Skip to main content
  • View basket
    • Latest 13 June 2026

    We’re challenging the ICO for ignoring thousands of data complaints

    Violka08 / Getty Images

    Good Law Project exists to hold power to account.

    We bring together legal action, investigations and campaigning to fight for a fairer, greener future. We’re powered by people across the UK.

    Donate now

    The UK’s data watchdog received nearly 40,000 data protection complaints last year, but only issued two fines – so we’re holding it to account

    Good Law Project and Open Rights Group are challenging the Information Commissioner’s Office (ICO) for brushing aside thousands of public data complaints.

    Under UK GDPR, the ICO has a legal duty to safeguard our privacy by enforcing data protection laws and investigating complaints. But despite being flooded with nearly 40,000 complaints last year, the regulator only issued two fines.

    The wider picture isn’t any better. In the face of over 220,000 complaints over the last six years, the data watchdog has handed out an average of less than seven fines a year – creating a landscape where organisations can ride roughshod over data protections with almost no prospect of any sanction.

    To make matters worse, the ICO has now introduced a new complaints framework, which makes it even harder for complaints to be taken seriously.

    Under the new framework, complaints are first sorted by the ICO’s own vague definitions of harm. If the watchdog decides impacts are of either low or moderate harm, it shelves complaints away “for information purposes only”, with no investigation or challenge to the companies responsible.

    When huge swathes of data breaches carry zero consequences, UK GDPR law becomes an optional extra. This leaves the public facing a stark choice: either watch corporations trample over our privacy rights, or take on the expensive risk of fighting them in court.

    When we wrote to the ICO outlining these failings, the regulator tried to sweep them aside as well, claiming that its preliminary screening and sorting process legally counts as an “investigation”, and maintaining that it has “exclusive discretion” over how it deploys its resources.

    But shuffling a complaint into a digital filing cabinet is a bureaucratic box-ticking exercise, not a meaningful assessment of facts.

    For Duncan McCann, Good Law Project’s tech and data lead, the ICO’s framework makes clear the regulator was “never interested in protecting our data rights”.

    “The ICO has finally said the quiet part out loud,” McCann said. “Unless you’re facing serious and ongoing harm, the regulator will just chuck your complaint in a digital bin. This puts each and every one of us at risk from unscrupulous companies who are cavalier with our data.”

    Good Law Project won’t stand by while the regulator tries to rewrite its legal obligations at the expense of our privacy.

    We’ll be watching how the ICO handles these cases over the coming months and if it carries on using this system as a shield to ignore valid complaints, we’ll take legal action.

    Our data rights are not optional. It’s time the ICO started doing its job.

    Good Law Project is powered by people across the UKDonate now

    Together we can stand against hate

    Join the fight

    Donate now

    Stay up to date and be the first to hear about how to take action