For more ideas on how deficiencies in monitoring and enforcing #UKGDPR might be tackled see my new working paper at papers.ssrn.com/sol3/papers.... 3/3
17.02.2026 10:37 — 👍 0 🔁 0 💬 0 📌 0@daviderdos.bsky.social
Trinity Hall Fellow, Professor of Law & Open Society & CIPIL Co-Director Cambridge University. Interested in #dataprotection #GDPR information law, legal history & public and private international law. Viewpoints personal & RT≠endorsement
For more ideas on how deficiencies in monitoring and enforcing #UKGDPR might be tackled see my new working paper at papers.ssrn.com/sol3/papers.... 3/3
17.02.2026 10:37 — 👍 0 🔁 0 💬 0 📌 0The ICO's discretion was limited to the "manner" in which a lawfulness assesment was carried out, not whether to do one:
decisions.ombudsman.org.uk/decision?id=... Individuals with significant concerns which are only logged should therefore considering lodging a complaint with the Ombudsman. 2/3
The ICO's new policy to just "record" many UK #GDPR complaints is at serious odds with a @phsombudsman.bsky.social ruling from 11/2025 which held complainants had a right to "an assessment under section 165 of the DPA as to whether it is likely or unlikely that the processing" was lawful. 1/3
17.02.2026 10:37 — 👍 0 🔁 0 💬 1 📌 0Here's my new open-access article providing first comprehensive #law & #policy analysis of #Commonwealth #citizenship from end of WW2 to the present, also looking at its proposed future as a mechanism to faciliate short-term esp. #business mobility: www.tandfonline.com/doi/full/10....
10.02.2026 11:09 — 👍 1 🔁 1 💬 0 📌 0In the wake of the egregious #Afghan UK #GDPR #databreach and many others, Government Ministers are finally grilled before the Commons' Science, Innovation and Technology Committee today committees.parliament.uk/event/26457/... following on from ICO's appearance last October #DataProtection
10.02.2026 09:52 — 👍 0 🔁 0 💬 0 📌 0And further that “the processing of personal data by the controller in compliance with that regulation" must be "ensured” & that “such non-exercise on the part of the supervisory authority" must not be "liable to undermine the requirement of strong enforcement of the rules”
09.02.2026 10:47 — 👍 0 🔁 0 💬 0 📌 0ICO approach bears no resemblance to persuasive holding in Land Hessen (2024) that a #GDPR authority could only “exceptionally” refrain from “exercise of a corrective power” & even then only “provided that the situation in which the GDPR was infringed has already been made good”
09.02.2026 10:47 — 👍 0 🔁 0 💬 1 📌 0This is despite obvious correlation between rising complaints & recent degrading of enforcement & also clear fact that if ICO refuses even to investigate then enforcement is categorically being refused without any controller undertaking whatsoever being received.
09.02.2026 10:47 — 👍 0 🔁 0 💬 1 📌 0Despite widespread concern in the consultation responses and such specific points being made, none of this is recognised in the ICO’s response. ICO also refuse to recognise the link between serious defects in relation to complaints handlings and failings vis-à-vis #enforcement.
09.02.2026 10:47 — 👍 0 🔁 0 💬 1 📌 0The ICO additionally maintains that cost considerations (significantly the result of its own decision to channel resources away from its core investigatory tasks) can justify a lack of prompt handling even of “high-harm cases”, despite this being explicitly rejected in Delo.
09.02.2026 10:47 — 👍 0 🔁 0 💬 1 📌 0In EW (2021) the Upper Tribunal even specifically ordered the ICO to take the concrete investigate steps necessary to achieve this (overruling its categorical refusal to do previously).
09.02.2026 10:47 — 👍 0 🔁 0 💬 1 📌 0Case law has been clear that “appropriate” investigation ordinarily means that the ICO must investigate to the extent necessary to “reach and express a view about the likelihood” of compliance (Delo (EWCA) at [80])
09.02.2026 10:47 — 👍 0 🔁 0 💬 1 📌 0Lamentable that Information Commissioner will now refuse to investigate as opposed to "log" many (perhaps most) UK #GDPR complaints despite law stating that they must “investigate, to the extent, appropriate” & inform on “the outcome of the investigation” (art. 51(1)(f)). ico.org.uk/make-a-compl...
09.02.2026 10:47 — 👍 0 🔁 0 💬 1 📌 0Lovely to see hard copy of new book on the #dataprotection & #humanitarian action & proud to have contributed chapter exploring role of the #unitednations guidelines from 1990 in shaping regulation here. It's all open access so please do check it out! www.taylorfrancis.com/books/oa-edi...
05.02.2026 14:35 — 👍 5 🔁 2 💬 0 📌 0The Administrative Review Tribunal affirmed the Privacy Commissioner’s finding that Bunnings contravened Australian Privacy Principles (APP) 1 and 5 (notification of the collection of personal information) when rolling out FRT in its stores. See lnkd.in/etqgmguY.
04.02.2026 23:30 — 👍 1 🔁 3 💬 0 📌 0Please join me at CIPIL's first seminar of 2026 this Thursday
at 5.30pm with Tim Pitt-Payne KC talking at Cambridge Law Faculty on future of UK #GDPR automated individual decision-making rights under the Data (Use & Access) Act. More including Zoom link at www.cipil.law.cam.ac.uk/press/events...
In contrast to its heavy reliance on C-252/21 Bundeskartellamt (2023) when pushing "pay or consent", @iconews has not made any mention of Land Hessen or the line of cases law emphasising the mandatory duty of "strong enforcement" under #GDPR which proceeded it.
13.01.2026 12:46 — 👍 0 🔁 0 💬 0 📌 0(ii) “the processing of personal data by the controller thereof in compliance with that regulation is ensured”, and (iii) “such non-exercise on the part of the supervisory authority is not liable to undermine the requirement of strong enforcement of the rules”.
13.01.2026 12:46 — 👍 0 🔁 0 💬 1 📌 0C-768/21 Land Hessen (2024) found “exercise of a corrective power” should always follow infringement except on a truly exceptional basis and even then only (i) “provided that the situation in in which the GDPR was infringed has already been made good” ...
13.01.2026 12:46 — 👍 0 🔁 0 💬 1 📌 0Such an "advise and persuade" approach has been widely criticised within the regulatory literature and lacks empirical support. Treating use of formal corrective powers as an exceptional act is also strongly contrary to the guarantees set down in the #GDPR.
13.01.2026 12:46 — 👍 1 🔁 0 💬 1 📌 0Following many egregious Government #dataprotection breaches over the past few years it's v disappointing to see ICO-Government MoU doubles-down on the ICO's flawed "public sector approach" which "priortises enagement" rather than corrective powers use: ico.org.uk/media2/m15nb...
13.01.2026 12:46 — 👍 2 🔁 1 💬 1 📌 1Neglect of unique #Commonwealth collection never ceases to amaze! The old CW Institute was told not to give items to ailing Museum but did www.theguardian.com/uk/2002/nov/..., +140 Museum items were then illegally sold bbc.co.uk/news/uk-engl... before closure & now... www.bbc.co.uk/news/article...
11.12.2025 18:10 — 👍 3 🔁 0 💬 0 📌 0The final straw – the Information Commissioner's Office has decided NOT to investigate the Afghan data leak. It's time to investigate them!
Over 70 organisations and experts back ORG's call for an inquiry into the regulator's chronic failure to enforce data law.
www.theguardian.com/technology/2...
What’s happened to the ICO’s enforcement regime?
We’ve signed @openrightsgroup.org’s letter calling for an inquiry after the data regulator declined to formally investigate the MoD over the Afghan data breach.
https://bit.ly/48gc9ZZ
A teddy bear equipped with AI was meant to be a child’s chat companion, but it eagerly jumped into topics like BDSM and “where to find knives.” The manufacturer stopped sales and cut off access. AI toys need strict filters, testing, and oversight or ot ends in a plush sewer. #AIact #GDPR
20.11.2025 09:52 — 👍 24 🔁 10 💬 1 📌 5With no investigation even of Afghan #databreach despite grave risk to c100K & just 2 UK #GDPR fines in 24/25, I'm proud to join 70+ orgs & experts call on Commons Sci & Tech Committee, which oversees the ICO, to investigate #dataprotection enforcement probs www.openrightsgroup.org/press-releas...
24.11.2025 15:24 — 👍 2 🔁 0 💬 0 📌 0"Munich regional court sided in favour of Germany’s music rights society GEMA, which said ChatGPT had harvested protected lyrics by popular artists to “learn” from them" Paying for the lack of respect and permission
www.theguardian.com/technology/2...
Good to give input on @AJEnglish piece on barriers to #Trump action against #BBC. US #defamation law shields speech about public officials unless can show publisher knew was false or showed a reckless disregard for this. BBC is clear was unintentional. x.com/AJEnglish/st...
15.11.2025 13:18 — 👍 2 🔁 1 💬 0 📌 0The PAC's findings raise further Qs about about the lack of ICO investigation or any formal regulatory action (even a mere reprimand) in response to this egregious #databreach which clearly arose from a long period of #dataprotection practices in grave violation of UK #GDPR.
14.11.2025 10:13 — 👍 0 🔁 0 💬 0 📌 0The Committee is also clear that even now the MoD "has not done enough to stop future similar incident": committees.parliament.uk/committee/12... The cost of these errors, even only financially, dwarfs any impact which early and dissuasive use of penalties by ICO would have entailed.
14.11.2025 10:13 — 👍 0 🔁 0 💬 1 📌 0