David Erdos

@daviderdos.bsky.social

Trinity Hall Fellow, Professor of Law & Open Society & CIPIL Co-Director Cambridge University. Interested in #dataprotection #GDPR information law, legal history & public and private international law. Viewpoints personal & RT≠endorsement

274 Followers  |  381 Following  |  72 Posts  |  Joined: 02.06.2025

Latest posts by daviderdos.bsky.social on Bluesky

For more ideas on how deficiencies in monitoring and enforcing #UKGDPR might be tackled see my new working paper at papers.ssrn.com/sol3/papers.... 3/3

17.02.2026 10:37 — 👍 0    🔁 0    💬 0    📌 0

The ICO's discretion was limited to the "manner" in which a lawfulness assessment was carried out, not whether to do one:
decisions.ombudsman.org.uk/decision?id=... Individuals with significant concerns which are only logged should therefore consider lodging a complaint with the Ombudsman. 2/3

17.02.2026 10:37 — 👍 0    🔁 0    💬 1    📌 0

The ICO's new policy to just "record" many UK #GDPR complaints is at serious odds with a @phsombudsman.bsky.social ruling from 11/2025 which held complainants had a right to "an assessment under section 165 of the DPA as to whether it is likely or unlikely that the processing" was lawful. 1/3

17.02.2026 10:37 — 👍 0    🔁 0    💬 1    📌 0

Here's my new open-access article providing first comprehensive #law & #policy analysis of #Commonwealth #citizenship from end of WW2 to the present, also looking at its proposed future as a mechanism to facilitate short-term esp. #business mobility: www.tandfonline.com/doi/full/10....

10.02.2026 11:09 — 👍 1    🔁 1    💬 0    📌 0
10 February 2026 - Science, Innovation and Technology Committee - Oral evidence session - Committees - UK Parliament 09:00 - The Macmillan Room, Portcullis House

In the wake of the egregious #Afghan UK #GDPR #databreach and many others, Government Ministers are finally grilled before the Commons' Science, Innovation and Technology Committee today committees.parliament.uk/event/26457/... following on from ICO's appearance last October #DataProtection

10.02.2026 09:52 — 👍 0    🔁 0    💬 0    📌 0

And further that “the processing of personal data by the controller in compliance with that regulation" must be "ensured” & that “such non-exercise on the part of the supervisory authority" must not be "liable to undermine the requirement of strong enforcement of the rules”

09.02.2026 10:47 — 👍 0    🔁 0    💬 0    📌 0

ICO approach bears no resemblance to persuasive holding in Land Hessen (2024) that a #GDPR authority could only “exceptionally” refrain from “exercise of a corrective power” & even then only “provided that the situation in which the GDPR was infringed has already been made good”

09.02.2026 10:47 — 👍 0    🔁 0    💬 1    📌 0

This is despite obvious correlation between rising complaints & recent degrading of enforcement & also clear fact that if ICO refuses even to investigate then enforcement is categorically being refused without any controller undertaking whatsoever being received.

09.02.2026 10:47 — 👍 0    🔁 0    💬 1    📌 0

Despite widespread concern in the consultation responses and such specific points being made, none of this is recognised in the ICO’s response. ICO also refuse to recognise the link between serious defects in relation to complaints handling and failings vis-à-vis #enforcement.

09.02.2026 10:47 — 👍 0    🔁 0    💬 1    📌 0

The ICO additionally maintains that cost considerations (significantly the result of its own decision to channel resources away from its core investigatory tasks) can justify a lack of prompt handling even of “high-harm cases”, despite this being explicitly rejected in Delo.

09.02.2026 10:47 — 👍 0    🔁 0    💬 1    📌 0

In EW (2021) the Upper Tribunal even specifically ordered the ICO to take the concrete investigative steps necessary to achieve this (overruling its categorical refusal to do so previously).

09.02.2026 10:47 — 👍 0    🔁 0    💬 1    📌 0

Case law has been clear that “appropriate” investigation ordinarily means that the ICO must investigate to the extent necessary to “reach and express a view about the likelihood” of compliance (Delo (EWCA) at [80])

09.02.2026 10:47 — 👍 0    🔁 0    💬 1    📌 0

Lamentable that Information Commissioner will now refuse to investigate as opposed to "log" many (perhaps most) UK #GDPR complaints despite law stating that they must “investigate, to the extent appropriate” & inform on “the outcome of the investigation” (art. 51(1)(f)). ico.org.uk/make-a-compl...

09.02.2026 10:47 — 👍 0    🔁 0    💬 1    📌 0

Lovely to see hard copy of new book on the #dataprotection & #humanitarian action & proud to have contributed chapter exploring role of the #unitednations guidelines from 1990 in shaping regulation here. It's all open access so please do check it out! www.taylorfrancis.com/books/oa-edi...

05.02.2026 14:35 — 👍 5    🔁 2    💬 0    📌 0

The Administrative Review Tribunal affirmed the Privacy Commissioner’s finding that Bunnings contravened Australian Privacy Principles (APP) 1 and 5 (notification of the collection of personal information) when rolling out FRT in its stores. See lnkd.in/etqgmguY.

04.02.2026 23:30 — 👍 1    🔁 3    💬 0    📌 0
CIPIL Evening Seminar: 'Should we care about GDPR Article 22?' Speaker: Tim Pitt-Payne KC, 11 Kings Bench Walk Biography: Timothy Pitt-Payne KC is a leading information law silk based at 11KBW where he has practiced since 1990. He was appointed QC/KC in 2010.

Please join me at CIPIL's first seminar of 2026 this Thursday at 5.30pm with Tim Pitt-Payne KC talking at Cambridge Law Faculty on future of UK #GDPR automated individual decision-making rights under the Data (Use & Access) Act. More including Zoom link at www.cipil.law.cam.ac.uk/press/events...

26.01.2026 15:10 — 👍 1    🔁 0    💬 0    📌 0

In contrast to its heavy reliance on C-252/21 Bundeskartellamt (2023) when pushing "pay or consent", @iconews has not made any mention of Land Hessen or the line of case law emphasising the mandatory duty of "strong enforcement" under #GDPR which preceded it.

13.01.2026 12:46 — 👍 0    🔁 0    💬 0    📌 0

(ii) “the processing of personal data by the controller thereof in compliance with that regulation is ensured”, and (iii) “such non-exercise on the part of the supervisory authority is not liable to undermine the requirement of strong enforcement of the rules”.

13.01.2026 12:46 — 👍 0    🔁 0    💬 1    📌 0

C-768/21 Land Hessen (2024) found “exercise of a corrective power” should always follow infringement except on a truly exceptional basis and even then only (i) “provided that the situation in which the GDPR was infringed has already been made good” ...

13.01.2026 12:46 — 👍 0    🔁 0    💬 1    📌 0

Such an "advise and persuade" approach has been widely criticised within the regulatory literature and lacks empirical support. Treating use of formal corrective powers as an exceptional act is also strongly contrary to the guarantees set down in the #GDPR.

13.01.2026 12:46 — 👍 1    🔁 0    💬 1    📌 0

Following many egregious Government #dataprotection breaches over the past few years it's v disappointing to see ICO-Government MoU doubles-down on the ICO's flawed "public sector approach" which "prioritises engagement" rather than corrective powers use: ico.org.uk/media2/m15nb...

13.01.2026 12:46 — 👍 2    🔁 1    💬 1    📌 1
Hundreds of items taken in high-value Bristol Museum archive raid More than 600 artefacts from the museum's British Empire and Commonwealth collection are taken.

Neglect of unique #Commonwealth collection never ceases to amaze! The old CW Institute was told not to give items to ailing Museum but did www.theguardian.com/uk/2002/nov/..., +140 Museum items were then illegally sold bbc.co.uk/news/uk-engl... before closure & now... www.bbc.co.uk/news/article...

11.12.2025 18:10 — 👍 3    🔁 0    💬 0    📌 0
Civil liberties groups call for inquiry into UK data protection watchdog Campaigners including Good Law Project describe ICO ‘collapse in enforcement activity’ after Afghan data breach

The final straw – the Information Commissioner's Office has decided NOT to investigate the Afghan data leak. It's time to investigate them!

Over 70 organisations and experts back ORG's call for an inquiry into the regulator's chronic failure to enforce data law.

www.theguardian.com/technology/2...

24.11.2025 10:19 — 👍 23    🔁 18    💬 1    📌 2
Civil liberties groups call for inquiry into UK data protection watchdog Campaigners including Good Law Project describe ICO ‘collapse in enforcement activity’ after Afghan data breach

What’s happened to the ICO’s enforcement regime?

We’ve signed @openrightsgroup.org’s letter calling for an inquiry after the data regulator declined to formally investigate the MoD over the Afghan data breach.
https://bit.ly/48gc9ZZ

24.11.2025 10:13 — 👍 53    🔁 33    💬 0    📌 0

A teddy bear equipped with AI was meant to be a child’s chat companion, but it eagerly jumped into topics like BDSM and “where to find knives.” The manufacturer stopped sales and cut off access. AI toys need strict filters, testing, and oversight or it ends in a plush sewer. #AIact #GDPR

20.11.2025 09:52 — 👍 24    🔁 10    💬 1    📌 5
70+ organisations and experts demand action over failing ICO Over 70 civil society organisations, academics and data protection experts have urged the Chair of the Select Committee for Science Information and Technology to open an inquiry into the collapse in e...

With no investigation even of Afghan #databreach despite grave risk to c100K & just 2 UK #GDPR fines in 24/25, I'm proud to join 70+ orgs & experts call on Commons Sci & Tech Committee, which oversees the ICO, to investigate #dataprotection enforcement probs www.openrightsgroup.org/press-releas...

24.11.2025 15:24 — 👍 2    🔁 0    💬 0    📌 0
ChatGPT violated copyright law by ‘learning’ from song lyrics, German court rules OpenAI ordered to pay undisclosed damages for training its language models on artists’ work without permission

"Munich regional court sided in favour of Germany’s music rights society GEMA, which said ChatGPT had harvested protected lyrics by popular artists to “learn” from them" Paying for the lack of respect and permission
www.theguardian.com/technology/2...

16.11.2025 04:32 — 👍 100    🔁 32    💬 0    📌 0
Al Jazeera English on X: "Would Trump’s $1bn lawsuit against the BBC hold up in court? https://t.co/QczYzdg6L9 https://t.co/sPOoIiduda" / X Would Trump’s $1bn lawsuit against the BBC hold up in court? https://t.co/QczYzdg6L9 https://t.co/sPOoIiduda

Good to give input on @AJEnglish piece on barriers to #Trump action against #BBC. US #defamation law shields speech about public officials unless can show publisher knew was false or showed a reckless disregard for this. BBC is clear was unintentional. x.com/AJEnglish/st...

15.11.2025 13:18 — 👍 2    🔁 1    💬 0    📌 0

The PAC's findings raise further Qs about the lack of ICO investigation or any formal regulatory action (even a mere reprimand) in response to this egregious #databreach which clearly arose from a long period of #dataprotection practices in grave violation of UK #GDPR.

14.11.2025 10:13 — 👍 0    🔁 0    💬 0    📌 0
Afghan data breach: MoD has not done enough to stop future similar incident, PAC warns - Committees - UK Parliament The Public Accounts Committee (PAC) is not confident that the MoD has done enough to reduce the risk of future incidents like the 2022 Afghan data breach.

The Committee is also clear that even now the MoD "has not done enough to stop future similar incident": committees.parliament.uk/committee/12... The cost of these errors, even only financially, dwarfs any impact which early and dissuasive use of penalties by ICO would have entailed.

14.11.2025 10:13 — 👍 0    🔁 0    💬 1    📌 0
