Who Regulates the Regulators? The Information Commissioner’s Office



Post-pandemic prospects for global trade


No 1: The Information Commissioner's Office

  • The Information Commissioner has wide ranging functions and powers. They are not always parameterised clearly in the relevant legislation. The Information Commissioner’s reporting shows little evidence that objectives are being met, or even measured. The Parliamentary Committee responsible has not performed its scrutiny function of the Information Commissioner’s Office (ICO) well and a forum appears to be lacking for detailed examination of its actions at a technical and legal level.

  • In practice the current data protection regime is not working as had been foreseen by the European Commission in its impact assessment for the General Data Protection Regulation. The costs to businesses have been much greater than expected and there appear to have been negative effects on competition and investment. Many businesses are not fully compliant and some believe full compliance is not possible, suggesting that the Information Commissioner is not succeeding in its functions of promoting public awareness and understanding, and monitoring and enforcing compliance.

  • There is insufficient oversight and review of fines and enforcement actions taken by the Information Commissioner. Challenging a decision is costly, there are serious procedural defects and imbalances, and the fines that can be levied are out of all proportion to the harm or loss caused.

  • The Information Commissioner can issue guidance that is of uncertain legal effect but has serious consequences – and does so without producing impact assessments. This has negative consequences for the rule of law and accountability.

  • The ICO is well regarded internationally and by business organisations for its role in data protection law and policy, but there are reforms that could usefully be made to improve its accountability and effectiveness, while maintaining its independence.

Fullscreen Mode

Head of Regulatory Affairs

Victoria joined the IEA’s International Trade and Competition Unit in Spring 2018. She is a lawyer and practiced for 12 years in the fields of technology and financial services, before joining the Legatum Institute Special Trade Commission to focus on trade and regulatory policy. She has published work on the implications and opportunities of Brexit in financial services and movement of goods and the issues in connection with the Irish border. Before entering the legal profession Victoria worked for Procter & Gamble in the UK and Germany.

James Tumbridge is a partner of Venner Shipley. He has extensive experience  in  commercial  litigation, intellectual property and alternative  dispute  resolution (ADR).  James is particularly known for his government relations and data protection practice. He is one of the authors of the UK Data Protection Act 2018 that implemented the General Data Protection Regulation. He has extensive experience of regulatory compliance in matters of data protection in Europe and globally. James has been an ad hoc advisor to various UK Members of Parliament and Members of the European Parliament on this subject, as well as a range of IP and dispute issues. As a Chair of Police Tribunals, James has considered and ruled on data protection issues arising in the context of data and policy breaches. He has also trained three police forces on data compliance.