Surveying a Systematic Trend Away from Adequate Enforcement – UK Constitutional Law Association



The Information Commissioner’s Office (ICO) Annual Report for 2024/25, released last week, sadly provides evidence of a severe and serious weakening of information rights regulation compared to the strong enforcement which is (and remains) promised especially under the (UK) General Data Protection Regulation (GDPR). Even last year’s Report generally revealed formal enforcement (fines, criminal prosecutions and criminal cautions) in the single digits only; the current Report now omits any reference to UK GDPR enforcement notices (as there were none at all during 2024/25) and states that there were just 2 UK GDPR fines during the year (which compares to >200 in both Germany and Spain) and that even the number of outcomes resulting in reprimands fell from 31 to just 9 (a 70% reduction). Coming on top of concerns over the lack of enforcement action in response to many egregious data breaches, including one which put up to 100,000 Afghans at risk of grave harm and possibly even caused death, the Report also reveals that the number of reported data breaches which even resulted in a GDPR investigation (let alone enforcement action) dropped from a mere 6% to just 3%. At the same time, the number of data protection complaints which received no response within the expected 90-day timeframe sky-rocketed from just 15.2% in 2023/24 to 70% in 2024/25 (a 360% increase). As the review of the UK’s EU data adequacy status commences later this year, questions must be asked about these worrying trends and what (if anything) can be done to address them.

Recital 148 of the (UK and EU) GDPR explicitly states that “in addition to, or instead of appropriate measures” “fines should be imposed for any infringement” by an organisation unless “minor” when a reprimand may be issued instead. This provides authoritative interpretation of the ICO’s Article 83 duty as the UK’s data protection authority to “ensure the imposition of administrative fines” that is “effective, proportionate and dissuasive” (up to £17.5m or, if higher, 4% of annual global turnover in the most serious individual case). More generally, it underscores the GDPR’s solemn promise of “strong enforcement” (Recital 7). Binding European Court of Justice case law has affirmed that a data protection authority’s “primary responsibility is to monitor the application of the GDPR and to ensure its enforcement”, that it must handle complaints received from data subjects “with all due diligence” and that, using its formidable investigatory and corrective powers, it must “execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence” (C-311/18 Schrems at [108]-[109]).

In countries such as Germany and Spain, this strong duty to enforce is at least partially reflected in the many hundreds of fines and other formal regulatory actions that their data protection authorities undertake – often taken in response to data subject complaints – each year. In contrast, this strong duty to enforce and to respond to complaints has generally not been reflected in ICO practice and, even more concerningly, its accelerating stance points strongly away from rather than towards any expectation of regular and concrete regulatory action. Thus, the ICO’s Annual Report for 2024-25 reveals that there were only 43 UK GDPR investigations in this year compared to 285 in 2023-24 (in other words, less than ⅕ of the previous year’s total), that not a single UK GDPR enforcement notice (the main “appropriate measure” in the UK regime) was issued at all and that even the number of reprimand outcomes (which have no direct legal effect) declined from 31 to just 9 (less than ⅓ of the previous year’s total). Meanwhile, just 2 UK GDPR fines were issued totalling £3.8M (compared to 3 fines totalling £13M in 2023/24). Criminal enforcement also decreased by 20% in the case of prosecutions (down from 5 to 4) and by 57% as regards cautions (down from 7 to 3). Similar trends were apparent in the area of e-Privacy with fines (and related notices) here down to just 9 and £890K compared to 26 and £2.59M in 2023/24 which again represents an approximate 65% decrease.

Turning specifically to data breaches, the Report revealed that the percentage of breach reports which even prompted an investigation (let alone enforcement action) halved from just 6% to a mere 3%. Therefore, although the ICO has produced good publicity and guidance focusing on the severe ripple effects which unlawful data breaches can cause individuals, this campaign is unfortunately undermined by the general refusal of the ICO to use the formidable fining and other regulatory powers it has at its disposal to properly incentivise compliance. A particularly serious example of this came a day after the Report’s publication when, as a result of the lifting of a superinjunction, it was revealed that a 2022 incident “in clear breach of strict data protection protocols” had resulted in 33,000 lines of personal data associated with almost 19,000 Afghan applicants for relocation following the Taliban takeover being revealed, had put up to 100,000 individuals (the applicants and their family members, some of whom were also named) at risk of grave harm and may even have resulted in some deaths. Despite the Information Commissioner having stated as recently as December 2023 (in response to a similar data breach in 2021) that it was “necessary” “to apply the full sanctions of the law” where UK GDPR breaches “are so egregious that they put people’s lives at risk”, the ICO made clear that it had no current plans to issue a fine, enforcement notice or public reprimand, or to take any other formal regulatory action in response to this (a stance which the Information Commissioner John Edwards subsequently sought to justify in this blog).

Over the same period, the ICO has clearly deprioritised the handling of data protection complaints, with the percentage of individuals receiving no response within the three months expected (see UK GDPR, art. 78(2)) ballooning from approximately 15% in 2023-24 to a massive 70% in 2024-25 (a 360% increase). The number of complaints which remained open also increased by over 70%, from 9,168 to 15,810. Contrary to what is stated in the Report, this can hardly be explained by “a rising increase in cases”, as the complaints received only increased by 6.5%, a figure which is clearly dwarfed by both these other numbers.

Especially post-Brexit, it may be argued that UK regulation as a whole is beset by a serious enforcement gap and that the ICO’s track record merely reflects this. Even if true, this would in no way demonstrate that such an outcome is acceptable either in the abstract or given the UK GDPR’s very specific expectations. In any case, the ICO’s extremely low (often single digit) enforcement figures and their strong downward trajectory appear to be aberrant when compared to other examples of whole economy and society regulation. To take one comparator, the Food Standards Agency reported that in the area of food hygiene alone 5,898 formal enforcement actions took place in 2023-24 and that this represented a 7.3% increase on the figure of 5,367 from 2022-23 (the annual numbers for 2024-25 have not been released yet).

On 19 December 2023, Baroness Young of Old Scone, the former head of the UK’s Environment Agency, correctly observed during the House of Lords’ Second Reading of the ill-fated Data Protection and Digital Information Bill that:

The ICO’s enforcement and prosecution record has not been sparkling, with low levels of enforcement notices, prosecutions and fines. If, when I was at the Environment Agency, I had had as low a level of those as the Information Commissioner has had, I would think I had gone to sleep somewhere along the line. 

Unfortunately, rather than heeding this and other similar perspectives, the ICO has doubled down on its hyper-selective and hyper-discretionary approach, which has inexorably led to the extremely troubling picture of little formal regulation of data protection and also ePrivacy that the 2024-25 Annual Report’s facts lay bare. Although monies are never sufficient, especially in an area as large as data protection, the ICO’s relative performance cannot be explained by a lack of resourcing, as it is likely the single best resourced data protection (and freedom of information) authority in the world with approximately 1,000 members of staff. Rather, it has been primarily driven by a deeply rooted ICO internal culture which has been fuelled by a lack of effective accountability mechanisms for data subjects and by an Information Commissioner who has publicly set his face against full use of the UK GDPR’s powers by, for example, peremptorily degrading fines in the public sector in June 2022 and, without clear evidence, stating in November 2024 that neither high value nor high volume fines against companies were the best way to achieve impact. It has also not been helped by the Government pressuring regulators to “go further to prioritise growth and facilitate growth” despite, in the ICO’s case, abundant evidence of a need for it to do far more to prioritise its core responsibility, which is to robustly protect people’s personal data.

As is well known, the UK’s adequacy status, which permits the free flow of personal data under both the GDPR and the Law Enforcement Directive, will lapse at the end of the year unless renewed. Basing itself on Court of Justice case law, the European Data Protection Board has rightly made clear that this standard of essential equivalence requires the provision of “supervision mechanisms allowing for independent investigation of complaints and enabling any infringements of the right to data protection and respect for private life to be identified and punished in practice”. Whilst also taking into account the positive guidance and publicity which has been forthcoming from the UK ICO over recent years, it is imperative that the UK Parliament, European Commission, European Data Protection Board, European Data Protection Supervisor and European Parliament all ask some tough questions about the practical reality of regulatory enforcement in the UK during the upcoming review, including what can be done to reverse some very worrying trends.

David Erdos is Professor of Law and the Open Society and Co-Director of the Centre for Intellectual Property and Information Law in the Faculty of Law and WYNG Fellow at Trinity Hall, University of Cambridge.

He is also an associate member of Matrix Chambers.

(Suggested citation: D. Erdos, ‘The UK Information Commissioner’s Annual Report 2024/25: Surveying a Systematic Trend Away from Adequate Enforcement’, U.K. Const. L. Blog (22nd July 2025) (available at https://ukconstitutionallaw.org/))
