ICO challenged over GDPR complaints record

The Good Law Project and the Open Rights Group are challenging the Information Commissioner's Office (ICO) over its handling of data protection complaints. Under the UK General Data Protection Regulation (GDPR), the ICO has a legal duty to enforce data protection laws and investigate complaints. However, the rights groups argue that despite receiving nearly 40,000 complaints last year, the ICO issued only two fines. Over the last six years, the regulator received more than 220,000 complaints but issued fewer than 7 fines a year.

The groups criticise a new complaints framework introduced by the ICO in February, which categorises submissions based on the regulator's definitions of harm. Complaints deemed to represent low or moderate harm are stored for information purposes only, without investigation or any challenge to the responsible companies.

The ICO defended its screening and sorting process, arguing it legally constitutes an investigation and claiming exclusive discretion over resource deployment. In contrast, the rights organisations argue that the ICO's framework allows companies to disregard their data protection obligations without fear of facing sanctions. In effect, this forces the public to accept data subject rights violations or pursue expensive legal action. The Good Law Project has said it will monitor the ICO's handling of cases and initiate legal action if the current system persists.

Training announcement: Freevacy provides comprehensive training for new and existing practitioners on the changes introduced by the DUA Act to the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), and the Privacy and Electronic Communications Regulations 2003 (PEC-Regulations). Our courses are always up to date and provide a forum for learning and discussing how to ensure your data protection processes remain compliant. Find out more.