The ICO isn’t doing its job – why the data watchdog needs an overhaul

The Information Commissioner’s Office (ICO) is currently missing its Commissioner, after unspecified HR complaints about John Edwards. Whatever the reasons for his absence, the Commissioner’s decision to step back from his role is an opportunity to take stock of the direction of travel of the ICO and outline why it needs a reset.

Under John Edwards’ leadership, the ICO has seen a steady erosion of independence and regulatory integrity. This has affected their ability to effectively oversee public bodies’ use of personal data.

On top of that, the ICO adopted a new, underwhelming policy to deal with data protection complaints, and signed a Memorandum of Understanding that further reduces their arm’s-length distance from government. It has also emerged that the ICO is advising the government on how to undercut the Freedom of Information Act, a pillar of government transparency and accountability.

Due to changes introduced by the Data (Use and Access) Act, the ICO is also due to be restructured into an Information Commission. Left to their own devices, however, there is little to suggest the ICO would self-heal with a change of leadership, or depart from the path they have been set upon.

This is why Open Rights Group has launched a petition calling for an overhaul of the ICO.

So how did we get here? And what do we need to do?


With GDPR coming into force, the ICO gained new powers to investigate and issue substantial fines. This led to some early and high-profile interventions, such as a record fine to British Airways, or the investigation into Facebook and Cambridge Analytica. These early, positive signals were short-lived.

Post-Brexit, the Johnson government signalled in its strategy, Data: a New Direction, that it wanted to dismantle meaningful data protection in favour of business monetisation. The ICO’s behaviour was already too close to government, as ORG noted during the pandemic.

In 2021, the department for digital published the Data: a New Direction consultation, outlining a wholesale deregulation of UK data protection law and the biggest attack to date on the British public’s right to data protection. That same year, Elizabeth Denham left the post of Information Commissioner, despite being only 5 years into her 7-year term.

Oliver Dowden, then minister for digital under Boris Johnson’s government, announced the selection of a new Information Commissioner as a first step toward reshaping the country’s approach to data protection. The move fitted a broader trend toward the politicisation of public appointments. The resulting vacancy notice stated that the Commissioner was expected to “support the government deregulatory agenda”. A cross-party group of 30 MPs and Lords called on the government “to halt the recruitment process and restart it”, after removing “recruitment criteria pertaining to matters of policy that are outside of the remit of this statutory regulator”.

Following the appointment of John Edwards, our worst fears already materialised during the debate around the UK data protection reform. The ICO muted some of its previous criticisms of the reform, and quickly became the only regulator to fully support the government’s proposals against the concerns raised by the Equality and Human Rights Commission, the National Data Guardian, the Biometrics Commissioner, the Scottish Biometrics Commissioner, and the Northern Ireland Human Rights Commission.

When the 2024 election was called, the UK data protection reform was dropped. A response to a Freedom of Information request revealed that John Edwards expressed huge disappointment about the news, but explained the ICO would be reviewing what proposals of the reform could be salvaged “where legislative changes were not strictly required”. John Edwards was quick to cheer the new Labour government when they resurrected the reform.

Soon after his appointment, John Edwards announced the new, so-called public sector approach to enforcement, under which the ICO began to rely heavily on reprimands. These are non-enforceable, written notices where the ICO points out that the law has been broken without taking any regulatory action to remedy an infringement or holding law-breakers to account. This move was presented as part of the ICO25 strategy, shifting the focus away from the monitoring and application of UK data protection law, and toward “empowering people through information” instead.

As ORG’s alternative ICO annual report 2023-24 showed, reprimands lacked effectiveness and deterrence. Indeed, the ICO’s post-implementation review of the public sector approach would later reveal that the volume of complaints raised by UK residents about public sector organisations’ use of their data has increased substantially as a result.

The weakness of this approach reached its climax with the Afghan data breach: an unprecedented incident that, reportedly, led to the death of at least 49 people in the aftermath of the Taliban’s takeover of Afghanistan. The ICO’s decision to not even open an investigation led to a Parliamentary inquiry from the DSIT Select Committee, and an open letter from 70+ data protection experts lamenting a collapse in enforcement action. Dame Chi Onwurah, the Chair of the Committee, acknowledged the “institutional failure” of the ICO.

The ICO are supposed to be a countervailing power that ensures government policies are implemented without unjustly sacrificing our right to privacy and data protection. However, independence has historically been a weak spot. ORG’s report on data protection oversight during the pandemic already found that the ICO looked more interested in acting as the government’s “critical friend” than as a regulator. Since then, the UK data protection reform further tightened the government’s grip over the ICO. Then John Edwards capitulated to the Labour government’s demands to direct regulatory activities toward removing “barriers for businesses” and submitted to a number of pledges on “promoting growth”.

In fact, the ICO have recently taken steps to make things worse. By signing a new Memorandum of Understanding with the government, the ICO are moving toward what ministers have described as a “relationship of partnership rather than opposition”. By adopting a new complaints-handling policy, the ICO are effectively saying that they will not act to investigate or remedy data protection infringements reported by the public.

Most recently, it has emerged that the ICO are advising the government on how to water down the Freedom of Information Act, and undercut the public’s ability to demand transparency. As with the data protection reform before, the ICO are providing intellectual cover for the government’s plans to curtail the regulatory framework they are tasked to enforce.

As the Commissioner’s tenure comes to an end, it is time to acknowledge that the direction the ICO has taken is, for the greater part, negative. However, it is also true that the ICO’s current faults are rooted in government interference and the lack of the arm’s-length distance they need to carry out their job as written in the law. The faults which characterised the ICO under its current leadership will survive unless the ICO are shielded from executive pressures, and made accountable to Parliament and the law, rather than government.

This is why we are launching a campaign to reset the new Information Commission. We want the ICO to:

  • Be accountable, with a clear right to appeal for individuals who are let down by inaction.
  • Put the public first with a clear responsibility to enforce the law.
  • Be independent from government and directly accountable to Parliament.
  • Put rules in place that prevent revolving doors or other undue corporate influences in the Information Commission’s functioning.
  • Let public interest organisations like ORG represent the public, giving individuals alternative avenues to pursue justice when their data protection rights are infringed.

Things don’t need to get worse before they get better: sign up to our petition or join us in our fight to protect our rights in the digital age.
