Faculty of law blogs / UNIVERSITY OF OXFORD

UK Regulatory Enforcement of Data Protection: Current Concerns and Pathways to a More Effective Framework


David Erdos
David Erdos is Professor of Law and the Open Society and Co-Director of the Centre for Intellectual Property and Information Law at the University of Cambridge


Time to read

3 Minutes

The General Data Protection Regulation (GDPR) is widely acknowledged as having in theory established a very high level of personal data protection applicable to vast swathes of the socio-technological landscape.  The GDPR also seeks to entrust and empower Data Protection Authorities (DPAs) to secure 'strong enforcement' (Recital 7) of these provisions.  Indeed, Article 83 requires DPAs to administrative ‘effective, proportionate and dissuasive’ fines of up to €20 million or 4% of annual global turnover (if higher) and Recital 148 clarifies that fines should be imposed for any infringement unless minor or involving a disproportionate burden to a natural person where it is stated that a reprimand can be administered instead.  In practice, notwithstanding recent fines of €746m against Amazon and €225m against WhatsApp, regulatory enforcement has generally been limited across Europe.  Part of the reason for this has been the ongoing difficulty of administering the EU GDPR’s so-called One-Stop Shop (OSS) cooperation mechanism.

Following the implementation of Brexit on 1 January 2021, the UK continued to mirror the substance of the GDPR but the Information Commissioner’s Office (ICO) became fully and directly responsible for all UK data protection regulation without the need to coordinate this through the OSS.  Despite or, as a cynic might argue, because of the absence of this pan-European oversight data protection enforcement has been especially limited in the UK.  Indeed, during the 2021-22 period the ICO secured no enforcement notices or criminal prosecutions and issued just four GDPR fines, all of which concerned data security and which came to a grand total of just £183k (down from £633k following the ICO’s decision in November 2022 to reduce its fine against the Cabinet Office by an order of magnitude to just £50k).

In contrast to these very low enforcement numbers, the ICO indicates that it handled over 40,000 data subject complaints in 2021-22.  However, as in previous years, the overwhelming majority of these were closed without any formal action.  Moreover, despite the advent under the Data Protection Act 2018 of a new Order to Progress Complaints mechanism, avenues to challenge ICO inaction which are open even to respected civil society groups are extremely limited.  This is principally because the mechanism’s policing of the duty placed on ICO to take ‘appropriate steps in response’ to a complaint (DPA 2018, s. 165(5)) has been interpreted, including by the Upper Tribunal in Killock and Veale, EW and Coghlan (2021), to be of a purely procedural as opposed to substantive nature (a holding further narrowed by the Administrative Court decision of R (on the application of Delo) v Information Commissioner (2022)).  Holistic scrutiny has also been lacking, with the House of Commons’ Digital Culture Media and Sport (DCMS) Committee failing to carry out a single formal review of the ICO during the (almost) half a decade since the GPDR has been in effect.  An Inquiry into the Work of the ICO did commence in April 2019 but was discontinued after a single oral session and without any output from the Committee at all.

Unfortunately, whilst there is merit in some of the changes proposed including reconstituting the ICO as a multi-member Commission, the Data Protection and Digital Information Bill (including as re-released earlier this month) could further undercut the ICO’s de jure responsibilities to act as an independent and comprehensive upholder and champion of core data protection rights.  In the first place, the Bill ignores binding case law establishing that the ICO’s ‘primary responsibility’ (at [108]) is to monitor and enforce the law and would establish the promotion of ‘public trust and confidence in the processing of personal data’ as an independent and coequal ICO objective alongside ‘secur[ing] an appropriate level of data protection’ (s. 27).  It would also empower the Secretary of State to issue a potentially skewed and very partial list of strategic priorities which the ICO would then need to have regard including in relation to enforcement (s. 28).  Finally, it would grant the ICO broad discretion to refuse to act on complaints unless the controller has been given 45 days to respond, notwithstanding that there are clearly scenarios where this would be unreasonable or impracticable for the data subject.

As well as comprehensively analysing the UK experience under the GDPR including post-Brexit, my working paper proposes an alternative way forward which could be incorporated into the Bill through the moving of amendments especially in the House of Lords. First, the Order to Progress Complaints mechanism should be amended so that it clearly requires the Tribunal to police the appropriateness of the ICO’s substantive as well as procedural actions and inactions.  Civil society groups should also be permitted to lodge representative complaints even without the mandate of data subjects in order to encourage well-argued, strategically important cases.  Second, and at least as importantly, a duty should be placed on the Equality and Human Rights Commission to carry out periodic holistic scrutiny of the ICO’s enforcement track-record from a human rights perspective, within which data protection rights ultimately sit. The House of Commons’ DCMS Committee should also be reminded that engaging in comprehensive scrutiny of authorities such as the ICO is a core part of its tasks.  Such complementary forms of accountability and scrutiny could incentivise more effective data protection regulation which is necessary to a building a trustworthy and safe digital environment.  These changes would also complement the liberalising substantive reforms included in the Data Protection and Digital Information (No 2) Bill and thereby go some way to closing the enormous gap between formal provisions and actual practice in this area of the law.

David Erdos is Professor of Law and the Open Society and Co-Director of the Centre for Intellectual Property and Information Law at the University of Cambridge.


With the support of