data breach that endangered individuals’ lives.

Campaigners highlight a broader pattern of weak enforcement in both public and private sectors, undermining data protection compliance.

The ICO’s current approach often results in non-binding reprimands or reduced penalties, which critics say lack deterrent effect.

A coalition of 73 civil liberties campaigners, legal experts, and academics have called for a formal inquiry into the UK's Information Commissioner's Office (ICO), citing a significant decline in enforcement actions following major data breaches.

The call, coordinated by the Open Rights Group and supported by organisations such as Statewatch and the Good Law Project, was addressed to Chi Onwurah, chair of the Commons science, innovation and technology committee.

The campaigners expressed concern over the ICO's decision not to formally investigate the Ministry of Defence (MoD) after a serious data breach involving Afghan nationals who had worked with British forces.

This breach exposed sensitive personal information, putting individuals at risk after the Taliban's takeover of Afghanistan in 2021.

The letter highlights that this incident is not isolated, pointing to other breaches including those related to the Windrush scandal victims.

Critics argue that the ICO’s "public sector approach"—which often results in non-binding reprimands or reduced financial penalties—lacks sufficient deterrence and fails to promote robust data management across government bodies.

Furthermore, the campaigners warn of broader structural failures within the ICO, noting that private sector enforcement is also declining as organisations deprioritise compliance, anticipating limited regulatory consequences.

The letter stresses that Parliament has empowered the ICO with strong enforcement tools, yet these powers have not been fully utilised, particularly in high-profile cases like the Afghan data breach.

The campaigners urge the Science, Innovation and Technology Committee to exercise its oversight role to address these systemic issues.

In response, an ICO spokesperson emphasized the organisation’s range of regulatory tools and expressed willingness to engage with civil society and parliamentary committees to discuss its enforcement strategies.

This controversy raises important questions about the effectiveness of data protection enforcement in the UK and the ICO’s role in safeguarding individuals’ privacy and security in both public and private sectors.