惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Microsoft Security Blog
Microsoft Security Blog
B
Blog RSS Feed
云风的 BLOG
云风的 BLOG
G
Google Developers Blog
Recent Announcements
Recent Announcements
A
About on SuperTechFans
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Google Online Security Blog
Google Online Security Blog
Google DeepMind News
Google DeepMind News
S
Schneier on Security
S
Secure Thoughts
T
The Exploit Database - CXSecurity.com
Martin Fowler
Martin Fowler
P
Proofpoint News Feed
Security Latest
Security Latest
Jina AI
Jina AI
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Recorded Future
Recorded Future
T
Tor Project blog
有赞技术团队
有赞技术团队
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
News | PayPal Newsroom
博客园 - 三生石上(FineUI控件)
MyScale Blog
MyScale Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Last Week in AI
Last Week in AI
F
Full Disclosure
Hacker News: Ask HN
Hacker News: Ask HN
Forbes - Security
Forbes - Security
D
DataBreaches.Net
人人都是产品经理
人人都是产品经理
NISL@THU
NISL@THU
C
Cisco Blogs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Google DeepMind News
Google DeepMind News
Project Zero
Project Zero
IT之家
IT之家
T
Threatpost
Cyberwarzone
Cyberwarzone
O
OpenAI News
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
J
Java Code Geeks
P
Proofpoint News Feed
The Last Watchdog
The Last Watchdog
月光博客
月光博客
Latest news
Latest news
MongoDB | Blog
MongoDB | Blog
Apple Machine Learning Research
Apple Machine Learning Research

Open Rights Group

Wanted: Government to fix the ICO Joint Letter: Protect VPNs Open letter for an investigation into the ICO over eVisas Civil society organisations call for ICO to be investigated over eVisas The end is nigh for US data transfers How AI in asylum decision-making drives failure and cost Dear Andy, we need a complete reset on digital policy John Edwards resignation is opportunity to appoint a regulator with teeth AI in Asylum Decisions: Transparency and Accountability Failures Stop Killing the Internet: New global movement launches MPs urged to vote for a Digital Sovereignty strategy The social media policy ratchet Starmer’s social media ban fails to address root causes of online harms This refugee week, take courage! The rise of copyright trolling Growing up in an online world: ORG Consultation Response Reset the ICO The ICO isn’t doing its job – why the data watchdog needs an overhaul The ICO isn’t doing its job – why the data watchdog needs to be reset ORG response to ICO call for views on our approach to regulating online advertising Companies and civil society warn that UK is undermining open web Papers Please! MPs back mass online digital ID checkpoints MPs call for publication of secret documents that outline chronic risks from UK’s dependence on Big Tech New report: UK needs digital sovereignty strategy to address threats from reliance on big tech The case for Digital Sovereignty and the Digital Commons After the LA Court verdict, the UK must disrupt surveillance capitalism business models 13 year olds could be compelled to use unregulated age verification Children’s Wellbeing and Schools Bill: Analysis of Amendment 38b ICO must investigate Reform ‘competition’ for data protection breaches Break privacy to make privacy? Age verification isn’t the answer Home Office use of AI in asylum cases likely to be unlawful, legal opinion finds Legal Opinion: The use of Artificial Intelligence tools in asylum cases MPs give ministers powers to restrict entire Internet Board Election Results Palestine Action ruling: Human rights organisations call for Ofcom to issue guidance on content takedowns
ORG response to Consultation on the ICO’s approach to data protection complaint handling
Mariano delli Santi · 2026-05-13 · via Open Rights Group

ORG response to the ICO consultation on a new approach to complaints handling

Your views on our approach

7 To what extent to do you agree that ‘our proposed approach to complaint handling’ clearly explains how we’ll handle complaints?

Strongly disagree

If disagree / strongly disagree / not sure, please explain:

The proposal does explain, to an extent, how the ICO would handle complaints. Here, it is worth stressing that the policy outlined in this document is unlawful, as it extends the discretion of the ICO well beyond what case-law has accepted.

Your consultation document states that “In 2023, the Court of Appeal confirmed that we have broad discretion in deciding the appropriate extent of an investigation, including the form of the outcome”. The hyperlink provided refers to Delo vs. The Information Commissioner which, whereas does provide broad discretion to the ICO, also reaffirms the duty to uphold rational decision-making. In the case at hand, the ICO decision to drop the complaint was found to be “rationale” on the basis that “The Commissioner’s assessment that there was nothing to suggest that [the Controller] had operated a blanket approach is legitimate on its face. Mr Delo has not identified any basis for supposing, rather than speculating, that a more detailed investigation might falsify that conclusion”.

In other words, Delo affirmed that the ICO can legitimately close a complaint if there is no evidence of infringements, and that it is not the Commissioner’s duty to pursue an investigation that may, speculatively, overturn the lack of evidence provided by the complaint. The judgement does, however, say that the ICO must “reach and express a view about the likelihood” of an infringement. Further, the judgement does not say, that it would be rationale (and thus lawful) for the ICO not to investigate a complaint where evidence of infringements is provided, or where context clearly suggest that this should be the case. Likewise, the Upper Tribunal found, in Smith vs. The Information Commissioner, that the law imposes an “objective test [of] what is ‘appropriate’ by way of investigation” on the ICO.

The ICO proposed approach to complaints handling, however, does expressly foresee the closing of complaints without any substantive investigation where evidence of rights infringement or harm is provided (or, indeed, is even obvious and established). This contradicts much of what case-law mentioned above establishes, as well as the ICO primary responsibilities under the law.

8 Is there anything else you think we should include in our proposed approach to complaint handling?

Yes

If ‘Yes’, please explain:


The proposed approach to complaint handling should go back to the drawing board.

9 To what extent do you agree that the proposed framework document clearly explains how we will handle complaints.

Strongly disagree

Please explain your response:

Notwithstanding the remarks made in question 7, the proposed framework fails to provide an objective and rational framework to determine which cases would be escalated to an investigation and which would not. In particular, the proposed framework:

– Establishes thresholds which are both vaguely defined and arbitrary, such as “high level of harm”, or “significantly affecting people”, or “substantial number of people”, or “significantly improve the way the organisation uses personal information or enhance data protection rights”.

– Introduces the “ICO strategic priorities” among the criteria used to assess the investigation of a complaint. This is spurious and extra-legal, and suggest the ICO wants discretion not to remedy situations that may cause harm or affect large number of people unless it aligns with its own internal agenda.

– Includes “Is it in the public interest for us to make enquiries?” among the assessment criteria. This is rather odd, as it suggests the ICO is seeking discretion not to investigate complaints unless they relate to a matter of public interest. This would pervert the role of complaints under the GDPR: although individual may decide to use complaints strategically and to pursue matters of public interest, the primary function of a complaint is to remedy and infringement of the rights of the complainant.

Overall, the framework fails to establish clear and substantive criteria upon which the ICO decision-making can be scrutinised against.

Further, complaints are a remedy given to the individual to address infringement of their rights. Their rationale is rooted in the difficulty that individuals may have in collecting evidence and uphold their rights against situations that are technically complex, or in situation where there is an obvious imbalance of power—e.g. because the complaint involves powerful public or private entities. Against this background, the proposed framework takes very little consideration of individuals and their rights, and focuses instead on establishing criteria which are useful to the ICO themselves, or to serve the interest of the organisations against which a complaint may be filed.

10 Is there anything else you think we should include in this proposed framework document?

Yes

If ‘Yes’, please explain: :


The proposed framework should be brought back to the drawing board

11 To what extent do you agree with the ‘criteria’ we’ll consider when assessing complaints:

Strongly disagree

Please explain your response:

See answer to question 9

12 Is there anything else you think we should include in our criteria?

Yes

If ‘Yes’, please explain: :


See answer to question 10

13 To what extent do you agree with the proposed plans of what we would do with the information we collect from complaints?

Strongly disagree


If ‘Yes’, please explain:

There is obvious value in keeping track of number of complaints filed against a controller for the purpose of determining what would constitute an effective and dissuasive enforcement action against them. For instance, repeated offences or infringements of rights are useful criteria to determine the

amount of monetary penalties being issued, or to issue an enforcement notice instead of a reprimand. Counting the number of complaints is not, however, a rational criteria to assess whether the ICO should pursue an investigation or drop and “record” the complaint instead.

Notwithstanding what we explained in our answer to question 7, here it is worth stressing that this policy will lead to Controllers breaking the law and not facing the consequences of their non-compliance until the number of complaints against them hasn’t reached a certain threshold. This is dis-educative, as it favours the adoption of unlawful or substandard data management practices, which would not be challenged until such practices have entrenched into the organisation’s internal culture and developed into a “bad habit”. This would also prevent the ICO from begin effective and dissuasive in their oversight role, as their intervention would become reactive and delayed by default, rather than aiming to educate controllers and prevent infringements from occurring.

Likewise, this policy will inevitably increase the volume of complaints received by the ICO: as Controllers will develop bad habits and break the law more often, individuals’ rights will also be breached more often and the volume of complaints will likely increase.

14 Is there anything else you think we should consider when using the information we collect from complaints?

Yes

If ‘Yes’, please explain: :

As argued before, the number of complaints should not be used a criteria to determine if and to what extent substantive action is needed upon receiving a complaint. Instead, the ICO should consider the available evidence provided to them by the complaint, and determine the likelihood and potential gravity of such infringement.

Questions to assess the impact of our proposed approach

15 Do you agree with the identified list of the affected groups in Section 5.4 of the impact assessment?

Strongly disagree

16 Are there any other groups of stakeholders that you think will be affected by the proposed data protection complaints handling approach?

No

17 Do you agree with the assessment of costs and benefits outlined in the impact assessment?

Strongly disagree

Please explain your response:

The cost-assessment estimates that this policy would have an impact on “c.42,315 – c.55,000 people” who raise complaints with the ICO and “Up to 3.3 million data controllers”. This makes the whole assessment irrational, since:

– Either the ICO wants to measure the impact of their proposal against the UK as a whole, in which case the policy would have an impact on 66,940,559 people (as recorded by the latest census). Or,
– The ICO wants to assume that this policy will impact only those stakeholders who have raised a complaint in the past. In this case, the ICO should factor how many controllers where targeted by a complaint, rather than the whole amount of controllers who reside in the UK.

The decision to measure the whole population of controllers against an arbitrary fraction of UK data subjects who have exercised their right to lodge a complaint under the GDPR is, frankly, extraordinarily suspicious. Indeed, it is obvious that the “cost” of exposing 66 million individuals to repeated data protection harms and until certain arbitrary threshold have been reached would invariably outweigh whatever benefits the ICO claim this may bring to a small fraction of controllers or to themselves.

18 Are there any other costs and/or benefits that you think should be considered?

No

If yes, please provide details below and any evidence you might have to illustrate this: :

See answer to question 17

19 Do you think the proposed data protection complaints handling approach will result in any additional costs or benefits for you / your organisation? (These could be financial or non-financial)

Cost(s)

20 Please describe the types of additional costs and / or benefits you / your organisation might incur, including a rough estimate where possible.

If applicable, please describe the types of additional costs and/or benefits you/ your organisation might incur, including a rough estimate where possible.:

Additional litigation costs (judicial reviews).

21 Is there any other evidence or information on potential impacts that you would like us to consider?

No

23 Are there any terms or sections in the proposed approach you found unclear or overly technical?

Yes

If ‘Yes’, please explain::

The proposed framework as a whole is unclear, as most criteria rest on subjective assessments conducted by the ICO concerning what is “high” or “significant” or reaches a threshold that warrants regulatory oversight.

24 Would you be happy for us to contact you if we have any follow up questions based on your responses to this consultation?

Yes

If ‘Yes’ please provide your name / email address / preferred contact details.:

Mariano delli Santi, mariano@openrightsgroup.org