


























While this affair is appalling, it cannot become an excuse to overshadow the deeper issues surrounding the ICO and its regulatory function. The fish may be smelling from its head, but it must be reckoned that the whole institution is suffering from deep problems, especially around its timidity in enforcing data protection law, which existed in similar forms during the last Commissioner’s tenure, and long beforehand.
As pointed out by a previous letter, convened by ORG and supported by over 70 experts, the ICO is experiencing a collapse in enforcement action. Data protection is a key instrument to regulate Artificial Intelligence and promote online safety, children protection, workers’ rights, and public service delivery. More and more evidence shows that, without proper regulation and policing of data practices, harms ensue, public trust erodes, and markets fail. Technology is a layer that spreads across all areas of society, and what may look as abstract issues such as data protection can easily undercut government ambitions where it matters.
As the new government moves in, selecting a new Commissioner cannot become a convenient exit door for sweeping the ICO under the proverbial rug. A change of leadership can, however, become a first step to fix the ICO, and bring about meaningful change.
In 2022, the Ministry of Defence (MoD) leaked sensitive personal data of 18,700 Afghan nationals who had assisted UK forces, and up to 100.000 of their family members. At least “49 relatives or colleagues of affected Afghans have been killed in incidents linked to Taliban reprisals following the leak”, and a “survey of those notified found that 87% had received direct threats to their safety”. The ICO, however, their new “public sector approach” and left the MoD off the hook. First, by reducing a monetary penalty against the MoD. Then, by refusing to take any further action after the repeated nature of the Afghan data breach was revealed.
In 2025, 19 civil society organisations complained to the ICO, asking to take action against endemic data security incidents that have affected the eVisa scheme since 2020. A FOI response revealed that the ICO had already received 851 complaints against the Home Office. The ICO have taken no remedial action to this date, but they have adopted a new complaints handling policy, formalising an approach under which most complaints will be shelved away “for information purposes only”.
In 2025, HMRC carried out a data-driven crackdown on child-benefits, using travel data to suspend payments of recipients deemed to be residing abroad. As a result, 15.000 families were unjustly targeted and accused of fraud. The pilot scheme, which presented obvious red flags, was approved during a DEA Review Board meeting, in the presence of ICO staff. The ICO recently signed a Memorandum of Understanding with the government, promising to adopt a less oppositional stance toward the government.
These examples reveal how the ICO failings are closely linked to its policy choices, and have enabled malpractices to thrive within the public sector. Following the ICO new approach, complaints against public sector bodies have soared, the government were left unchallenged when opposition and accountability was needed. As Dame Chi Onwurah, Chair of the Science, Innovation and Technology (SIT) Select Committee, pointed out, “the use of technology to help grow the economy and improve public services requires the public to trust that their data is being kept secure”. The ICO failure to hold public bodies to account and drive up data protection standards has become a systemic risk that affects these bodies’ ability to carry out their tasks in a safe and effective manner.
Algorithmic management systems and Artificial Intelligence (Automated Decision-Making, or ADM) are exposing workers to heightened risks of discrimination and wage-theft, hidden under opaque algorithms. These issues are not new to the ICO: their report on the use of ADM in recruitment has concluded “that employers have more work to do to ensure that the use of automated recruitment tools respects people’s information rights”. According to their audit report, the ICO made “almost 300 recommendations to improve compliance”. However, the ICO have taken no enforcement action to remedy the infringement of workers’ rights they found in their audit.
On top of that, workers have successfully challenge discriminatory robo-firings and wage-theft with their right not to be subject to solely automated decision-making, as enshrined in the UK data protection law. When Boris Johnson’s government proposed to remove such right, the ICO lashed against it, and made the counter-proposal to expand such protections “to also cover partly automated decisions”. This critical stance, adopted under the previous Information Commissioner, was quickly shelved after John Edwards took over. The Conservatives’ proposal to gut ADM rights survived the change of government and became law with the Data (Use and Access) Act. As a result, workers in the UK lost the right not to be subject to ADM in most circumstances.
Protecting children online, tackling online harms and curbing the spread of disinformation are hot political topics. The UK government has signalled the intention to restrict children’s access to social media, a move that would expand existing requirements to age-gate internet services. At the same time, the SIT Committee’s recent report on social media harms identified data-driven recommendation systems and online advertising as major drivers of online harms. Before then, the government has been running the Online Advertising Taskforce with the aim of addressing “illegal harms and the protection of children in relation to online advertising”.
However, the ICO has been pushing for the adoption of age verification systems at all costs and, notably, at the expense of privacy. This does not only risk undermining trust in age assurance policies, but represents an overly-narrow approach to regulation that fails to address the exploitation of personal data which, from age verification, are being repurposed to target online advertising. In turn, advertising data is used to drive up engagement, exploit addictions, and target harmful content.
On top of that, seven years ago the ICO published an update adtech report acknowledging widespread unlawful practices in the sector. As their recent advice to DSIT on how to reform online advertising rules read, “many of the issues associated with RTB that we identified in 2019 still exist today”. The ability to target individuals based on personal data is what exposes problem gamblers to being targeted with ads that exploit their addiction. It allows exclusion from life-changing opportunities on the basis of someone’s gender, sexual preferences, ethnicity or other sensitive characteristics. It exposes children and those in a more vulnerable status to be targeted and taken advantage of.
Against this background, the ICO are shying away from taking regulatory action to address these issues, but they are instead proposing to lower legal protections against online tracking and profiling. Likewise, the ICO gave the green light to Meta to rely on consent or pay, against their own guidance and in stark contrast to the European Union, where Meta’s practice was deemed unlawful on the basis of equivalent data protection rules. Estimates have shown that, if consent or pay takes hold, “keeping your phone private could soon cost around € 8,815 a year”. Whereas privacy ought to be a right, lack of proper regulation of the digital economy risks turning it into a cost of living issue.
The upcoming government has signalled appetite to move beyond a laissez-fair approach to digital regulation, and toward a more direct intervention to ensure markets and the public sector deliver. The ICO have a role to play in materialising this vision, but the government will need to promote bold changes and learn from past mistakes. In particular, the previous government quickly moved in to politicise regulators’ work and appease US big business. As we have seen with the ICO, this approach is, ultimately, a recipe for failure: lacking sufficient arms length from the government, the ICO has been failing to properly supervise public bodies, allowing data malpractices to spread. Also, weak regulation around harmful advertising comes as a direct consequence of the commitments the ICO have taken with the government. The next government will need to reverse this pernicious direction of travel and restore the independence of the ICO. As proposed by Gordon Brown’s report, the government should consider transferring responsibility for the ICO to Parliament.
The meltdown of the ICO leadership underscores the need to restore integrity at the top. This goes beyond workplace behaviour: the ICO have a long track record of revolving doors, where senior staff and leadership members often end up working for the industries or companies they were meant to police. Establishing proper boundaries against corporate influence is necessary to preserve the integrity of the ICO regulatory action. As we have long advocated for, the UK could draw from the California Privacy Agency and introduce a stay-period during which senior ICO figures are prevented from accepting jobs from the organisations and sectors they regulated.
Finally, the ICO need an overhaul of its regulatory and enforcement posture. ORG and others have previously called on the SIT committee to open an inquiry to explore what these changes could be. In the meanwhile, there are some obvious, low-hanging fruits the new government can reach to. As we argue in our petition, the government needs to clarify that effective monitoring and enforcement of regulatory requirements are the main objective of the ICO, and should take precedence over other considerations. This should include a clear duty to investigate complaints, and to remedy non-compliant behaviour. Individuals should also be given a clear and functioning avenue to appeal against ICO decisions when they fall short of upholding their information rights.
The government have an opportunity ahead. By restoring effective oversight of data protection rule, they can set the stage for trustworthy public sector delivery, innovation that benefits workers, and a digital economy that works for the British public, not a bunch of US tech companies. It is now up to them to seize it.

For more than a decade, UK governments have introduced successive child safety measures, responding to public concern about the availability of content that is either unsuitable or harmful to children, or due to harmful interactions ranging from bullying.
If you live in the UK and have a Facebook or Instagram account, you have probably received a message when you’ve logged in asking you if you “Want to subscribe or continue to use our Products for free with ads?
Musk’s latest venture, image generation in Grok that until Wednesday lacked sufficient guardrails to prevent the easy production of non-consensual sexual images and even child abuse images, provoked an Ofcom investigation and further EU Commission action as well as the promise of UK emergency legislation against apps that provide such images in less than a week.
Our report, “Hostile and Broken” released today, explains why e-Visas risk creating tens or hundreds of thousands of errors, with people potentially turned down for jobs, or unable to enter the country, as the result of electronic failures of the new online, real time re-checking inherent in the UK e-Visa scheme.
Meta, the company that runs Facebook and Instagram, has announced plans to repurpose most of the personal data that they ever collected about you, to train their “artificial intelligence (AI) technologies” — without, of course, asking your permission to do so.
As the House of Lords finally begins scrutiny of the UK data protection reform, Open Rights Group urges peers to support amendments that would strengthen the independence and effectiveness of the UK data protection authority, and bolster the public’s right of seeking a remedy against an infringement of their rights.
On a cycling forum, members who are rightly worried that their forum may be blocked by default filters, Skydancer posted a response he was given by Diane Abbott: I do not believe that the arrangements to protect children from hard core porn online will affect a forum to discuss cycling!
The motion laid down by Labour says: That this House deplores the growth in child abuse images online; deeply regrets that up to one and a half million people have seen such images; notes with alarm the lack of resources available to the police to tackle this problem; further notes the correlation between viewing such images and further child abuse; notes with concern the Government’s failure to implement the recommendations of the Bailey Review and the Independent Parliamentary Inquiry into Online Child Protection on ensuring children’s safe access to the internet; and calls on the Government to set a timetable for the introduction of safe search as a default, effective age verification and splash page warnings and to bring forward legislative proposals to ensure these changes are speedily implemented.
The Digital Surveillance report – to be launched at a public event on Monday – gives a history of surveillance policy, looks at the current state of the law, examines why technology poses a problem and offers alternative, more targeted and more accountable approaches.
Since we published our report ‘Mobile Internet censorship: what’s happening and what to do about it‘, jointly with LSE Media Policy project, a number of people have been in touch with us asking what to do if they discover their site is blocked incorrectly by mobile networks’ child protection filters.
Open Rights Group and Tor have established that UK mobile networks such as Vodafone, O2 and 3 are filtering UK users’ access to Tor’s primary website (meaning the HTTP version of the Tor Project website, rather than connections to the Tor network) on pre-paid contractless accounts.
To coincide with the start of the London Conference on Cyberspace, eleven organisations and experts on freedom of expression and privacy online have today written to the Foreign Secretary stating that Britain’s desire to promote these ideals internationally is being hampered by domestic policy.
In the sixth of our series on the challenges facing the new government, Jason Kitcat looks at proposals for changes to the way our elections are run, including dangerous calls for e-voting.
Wikipedia have announced that they are blocking Phorm as they consider the scanning and profiling of our visitors’ behavior by a third party to be an infringement on their privacy.
It’s difficult to tell which of today’s developments the UK’s major ISPs should be more worried about – the fact that Sir Tim Berners-Lee has publicly stated that he would change his ISP if it started employing systems, like Phorm, which could track his activity on the internet, or the news that UK digital rights gurus the Foundation for Information Policy Research (FIPR) have today written an open letter to the Information Commissioner, urging him to look at the legality of Phorm.
The Electoral Commission and the separate review by Ron Gould that the Commission instituted have published their reports on the Scottish elections of May 2007 The Gould Review in particular identifies a number of important issues, many of which ORG addressed in our own report on the elections published this June.
In a speech to the National Council of Voluntary Organisations this morning, Gordon Brown announced he would be convening a Speaker’s conference on voting reform: Today I am proposing to the Speaker that he calls a conference to consider, against the backdrop of a decline in turnout, a number of important issues, such as electoral registration, weekend voting, and the representation of women and ethnic minorities in the House of Commons.
While the Department for Constitutional Affairs have left us in the dark with no news at all about the e-voting pilots due for May 2007, The Open Rights Group and FIPR have been hard at work.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。