The Information Commissioner’s Office (ICO) will need to adapt its approach to regulation as simply expanding to meet the rate of demand is unsustainable, the Information Commissioner, John Edwards, has warned.
In his last address to the IAPP Conference in London in February, the outgoing Commissioner highlighted the scale of operational pressure on the regulator, with data protection complaints rising sharply from 40,000 in 2024/25 to 66,000 so far in 2025/26, and potentially reaching 75,000 by year‑end.
He warned that it would be “unsustainable or irresponsible” to increase resources at the same pace, despite growing public expectations.
He acknowledged competing demands from stakeholders: calls for more enforcement, more guidance, more upstream engagement, and even proposals from Parliament for the ICO to audit all government use of third‑party IT and cloud services. But he stressed that the regulator must make deliberate choices about where to intervene.
“If we tried to respond to all the possible calls on our time and resources at once, we’d be reacting to noise instead of making meaningful interventions,” he said.
The Information Commissioner defended the strategic choices made during his four‑year tenure. The Commissioner defended the ICO’s decision to prioritise areas with the greatest potential for public harm and benefit. These include AI and biometrics, children’s privacy, and online tracking - domains where the regulator has combined guidance, upstream engagement and enforcement.
He pointed to the Children’s Code as a major success, with improved online privacy for an estimated 11 million children. Enforcement has been central: TikTok was fined over £12m in 2023, while Imgur and Reddit were sanctioned for failing to verify the ages of UK users. The ICO also intervened when Snap made its AI chatbot available to under‑13s.
The Commissioner linked this work to wider societal debate about whether under‑16s should be on social media at all, arguing that safeguarding children online remains one of the regulator’s most important responsibilities.
Reflecting on enforcement strategy, he cited the Clearview AI case as emblematic of both the importance and the limitations of litigation. The ICO fined the company £7.5m in 2022 for unlawfully scraping billions of images and ordered it to delete UK data. But years of appeals have delayed final resolution.
The case, he said, demonstrates the need to choose enforcement tools carefully: litigation can be slow and resource‑intensive, even when the underlying issues - biometric data, jurisdiction, and public protection - are critical.
The Commissioner also emphasised the need for agility in the face of fast‑moving technological developments. When he first attended IAPP London, he noted, “ChatGPT didn’t exist.” Today, AI systems such as Deepseek and agentic AI models are reshaping the regulatory landscape at unprecedented speed.
He highlighted the ICO’s Tech Horizons programme, live investigations such as the probe into Grok AI, and the Regulatory Sandbox as examples of proactive and collaborative approaches to emerging risks.
The corporation sole model that has defined the ICO since 1984 will shortly be replaced by a statutory board structure and the Commissioner confirmed that the ICO will undergo further change in 2026, including the move of its head office to Manchester and the development of a new corporate strategy.
Despite this, and the other challenges facing the regulator, the Commissioner stressed that the its core duties remain constant: upholding the law, protecting people’s privacy, and supporting responsible data use.

