Friday 14 July 2023

Is the UK data protection authority giving free pass to big tech giants?


Asress Adimi Gikay (PhD), Senior Lecture in AI, Disruptive Innovation and Law (Brunel University London)

Photo credit: 

In the online space, it is perhaps difficult to find a more empty promise than “we value your privacy.“ Businesses promise to preserve our data privacy rights, but in reality, they have neither the carrot, nor enough sticks, to make them respect data protection rules. This holds true even in the European Union (EU), where the most comprehensive data protection legislation—the General Data Protection Regulation (GDPR)— failed to satisfactorily deliver on its promise to protect the fundamental rights of citizens.  As businesses openly flout data privacy laws, regulators either struggle to adequately enforce the law or wilfully ignore infractions.

The UK’s data protection authority— the Information Commissioner's Office (ICO)— has succumbed the most to its ambition of promoting innovation and economic growth while simultaneously protecting data protection rights. Unfortunately, the drive to appeal to businesses has reduced data privacy rights to mere buzzwords, not just in the business world but also within the ICO itself.

As a result, the authority's enforcement record defies the primary objective of protecting the public's data privacy rights, displaying an unexplainable leniency towards corporations. I argue that this indefensible record of the ICO’s underscores the authority’s insistence on operating with failed enforcement policy.

The ICO’s enforcement track record—the numbers don’t lie

During the 2021-2022 fiscal year, the ICO reported receiving 35,558  data privacy violation complaints. The complaints were diverse including companies refusing to delete individuals’ personal data or processing their data without consent. Sometimes, organizations infringed the individual’s right to access their own personal data, contrary to what the data protection legislation requires.

Similarly, in the 2022-2023 financial year, a total of 27,130  complaints were filed with the ICO, excluding data from the most recent financial quarter, yet to be reported by the authority. Out of the 62,688 complaints filed over a span of two years, the authority levied only 59 monetary penalties. This means that only approximately 0.094% of the complaints led to real consequences— organizations being sanctioned for breaching data protection rules.

The ICO closed most of the complaints alleging insufficient information to proceed with the complaints or lack of evidence of infraction. It resolved numerous cases through discussions with infringing companies. In such cases, the authority recognises the presence of  infringement by the organization but does nothing concrete other than what it describes as “informal action taken.”

Due to the ICO’s practice of not disclosing comprehensive details about these cases, except for summaries that serve more statistical purposes, the public tends to perceive the authority as prioritizing business interests over safeguarding data privacy rights. Interestingly, this public perception aligns with the available evidence.

The broader context

The enforcement of the GDPR has been unsatisfactory across the EU, since the implementation of what has been described as a breakthrough law, that promised to empower people in the digital world, through giving them more control on their personal data. Even when applying a more forgiving standard, the ICO's enforcement record remains unsatisfactory. Between 2018 and 2022, it levied around 50 monetary penalties, while German and the Italian authorities imposed 606 and 228 penalties between 2018 and 2021.

The ICO is generally passive compared to its European counterparts. In a notable case, the French authority, Commission Nationale de l’Informatique et des Liberté  (CNIL) fined Meta and Google €60 million and €150 million respectively in 2021 for their illegal use of cookies. Despite engaging in similar unlawful data collection practices in the UK, the companies made changes to their cookie-based data collection practices in the UK only while complying with the French ruling. They faced no threat of sanction in the UK.

The ICO's consistently poor enforcement record clearly undermines public confidence in the authority. In its 2022 annual report, the authority itself acknowledged getting the lowest score in complaint resolution in a 2021 customer survey it backed. An independent review—Trustpilot— rates the authority at 1.1 out of 5. This is based on self-initiated reviews conducted by members of the public, some claiming that the ICO prioritizes business interests rather than protecting privacy rights.

Unfit enforcement policy— corporate free pass

The lack of adequate data protection law enforcement in the EU has been explained by resource constraints.  For example, a report by the Dutch ombudsman highlighted that the relevant authority in the country had 9,800 unresolved privacy complaints at the end of 2020. And according to the Irish Council for Civil Liberties, “almost all (98%) major GDPR cases referred to Ireland remain unresolved”— in part due to lack of budget and sufficient specialist staff.

However, the ICO is considered to be a relatively resourced authority. It also has the ability to impose substantial fines that could finance its operations. So, it is unlikely that resource constraints explain its inadequate enforcement record. The ICO’s enforcement policy is largely culpable. 

The authority’s risk-based approach prioritizes a softer approach to ensuring compliance, reserving enforcement actions to violations that are likely to possess the highest risk and harm to the public. Enforcement action includes requiring an offending organization to end violations and comply with relevant rules through enforcement notice and issuing penalty. The ICO considers several factors in determining whether imposing a penalty is appropriate, including the intentional or repeated nature of the breach, the degree of harm to the public, and the number of people impacted.

In practice however, the authority exercises discretion even in cases of intentional and repeat violations impacting millions of people. For example, numerous companies illegally collect consumers’ personal data using cookies.

By tracking a user's browsing behavior, third-party cookies, known as tracking cookies, usually gather information that is enough to identify the person behind a device. Besides visits to particular web pages, they can record a person’s search queries, goods or services purchased, IP address and location.

From this, it is possible to infer a person's name, nationality, language, religion, sexual orientation, health condition, and other intimate details – most of which are considered special categories of personal data. These types of data cannot be processed without the individual's explicit consent, unless limited exceptions apply. Whilst these data could be used, for example for marketing health products, insurance companies could also use them to assess premiums, in a manner unknown and detrimental to the interest of the individual.

To its credit, the ICO has fined Easylife Ltd £1.35m which has later been reduced to £250,000 for using personal data to profile medical conditions without consent, to target individuals with health-related products. But the authority does not seem to recognise that it takes a simple switch to transition from inferring personal data from browsing behavior using cookies to profiling health conditions.

Cookies-based unconsented data collection is illegal and potentially poses a serious harm to the public, as companies could process special categories of data in a detrimental manner. Unfortunately, companies openly violate cookies-related legislations in the UK with impunity.

The ICO also shows unwarranted leniency towards tech companies repeatedly violating data protection rules. In one fiscal year (2022/2023), the ICO found evidence of Google UK’s potential infringement or infringement of the law more than 25 times,  in separate complaints. But the authority claims to have taken informal actions, essentially advising the company to do better work to comply.

Google UK's infractions include refusal or delaying to delete personal data upon request by individuals exercising their right to be forgotten. Meta Platform(formerly Facebook Inc.) received 20 compliance suggestions, after evidence of its infringement or potential infringement has been found, while Microsoft and Twitter each received the same soft compliance advices 8 times, in the same year.

In all these cases, taxpayers go through the stressful process of demonstrating that their data protection rights were violated, providing evidence of infringement by big tech companies. Yet the ICO consistently chose to be lenient to companies that obviously do not mind being told repeatedly that their data protection practices are non-compliant. The authority has essentially transformed itself into a legal advisory office for tech companies, neglecting its role as an overseer.

Data protection law inherently creates hurdles for individuals seeking compensation for privacy rights violations. In 2021, the UK's highest court ruled that without evidence of material damage or distress, mere loss of control over personal data is not compensable under the GDPR. This effectively forces individuals to wait for a recognized harm to occur due to violation of their data privacy rather than preventing it. The ICO, which should deter privacy violation, is unfortunately impotent as well.

The need for policy change

The ICO's enforcement policy heavily relies on collaboration with regulated entities rather than utilizing effective sanctions to deter repeat violations. This approach aims to support the digital economy by avoiding excessive enforcement of data protection rights and fostering data innovation. In theory, it should attract businesses to the UK, create jobs, and stimulate economic growth. However, the policy is currently being misapplied to serve the interest of big tech companies.

The companies repeatedly violating data protection laws do not necessarily contribute to digital innovation exclusively in the UK, while most of them are not strategically positioned to provide job opportunities in the country. But the UK remains their crucial consumer market. As such, sanctioning them is unlikely to change their business decisions and behaviour.  In the event of firm and measured enforcement actions, these companies will be left with no choice but to adhere to the rule of law, considering the market they operate in is one they cannot afford to lose.

The ICO’s failure to effectively enforce data privacy laws risks eroding public trust. It could also discourage data innovation, as the public might refuse to provide data for research and innovation, which could in turn negatively affect the digital economy. 


  1. The ICO, like its predecessor the Data Protection Registrar, was designed from the start to be a captured regulator. I and others have written about this again and again over the decades, both with my academic hat on and in the context of my NGO work. To give just one example, the ICO is both the enforcer of privacy law, and the adviser on privacy to the public sector. So if you point out a privacy failure in a system run by (say) the Department of Education, the ICO is in a bind: one of their guys approved that system back when it was being specified, and if they now tell the Department to change it, they might be asked to foot the bill.

    There is much, much more. Look at my Security Engineering textbook and the policy papers on my research website.

  2. This confirms what I found in my country report on the UK for the FRA Thematic Study on EU dp law enforcement a decade ago. Plus ca change …