Campaigners Sound Alarm Over UK Data Protection Enforcement
Dozens of civil liberties organisations and legal professionals are demanding an urgent parliamentary inquiry into Britain's data protection watchdog, following what they describe as a dramatic collapse in enforcement activity. The move comes in the wake of the highly sensitive Afghan data breach scandal that potentially endangered lives.
A coalition of 73 signatories, including prominent groups like the Good Law Project and Statewatch alongside leading academics and senior lawyers, has written to Chi Onwurah MP, who chairs the cross-party Commons Science, Innovation and Technology Committee. They are calling for her committee to investigate the operations of the Information Commissioner's Office (ICO) and its commissioner, John Edwards.
The Afghan Breach and ICO's 'Extraordinary' Decision
The letter highlights the ICO's controversial handling of the Afghan data breach as a primary concern. This serious incident involved the leak of personal information belonging to Afghans who had worked with British forces before the Taliban takeover in August 2021. Those who discovered their names had been disclosed say it has put their lives at risk.
Despite the gravity of the situation, the ICO decided against launching a formal investigation into the Ministry of Defence. The signatories describe this as an 'extraordinary' decision, compounded by the watchdog's failure to properly record its reasoning. They argue this represents a failure to use the considerable powers granted to it by Parliament.
'Data breaches expose individuals to serious danger and are liable of disrupting government and business continuity,' the letter states. It further criticises Commissioner Edwards for showing an 'unwillingness to reconsider his approach to data protection enforcement' even when confronted with one of the most serious breaches in UK history.
A Pattern of Failing to Act on Serious Breaches
The campaigners contend that the Afghan case is not isolated. They point to a pattern where the ICO applies a lenient 'public sector approach' to major data failures. This approach has seen the regulator issue mere reprimands – written notices without legal force – or significantly reduce financial penalties for government bodies.
Other serious cases cited include data breaches affecting victims of the Windrush scandal. The letter warns that this soft-touch strategy lacks deterrence and fails to drive the adoption of robust data management practices across government and the public sector.
Alarmingly, this shift away from enforcement appears to be spreading. Statistics in the latest ICO report indicate that private sector enforcement is also becoming rarer. The campaigners suggest this creates a dangerous environment where organisations may divert resources away from compliance, knowing the regulator is unlikely to pursue them.
'The picture that emerges is one where the ICO public sector approach lacks deterrence, and fails to drive the adoption of good data management across government and public bodies,' the signatories state.
The letter concludes with a direct appeal to the parliamentary committee, asserting that 'Change appears to be unlikely unless the Science, Innovation and Technology Committee uses their oversight powers and steps in.'
In response, an ICO spokesperson said: 'We have a range of regulatory powers and tools to choose from when responding to systemic issues in a given sector or industry. We respect the important role civil society plays in scrutinising our choices and will value the opportunity to discuss our approach during our next regular engagement.'