How long does it take to close an ICO complaint?

Viewpoints
December 9, 2022
2 minutes

“Will the regulator investigate or enforce against us?”  It’s one of the most common questions that clients ask me — and it's still one of the most interesting.  Common because the spectre of regulatory enforcement focuses the mind, and rightly so. And interesting because the answer is never quite the same.

So my eyes widened when reading a recent English High Court decision involving a judicial review about how the Information Commissioner’s Office (ICO) reviews the complaints it receives from individuals alleging an organisation’s non-compliance with the UK GDPR.  

The essence of the litigation concerned the following question: is the ICO obliged to investigate and reach a conclusion on every complaint it receives?  According to the High Court, the answer is no.  Article 57(1)(f) of the UK GDPR — which requires the ICO to “investigate [complaints] to the extent appropriate” — does not mean that it must investigate each complaint to the extent necessary to reach a conclusive determination.  Rather, Mr Justice Mostyn said, it is for the Information Commissioner (i.e., his staff) to assess what is required on a case-by-case basis.

This may come as news to the businesses who imagine that each complaint involves — indeed, requires — a detailed assessment of their practices, involving correspondence with and representations to the ICO.  And in some cases that certainly is the process.  

But to put things into context, in 2020/21 the ICO received 36,607 new complaints, of which it closed 31,055.  That means, on average, the 140 staff members responsible for handling complaints devoted less than five hours to each closed complaint.  As Mr Justice Mostyn put it, if the ICO had to “investigate every complaint fully and reach a final conclusion on each and every one, the delays in dealing with, and the pressure imposed on the workload would become extreme and take the system to breaking point, if not beyond”.

So that’s good news for organisations, right?  Well, yes and no.  If nothing else, it should help to give some perspective to your business’s calculus when facing the threat of a complaint to the ICO.  That’s of course not to say that any allegation of non-compliance should be taken lightly; the ICO took forward more than 15% of complaints last year, so it’s not something about which to be blasé.  Still, the ICO simply doesn’t have the time or resources to fully investigate all claims.  As Mr Justice Mostyn acknowledged, that is clearly problematic — but the solution is political, not legal.  

In the meantime, if individuals take the view that complaints to the ICO will inevitably be lost in the system, we may see an increased willingness for them to bypass the regulator and sue businesses directly.  That can in some cases be more challenging to deal with than a regulatory investigation, so it's something to bear in mind the next time you're contacted by an individual threatening to complain to the ICO.