UK data regulator slammed over lack of action on complaints

The UK data regulator is being threatened with legal action after it was accused of ‘ignoring’ thousands of data protection complaints, with critics describing its new approach to complaint triage and investigation as akin to a ‘digital bin’ for the public’s concerns

The Good Law Project and Open Rights Group have threatened the UK data regulator with legal action after accusing it of “brushing aside” thousands of data protection complaints from the public, a situation they claim will be made worse by its new approach to complaint handling.

Under the UK’s General Data Protection Regulation (GDPR), the ICO has a legal duty to safeguard privacy by enforcing data protection laws and investigating complaints. But despite being “flooded” with nearly 40,000 complaints in 2025, the regulator ended up issuing only a handful of fines.

According to the GLP and ORG, this is part of a pattern: despite receiving more than 220,000 complaints over the past six years, the ICO has handed out an average of fewer than seven fines a year. They said this creates an environment where organisations can “ride roughshod” over data protection rules with almost no prospect of a sanction.

The groups said matters will only be made worse by the ICO’s new complaint handling framework, which they claim will make it harder for most complaints to be taken seriously. Under that framework, published 5 February 2026, complaints are triaged based on the ICO’s assessment of how harmful the alleged practice is, which the regulator said will help “focus our limited resources where we can make the biggest difference”.

Beyond the level of harm, the ICO will also take into consideration the impact on vulnerable individuals, the number of people “significantly” affected by the complaint, the relevance of the issue to the regulator’s strategic priorities, and the general public interest in investigating the complaint.

The framework is the result of changes to UK data protection law ushered in by the Data (Use and Access) Act (DUAA), which requires organisations to have a data protection complaints process in place by 19 June 2026.

However, the GLP and ORG said that if the watchdog decides the impacts of a complaint are of either low or moderate harm, it automatically shelves the complaint “for information purposes only”, with no investigation or challenge to the companies responsible.

They added that if there are zero consequences for the majority of data protection law breaches, then UK GDPR essentially becomes an “optional extra” that leaves members of the public in a situation where they either have to let corporations trample over their privacy rights, or take the risk of an expensive fight with them in court.

According to pre-action correspondence from the GLP and ORG – authored with the help of data protection lawyers from Mishcon de Reya – the ICO’s complaint handling framework is “inconsistent” with the UK GDPR and the high level of protection for personal data it is designed to achieve.

“As a result of the operation of the framework, it is envisaged that a significant number of complaints are triaged and logged for information purposes but never investigated,” they wrote, adding that while no actual figures were provided in the ICO’s impact assessment, it is expected that this number will be substantial.

The correspondence further outlined how there is “a material difference between the triaging of complaints and their investigation”, which means certain elements of UK GDPR cannot be satisfied under the new framework; how the framework undermines the legislation’s complaints mechanisms; and how it will ultimately preclude the ICO from taking “corrective measures” against companies, which it must generally do when there has been an infringement, save for “exceptional” cases.

In response, the regulator told GLP and ORG that its preliminary screening and sorting process legally counts as an “investigation”, and maintained that it has “exclusive discretion” over how to deploy its resources.

For Duncan McCann, Good Law Project’s tech and data lead, the ICO’s framework makes clear the regulator was “never interested in protecting our data rights”.

“The ICO has finally said the quiet part out loud,” McCann said. “Unless you’re facing serious and ongoing harm, the regulator will just chuck your complaint in a digital bin. This puts each and every one of us at risk from unscrupulous companies who are cavalier with our data.”

The GLP added that “shuffling a complaint into a digital filing cabinet is a bureaucratic box-ticking exercise, not a meaningful assessment of facts”, and committed to taking legal action if the ICO “carries on using this system as a shield to ignore valid complaints”.

Computer Weekly contacted the ICO about the potential legal action from GLP and ORG, as well as claims made about its inactivity on complaints.

“The volume of complaints we receive is at a record high. We must be strategic in how we handle them, focusing our finite resources on complaints where there is the greatest risk of harm and where our intervention can make the biggest impact,” said an ICO spokesperson.

“We ran a consultation on our proposed new approach last year, giving both organisations and the public the opportunity to provide feedback and shape the final framework. We remain committed to delivering proportionate and timely responses for every customer, while driving data protection compliance and accountability from organisations.”

The regulator was previously accused in April 2026 of dragging its feet on a decision on whether to formally investigate the Home Office’s electronic visa (eVisa) system for data protection issues, with digital rights groups highlighting the “high volume” of data quality and integrity errors linked to the scheme that have prevented people from being able to reliably prove their immigration status.

In one case exclusively reported on by Computer Weekly, the technical errors with data held by the Home Office were so severe that the regulator previously found there had been a breach of UK data protection law.

Speaking with Computer Weekly, the person affected said that ongoing technical errors with the eVisa system meant his account continued to display an expired student visa, instead of his new spouse visa, along with the wrong passport information, for almost half a year.

Figures released during a judicial review against the system – which was ultimately dismissed – show that between April and October 2025, 116,011 eVisa enquiries were submitted by members of the public to the Home Office, 81,461 (70.2%) of which related to errors that subsequently had to be addressed.