Numerous civil liberties advocates and legal professionals are demanding an inquiry into the UK’s data protection regulator. The regulator has referred to the situation as a “collapse in enforcement activity” following a significant scandal, specifically the Afghanistan data breach.
A group of 73 individuals—including academics, leading lawyers, data protection specialists, and organizations like Statewatch and the Good Law Project—have sent a letter to Chi Onwurah, the chair of the bipartisan Commons Science, Innovation and Technology Committee. This effort was coordinated by the Open Rights Group and calls for an investigation into the actions of Information Commissioner John Edwards’ office.
“We are alarmed by the failure in enforcement actions by the Directorate of Intelligence, which has resulted in not formally investigating the Ministry of Defense (MoD) after the Afghanistan data breach,” stated the signatories. They caution that there are “more serious structural flaws” beyond just data breaches.
The Afghanistan data breach represented a grave leak involving information about Afghan individuals who collaborated with British forces prior to the Taliban’s takeover in August 2021. Those whose names were disclosed indicated that this exposure endangered their lives.
“Data breaches can pose serious risks to individuals and disrupt the continuity of government and business,” the letter emphasized. “However, during a recent hearing conducted by your committee, Commissioner John Edwards suggested he has no intention of reassessing his approach to data protection enforcement, even in light of the most significant data breach ever in the UK.”
The signatories also referenced other notable data breaches, including those affecting the victims of the Windrush scandal.
They argue that the ICO has adopted a “public sector approach” to such incidents, issuing disciplinary actions characterized by unenforceable written warnings and substantially lowering fines.
“The ICO’s choice not to initiate any formal action against the MoD, despite ongoing failures, is as remarkable as its lack of documentation regarding its decisions. This paints a picture in which the ICO’s public sector approach provides minimal deterrence and fails to encourage effective data management across government and public entities.”
“The response to the Afghanistan data breach signifies a broader issue. Many have been left disillusioned by the ICO’s lack of use of its remedial powers and its continual shortcomings.”
The letter warns that the trend of declining enforcement in the public sector will inevitably reflect in the accompanying statistics. Latest ICO report Enforcement actions by the private sector are also becoming increasingly rare, as the ICO fails to pursue matters and organizations redirect resources away from compliance and responsible data practices.
“Instead of simply hoping for a positive outcome, Congress has endowed the ICO with ample authority to ensure compliance with legally binding orders. During the hearing you conducted, it was clear that the ICO opted not to exercise these powers regarding the Afghan data breach.”
“Regrettably, the Afghanistan data breach is not an isolated case but rather an indication of deeper structural issues in the operations of ICOs.”
The letter concludes with the assertion that “change seems improbable unless the Science, Innovation and Technology Committee steps in with its oversight capabilities.”
An ICO spokesperson commented: “We possess a comprehensive array of regulatory powers and tools to tackle systemic concerns within specific sectors or industries.”
“We appreciate the essential role civil society plays in scrutinizing our decisions and look forward to discussing our strategies in our upcoming regular meeting. We also welcome the opportunity to clarify our work when engaging with or presenting before the DSIT Selection Committee.”
Source: www.theguardian.com
