The problem with the ICO

Your data reveals who you are, what you like, where you live and more. That’s why so many companies, government bodies and criminals want access to it.

Whether it’s to stop profiteering, tracking or fraud, data protection is the answer. But we need a strong regulator who will make sure the law is followed.

The Information Commissioner’s Office (ICO) has a poor track record of issuing weak reprimands instead of fines and acting as a critical friend to government. In 2024, the ICO took “regulatory action” in just one case out of the 25,582 complaints lodged with them. This can’t go on.

We need to fundamentally reform and strengthen the regulator, so that it protects the public not the powerful.

.

Demands for an inquiry into the ICO

70+ organisations and experts demand action.

Find out more

.

Report: Lessons from the pandemic

The ICO’s failures in protecting data rights in the UK.

Find out more

ALternative ICO ANNUAL report

Read ORG’s evaluation of the ICO’s activities and our recommendations.

Find out more

Five steps to an effective regulator

Be accountable
Give people the right to appeal.

Put the public first
Make the ICO’s primary responsibility to enforce the law and to investigate and remedy infringements.

Be independent
Make sure the ICO is protected from government interference.

End corruption
Stop the revolving door between the regulator and Big Tech.

Let public interest organisations represent the public
Groups like ORG should be able to bring challenges.

Sign the petition to demand change

.

Why the ICO needs to be reset

The ICO has consistently failed to protect our data privacy and uphold our rights.

Find out more

Under John Edwards’ leadership, the ICO have seen a steady erosion of independence and regulatory integrity. This has affected their ability to effectively oversee public bodies use of personal data.

On top of that, the ICO adopted a new, underwhelming policy to deal with data protection complaints, and signed a Memorandum of Understanding that further reduces their arms-length from government. It has also emerged that the ICO are advising the government on how to undercut the Freedom of Information Act, a pillar of government transparency and accountability.

Due to changes introduced by the Data (Use and Access) Act, the ICO are also due to be restructured into an Information Commission. Left to their own devices, however, there is little to suggest the ICO would self-heal with a change of leadership, or depart from the path they have been set upon.

This is why Open Rights Group has launched a petition calling for an overhaul of the ICO.

So how did we get here? And what do we need to do?

IT STARTED WITH A POLITICAL SHIFT…

With GDPR coming into force, the ICO gained new powers to investigate and issue substantial fines. This led to some early and high-profile interventions, such as a record fine to British Airways, or the investigation into Facebook and Cambridge Analytica. These early, positive signals were short-lived.

Post Brexit, the Johnson government signalled that they wanted to dismantle meaningful data protection in favour of business monetisation. In 2021, the Department for Digital published the Data: a New Direction consultation, outlining a wholesale deregulation of UK data protection law and the biggest attack to this date on the British public’s right to data protection. That same year, Elizabeth Denham left the post of Information Commissioner, despite being only 5 years into her 7 year term.

ACCELERATED BY A POLITICAL APPOINTMENT…

Oliver Dowden, then minister for digital under Boris Johnson’s government, announced the selection of a new Information Commissioner as a first step toward reshaping the country’s approach to data protection. The move fitted a broader trend toward the politicisation of public appointments. The resulting vacancy notice stated that the Commissioner was expected to “support the government deregulatory agenda”. A cross-party group of 30 MPs and Lords called on the government “to halt the recruitment process and restart it”, after removing “recruitment criteria pertaining to matters of policy that are outside of the remit of this statutory regulator”.

Following the appointment of John Edwards, our worst fears materialised during the debate around the UK data protection reform. The ICO muted some of its previous criticisms toward the reform, and quickly became the only regulator to fully support the government’s proposals—against the concerns raised by the Equality and Human Rights Commission, the National Data Guardian, the Biometrics Commissioner, the Scottish Biometrics Commissioner, and the Northern Ireland Human Rights Commission.

When the 2024 election was called, the UK data protection reform was dropped. A response to a Freedom of Information request revealed that John Edwards expressed his disappointment about the news, but explained the ICO would be reviewing what proposals of the reform could be salvaged “where legislative changes were not strictly required”. John Edwards was quick to cheer the new Labour government when they resurrected the reform.

PLACED A LEASH ON THE WATCHDOG…

Soon after his appointment, John Edwards announced the new, so-called public sector approach to enforcement, under which the ICO began to heavily rely on reprimands. These are non-enforceable, written notices where the ICO point out that the law has been broken without taking any regulatory action to remedy an infringement or holding law-breakers to account. This move was presented as part of the ICO25 strategy, shifting the focus away from the monitoring and application of UK data protection law.

As ORG’s alternative ICO annual report 2023-24 showed, reprimands lacked effectiveness and deterrence. Indeed, the ICO post-implementation review of the public sector approach would later reveal how the volume of complaints raised by UK residents about public sector organisations’ use of their data has increased substantially as a result.

The weakness of this approach reached its climax with the Afghan data breach: an unprecedented incident that, reportedly, led to the death of at least 49 people in the aftermath of the Taliban’s takeover of Afghanistan. The Commissioner’s decision to not even open an investigation led to a Parliamentary inquiry from the DSIT Select Committee, and an open letter from 70+ data protection experts lamenting a collapse in enforcement action. Dame Chi Onwurah, the Chair of the Committee, acknowledged the “institutional failure” that had led to the breach—which, in her own words, “raises serious questions for both the government and regulators like the ICO”.

AND MADE THINGS WORSE

The ICO are supposed to be a countervailing power, that ensures government policies are implemented without unjustly sacrificing our right to privacy and data protection. However, independence has historically been a weak spot. ORG’s report on data protection oversight during the pandemic already found that the ICO looked more interested in acting as the government’s “critical friend” rather than as a regulator. Since then, the UK data protection reform further tightened the government’s grip over the ICO. Then, John Edwards capitulated to the Labour government’s demands to direct regulatory activities toward removing “barriers for businesses” and submitted to a number of pledges to “promoting growth”.

In fact, the ICO have recently taken steps to make things worse. By signing a new Memorandum of Understanding with the government, the ICO are moving toward what ministers have described as a “relationship of partnership rather than opposition”. By adopting a new complaints-handing policy, the ICO are effectively telling us that they will not be acting to investigate or remedy data protection infringements reported by the public.

Most recently, it has emerged that the ICO are advising the government on how to water down the Freedom of Information Act, and undercut the public’s ability to demand transparency. As with the data protection changes beforehand, the ICO are providing intellectual cover for the government’s plans to curtail the regulatory framework they are tasked to enforce.

NOW WE NEED CHANGE

As the ICO moves to a new structure, it is time to acknowledge that the direction the ICO have taken has been, for the greater part, negative. However, is is also true that the ICO’s current faults are rooted in government interference, and lack of the necessary arms-length to carry out their job as written in the law. The faults which have characterised the ICO under their current leadership will persist unless the ICO are shielded from executive pressures, and made accountable to Parliament and the law, rather than the government of the day.

This is why we are launching a campaign to reset the new Information Commission. We want the ICO to:

• Be accountable, with a clear right to appeal for individuals who are let down by inaction.

• Put the public first with a clear responsibility to enforce the law.

• Be independent from government and directly accountability to Parliament.

• Put rules in place that prevent revolving doors or other undue corporate influences in the Information Commission’s functioning.

• Let public interest organisations like ORG represent the public, giving individuals alternative avenues to pursue justice when their data protection rights are infringed.

Things don’t need to get worse before they get better: sign up to our petition or join us in our fight to protect our rights in the digital age.

Digital Privacy

Reset the ICO

Find Out More

6 Targeting

What features within targeting are the minimum requirements for a commercially viable advertising model, and why?:

Commercial viability of targeting practices is not a static definition, but is ultimately determined by what practices are tolerated and allowed to be offered withing the online advertising market.

With this in mind, real-time-bidding and behavioural advertising are currently underscored by a free-for-all model where, once consent is given (and oftentimes, even when it’s not) adtech intermediaries process, share and repurpose this data at will. This is illegal under the UK GDPR, which requires data not to be processed beyond the specific, granular purpose for which consent was given.

It follows that the true value and commercial viability of advertising practices cannot be measured, insofar prices are distorted and the market is impacted by the unfair competition of non-compliant advertising practices. In turn, any serious assessment regarding the extent necessary of employing targeting features to attain a “commercially viable advertising model” should be preceded by an effective regulatory sweep to remove illegal advertising from the market, and restore a level playing-field for law-abiding businesses.

7 How significant are the changes in ICO regulatory posture towards PECR regulation 6 consent requirements that would be required to enable delivery of a commercially viable advertising model?

Change needed – Targeting: No change

Please explain your answer:

Firstly, the ability to target individuals based on personal data is the main enabler of harms, discrimination and predatory practices that plague online advertising. Targeting based on personal data exposes women to unjust prosecutions for their attempt to exercise reproductive health rights; problem gamblers to being targeted with gambling ads that are meant to exploit their addiction; anyone to be excluded on the basis of their gender, sexual preferences, ethnicity or other sensitive characteristics; children and those in a more vulnerable status to be targeted and taken advantage of.

These are not unfortunate outcomes, but inherent to the technolopgy being used: behaviour is the only personal data that can be observed and captured by storage and access technologies; however, behaviour is never a reliable proxy for an individuals’ characteristics, preferences or inner desires, but is a reliable mean to identify addiction, health statuses and other syndromes—all of which are, indeed, recognisable by “typical”, “compulsive” behaviours and clearly discernible patterns of behaviour. A system that is inherently bad at guessing your commercial preferences but inherently good at identifying weak spots that can be exploited does, not surprisingly, serve the purpose of exploiting individuals better than it does serve the purpose of delivering legitimate advertising. Advertising systems that target individuals on the basis of personal data should never be considered low-risk or exempted from consent requirements.

For the avoidance of the doubt, contextual advertising may not be considered as targeting on the basis of personal data, insofar targeting is based purely on the context of the website where the ad is being shown. The inclusion of information that either directly or indirectly relates to an individual—for instance, where the IP address was used to guess the geolocation of an individual— should never be considered contextual and thus be treated as targeted advertising.

Finally, we would draw attention to the fact that the call for views includes the following statement:
“We will continue to enforce consent requirements for collecting personal information for ad targeting and personalisation.”

Therefore, we consider a relaxation of consent requirement for ad targeting based on any amount of personal data to be outside of the scope of this call for view, and we expect the ICO to honour this statement.

Impacts of our approach

8 How far do you agree that the approach outlined in our call for views can identify commercially viable solutions that can also safeguard people’s privacy and improve user experience?

Strongly disagree

Please explain your answer::

As mentioned in response to question 6, tolerance toward non-compliant advertising practices prevent a meaningful measurement of the true value and commercial viability of advertising practices “that can also safeguard people’s privacy and improve user experience”.

Adding to those considerations, the approach of the call for views turns the relationships between commercial viability and “safeguarding people’s privacy and improving user experience” on its head: it is for advertising market players to commercialise their services withing the boundaries and in compliance with the norms that have been established by legislation. The UK GDPR and PECR already require advertising to be done in a manner that safeguards privacy and our agency. The role of the ICO is to enforce these boundaries, not to adapt them to meet the needs of non-compliant advertising firms.

Finally, it is worth underscoring that, in the event of exemptions to cookie consent requirements being adopted, “safeguarding people’s privacy” would ultimately depend on the limits and safeguards in place that underpins those exemptions. The call for views provides some, welcome clarifications over what will not be exempted, but does not at any point clarify what practices may or are being considered to be covered by those exemptions. This does not allow to appreciate the approach, and if and in which manner the ICO is managing to “safeguard people’s privacy” while conducting this call for views.

10 Would you anticipate any of the following negative impacts if any of the capabilities referenced were permitted without PECR consent in circumstances where the ICO considers them to be low risk to people? Please select all that apply:

Increased risk of privacy harm

Please provide any evidence on the likely scale of these negative impacts:

This questionnaire give adtech providers ample freedom to argue in favour of removing consent requirements for a range of purposes, as listed in questions 1-6. From the perspective of civil society and independent experts, instead, the call for views does not provide any proposal whose impact on people’s privacy can be commented upon. Further, the call for views allows industry players to keep their responses as confidential, which could prevent evidence in favour of deregulation to be scrutinised publicly.

Notwithstanding that the “scale of these negative impacts“ can only be measured when a proposal will be presented, it is clear that the design of this call for views presents a very high likelihood to over-represent the views of the adtech industry and, in turn, to underweight the increased risk of privacy harm that could result.

Technical safeguards

12 Are you aware of any technical safeguards to reduce data protection and privacy risks of storage and access of information for the advertising purposes listed above?

Giving legal enforceability to technical signals would allow individuals to express consent for online advertising targeting via browser settings and communicate them persistently as they browse the Internet, thus ensuring that meaningful choices can be made and communicated to adtech providers. This solution would also constitute an effective way to allow individuals to object and opt-out of processing, thus ensuring that they retain choice and agency in an opt-out model of online advertising. Finally, such a system could also be relied upon by parents to set consent preferences via parental controls and thus protect their kids from online tracking.

According to Schedule 12(2) of the Data (Use and Access) Act:

(3) […] the means by which the subscriber or user may signify consent include—
10(a) amending or setting controls on the internet browser which the subscriber or user uses; (b) using another application or programme.

Therefore, powers to amend exemptions to Regulation 6 PECR could be used to give legal enforceability to technical signals.

22 We may wish to contact you for further information on your responses. If you are happy to be contacted, please provide your name and an email address below.

Please provide your name: Mariano delli Santi

Please provide your email address: mariano@openrightsgroup.org

Your views on our approach

7 To what extent to do you agree that ‘our proposed approach to complaint handling’ clearly explains how we’ll handle complaints?

Strongly disagree

If disagree / strongly disagree / not sure, please explain:

The proposal does explain, to an extent, how the ICO would handle complaints. Here, it is worth stressing that the policy outlined in this document is unlawful, as it extends the discretion of the ICO well beyond what case-law has accepted.

Your consultation document states that “In 2023, the Court of Appeal confirmed that we have broad discretion in deciding the appropriate extent of an investigation, including the form of the outcome”. The hyperlink provided refers to Delo vs. The Information Commissioner which, whereas does provide broad discretion to the ICO, also reaffirms the duty to uphold rational decision-making. In the case at hand, the ICO decision to drop the complaint was found to be “rationale” on the basis that “The Commissioner’s assessment that there was nothing to suggest that [the Controller] had operated a blanket approach is legitimate on its face. Mr Delo has not identified any basis for supposing, rather than speculating, that a more detailed investigation might falsify that conclusion”.

In other words, Delo affirmed that the ICO can legitimately close a complaint if there is no evidence of infringements, and that it is not the Commissioner’s duty to pursue an investigation that may, speculatively, overturn the lack of evidence provided by the complaint. The judgement does, however, say that the ICO must “reach and express a view about the likelihood” of an infringement. Further, the judgement does not say, that it would be rationale (and thus lawful) for the ICO not to investigate a complaint where evidence of infringements is provided, or where context clearly suggest that this should be the case. Likewise, the Upper Tribunal found, in Smith vs. The Information Commissioner, that the law imposes an “objective test [of] what is ‘appropriate’ by way of investigation” on the ICO.

The ICO proposed approach to complaints handling, however, does expressly foresee the closing of complaints without any substantive investigation where evidence of rights infringement or harm is provided (or, indeed, is even obvious and established). This contradicts much of what case-law mentioned above establishes, as well as the ICO primary responsibilities under the law.

8 Is there anything else you think we should include in our proposed approach to complaint handling?

Yes

If ‘Yes’, please explain:

The proposed approach to complaint handling should go back to the drawing board.

9 To what extent do you agree that the proposed framework document clearly explains how we will handle complaints.

Strongly disagree

Please explain your response:

Notwithstanding the remarks made in question 7, the proposed framework fails to provide an objective and rational framework to determine which cases would be escalated to an investigation and which would not. In particular, the proposed framework:

– Establishes thresholds which are both vaguely defined and arbitrary, such as “high level of harm”, or “significantly affecting people”, or “substantial number of people”, or “significantly improve the way the organisation uses personal information or enhance data protection rights”.

– Introduces the “ICO strategic priorities” among the criteria used to assess the investigation of a complaint. This is spurious and extra-legal, and suggest the ICO wants discretion not to remedy situations that may cause harm or affect large number of people unless it aligns with its own internal agenda.

– Includes “Is it in the public interest for us to make enquiries?” among the assessment criteria. This is rather odd, as it suggests the ICO is seeking discretion not to investigate complaints unless they relate to a matter of public interest. This would pervert the role of complaints under the GDPR: although individual may decide to use complaints strategically and to pursue matters of public interest, the primary function of a complaint is to remedy and infringement of the rights of the complainant.

Overall, the framework fails to establish clear and substantive criteria upon which the ICO decision-making can be scrutinised against.

Further, complaints are a remedy given to the individual to address infringement of their rights. Their rationale is rooted in the difficulty that individuals may have in collecting evidence and uphold their rights against situations that are technically complex, or in situation where there is an obvious imbalance of power—e.g. because the complaint involves powerful public or private entities. Against this background, the proposed framework takes very little consideration of individuals and their rights, and focuses instead on establishing criteria which are useful to the ICO themselves, or to serve the interest of the organisations against which a complaint may be filed.

10 Is there anything else you think we should include in this proposed framework document?

Yes

If ‘Yes’, please explain: :

The proposed framework should be brought back to the drawing board

11 To what extent do you agree with the ‘criteria’ we’ll consider when assessing complaints:

Strongly disagree

Please explain your response:

See answer to question 9

12 Is there anything else you think we should include in our criteria?

Yes

If ‘Yes’, please explain: :

See answer to question 10

13 To what extent do you agree with the proposed plans of what we would do with the information we collect from complaints?

Strongly disagree

If ‘Yes’, please explain:

There is obvious value in keeping track of number of complaints filed against a controller for the purpose of determining what would constitute an effective and dissuasive enforcement action against them. For instance, repeated offences or infringements of rights are useful criteria to determine the

amount of monetary penalties being issued, or to issue an enforcement notice instead of a reprimand. Counting the number of complaints is not, however, a rational criteria to assess whether the ICO should pursue an investigation or drop and “record” the complaint instead.

Notwithstanding what we explained in our answer to question 7, here it is worth stressing that this policy will lead to Controllers breaking the law and not facing the consequences of their non-compliance until the number of complaints against them hasn’t reached a certain threshold. This is dis-educative, as it favours the adoption of unlawful or substandard data management practices, which would not be challenged until such practices have entrenched into the organisation’s internal culture and developed into a “bad habit”. This would also prevent the ICO from begin effective and dissuasive in their oversight role, as their intervention would become reactive and delayed by default, rather than aiming to educate controllers and prevent infringements from occurring.

Likewise, this policy will inevitably increase the volume of complaints received by the ICO: as Controllers will develop bad habits and break the law more often, individuals’ rights will also be breached more often and the volume of complaints will likely increase.

14 Is there anything else you think we should consider when using the information we collect from complaints?

Yes

If ‘Yes’, please explain: :

As argued before, the number of complaints should not be used a criteria to determine if and to what extent substantive action is needed upon receiving a complaint. Instead, the ICO should consider the available evidence provided to them by the complaint, and determine the likelihood and potential gravity of such infringement.

Questions to assess the impact of our proposed approach

15 Do you agree with the identified list of the affected groups in Section 5.4 of the impact assessment?

Strongly disagree

16 Are there any other groups of stakeholders that you think will be affected by the proposed data protection complaints handling approach?

No

17 Do you agree with the assessment of costs and benefits outlined in the impact assessment?

Strongly disagree

Please explain your response:

The cost-assessment estimates that this policy would have an impact on “c.42,315 – c.55,000 people” who raise complaints with the ICO and “Up to 3.3 million data controllers”. This makes the whole assessment irrational, since:

– Either the ICO wants to measure the impact of their proposal against the UK as a whole, in which case the policy would have an impact on 66,940,559 people (as recorded by the latest census). Or,
– The ICO wants to assume that this policy will impact only those stakeholders who have raised a complaint in the past. In this case, the ICO should factor how many controllers where targeted by a complaint, rather than the whole amount of controllers who reside in the UK.

The decision to measure the whole population of controllers against an arbitrary fraction of UK data subjects who have exercised their right to lodge a complaint under the GDPR is, frankly, extraordinarily suspicious. Indeed, it is obvious that the “cost” of exposing 66 million individuals to repeated data protection harms and until certain arbitrary threshold have been reached would invariably outweigh whatever benefits the ICO claim this may bring to a small fraction of controllers or to themselves.

18 Are there any other costs and/or benefits that you think should be considered?

No

If yes, please provide details below and any evidence you might have to illustrate this: :

See answer to question 17

19 Do you think the proposed data protection complaints handling approach will result in any additional costs or benefits for you / your organisation? (These could be financial or non-financial)

Cost(s)

20 Please describe the types of additional costs and / or benefits you / your organisation might incur, including a rough estimate where possible.

If applicable, please describe the types of additional costs and/or benefits you/ your organisation might incur, including a rough estimate where possible.:

Additional litigation costs (judicial reviews).

21 Is there any other evidence or information on potential impacts that you would like us to consider?

No

23 Are there any terms or sections in the proposed approach you found unclear or overly technical?

Yes

If ‘Yes’, please explain::

The proposed framework as a whole is unclear, as most criteria rest on subjective assessments conducted by the ICO concerning what is “high” or “significant” or reaches a threshold that warrants regulatory oversight.

24 Would you be happy for us to contact you if we have any follow up questions based on your responses to this consultation?

Yes

If ‘Yes’ please provide your name / email address / preferred contact details.:

Mariano delli Santi, mariano@openrightsgroup.org

Signatories of joint statement, including Mozilla, Tor and Open Rights Group, call on ministers to address root causes of online harm rather than pursue blanket access restrictions.

A group of tech companies and civil society organisations has urged UK policymakers to reconsider their approach to online safety legislation, warning that proposed age-gating measures and access restrictions threaten to fragment the open internet and erode the rights of all users.

The statement comes as ministers consult on which online platforms and features should be placed behind age verification systems. Proposals under consideration include curfews for young users and sweeping restrictions on access to internet services ranging from video games and VPNs to static websites.

Such proposals would in practice require all internet users to verify their ages, creating significant privacy and data security risks, including to young people, as shown by the serious breaches of UK users’ government ID data.

The expansion of age verification risks entrenching the dominance of major app stores and platform gatekeepers, turning the web into “a patchwork of age-gated jurisdictions” rather than a globally accessible resource.

The statement urges UK policymakers to adopt ‘thoughtful policy interventions’ that address the root cause of online harms – the business models of large platforms, which are built on extensive data collection, behavioural targeting, and engagement-maximising design.

Open Rights Group has warned that new powers agreed by MPs in the Children and Schools Wellbeing Bill to expand age identification across online platforms risk creating a system of digital checkpoints.

As age identification expands, millions more people may be required to hand over personal data to access everyday services. Open Rights Group has already warned that current systems pose “serious privacy and security risks”, including weak safeguards, data reuse, and fraud vulnerabilities.

James Baker, Platform Power Programme Manager at Open Rights Group, said:

“In less than a year, we’ve gone from proposals to check ID for porn to the prospect of checking ID to access social media or unlock everyday features such as livestreams or feeds. These online ID systems put both children and adults’ sensitive data at risk.”

“Evidence coming out of Austrialia where a ban is in place suggests that many young people are seeking to avoid these blanket bans, and they aren’t effective.

“MPs should look at other policy options that change the underlying business models of social media platforms so we can build better online spaces rather than imposing blanket restrictions.”

Open Rights Group reiterated its call for stronger regulation of the age assurance industry, alongside robust data protection safeguards.

The group also warned that when details of the regulations to impose bans emerge they must not sweep up low-risk community forums and small services, which are already being forced offline due to the burden of complying with the Online Safety Act.

Free expression online

Fix the Online Safety Act

Find Out More

A cross party group of MPs has called for the government to publish classified documents that detail the “chronic risks” to the UK from our reliance on digital platforms and services, the dominance of global tech and the impact of AI. Digital rights campaigners, the Open Rights Group, have also requested the release of the classified documents through a freedom of information request.

The publication of these risks is crucial to enable a proper public and parliamentary debate about the UK’s dependence on foreign tech companies for its critical infrastructure.

The MPs’ letter follows analysis in a recent report by ORG, which highlighted that national debate on digital sovereignty is being hampered by secrecy, preventing Parliament and the public from debating whether the government understand the scale of the challenge.

The report showed that the UK’s over-reliance on mostly US companies is a national security issue, due to US legal powers. During the previous parliament, MPs recognised the risks of using foreign tech companies when they took action over potential state interference from using Huawei equipment. However, there needs to be an urgent parliamentary and public debate about the UK’s reliance on mostly US companies in light of recent geopolitical uncertainty. Were the UK’s relationship with the US to deteriorate over Iran or Greenland, the US could use legal powers compel tech companies to discontinue services or carry out surveillance. Companies such as Palantir, recently contracted to deliver core components of the Ministry of Defence’s data systems, have openly championed US military dominance.

The letter calls for the National Risk Register to be updated so that it addresses the risk of foreign states using legal powers in this way. It also asks that the government “lead a national debate on the nature of our digital dependence, from both a security and economic perspective”.

Read the letter signed by Sian Berry MP (Green Party), Clive Lewis MP (Labour), Victoria Collins MP (Liberal Democrats) and Ben Lake MP (Plaid Cymru).

EU shift to Open Source

EU countries, including France, Germany, the Netherlands and Denmark are taking steps to end their reliance on US Big Tech by moving to Open Source and collaborative solutions.

ORG has called for the UK to develop a digital sovereignty strategy to protect the UK’s independence and grow its economy. Digital sovereignty is defined as the ability of a country to have control over its digital infrastructure, data, and technology. Greater investment in Open Source could also drive UK economic growth, supporting domestic innovation and a more competitive technology sector. It can modernise critical government systems, strengthen control over public technology infrastructure, reduce dependence on proprietary vendors and restore public sector control.

Jim Killock, Executive Director of Open Rights Group said:

“For years, Big Tech has used its power to lobby parliament, gain control of the UK’s digital infrastructure and influence government policy. It is known within government that our dependence on foreign companies is a national security risk but the details are being kept from the public.

“We have a right to know what the consequences of years of pandering to Big Tech mean for the UK. The Government must be transparent about the risks and show how it is taking steps to make the UK’s more resilient to foreign interference.”

Siân Berry MP said:

“Cross-party MPs are urging the Government to address the glaring risks to our citizens from the choices made for our critical digital infrastructure. Our over-reliance on foreign tech giants for the digital systems that keep the country running, combined with temperamental Trump in the White House, leaves us open to the very real possibility of foreign interference or even service withdrawal. 

“With my fellow MPs, I am sounding the alarm and urging Ministers to update the risk register, while continuing to push for a digital sovereignty strategy that would build up homegrown tech resilience and protect our national security.”

Clive Lewis MP said:

“The UK’s dependence on Big Tech has left us dangerously vulnerable, particularly against a backdrop of increased geopolitical uncertainty as a result of US and Israeli military actions.

With the government actively considering triggering the break clause in Palantir’s Federated Data Platform contract, ministers seem to be waking up to the risks of allowing these corporation free rein in our public institutions.

It’s vital that work starts urgently on alternatives to Big Tech dominance.”

Demand UK Digital Sovereignty

Find Out More

Growing the economy through digital sovereignty

The report urges the UK Government to follow the lead of EU countries, including Germany, France, Netherlands and Denmark, who are actively pursuing digital sovereignty through strategic investments in open technologies and international collaboration.

Greater investment in Open Source can also drive UK economic growth, supporting domestic innovation and a more competitive technology sector. It can also modernise critical government systems, strengthen control over public technology infrastructure, reduce dependence on proprietary vendors and restore public sector control.

Demand UK Digital Sovereignty

Find Out More

Our new report asks a profound question: just how dependent is the UK on US technology, and what could that mean for the UK’s sovereignty? It is an enormous question, but as our report shows, there are real and beneficial answers if the UK shifts from one way dependence on US tech giants to shared technology, based on a Digital Commons, including Open Source, open standards and open hardware.

Our report surveys the mess that is the UK’s digital dependence, mostly on US tech giants but also in some cases Chinese technologies. Starting with the risks, we identify:

• Security risks: including threats of service withdrawals and sanctions, or even the use of technologies to launch attacks on government systems.

• Surveillance risks: including foreign powers compelling companies to provide access to UK government data.

• Economic risks: such as extractive economic behaviour, including tax avoidance, structuring of profits overseas, and depletion of economic value of government spending.

• Policy and democratic risks: through lobbying, threats of withdrawal of ‘investment’, and techno-solutionism; alongside centralised control of social media driving public discourse through the preferences of tech oligarchs.

Each of these is a big topic. The security risks have become pretty clear, as US President Donald Trump has made significant use of sanctions against individuals, resulting in them being cut out of European banking systems, as well as American tech platforms. However, the mere existence of potential leverage is also a threat, as it reduces the maneuverability of any government to resist pressure from the US in the event of a foreign policy or trade disagreement. Surveillance risks have a similar profile.

The UK’s digital policies are looking the other way

The report goes into the details of the UK’s current policy position, showing a remarkable absence of thinking about these risks in public policy documents. Reliance on US tech and the apparent faith of the government that AI will deliver significant benefits for the UK’s economy is in fact driving the other way. This strategy is made plain in the UK’s Tech Sectoral Plan. The inevitable result will be greater economic extraction and less value to the UK. This approach will drive the tax-ability of the tech sector downwards, relocate high value jobs outside of the UK, and result in ever greater pressure on public spending. Weakening regulation of data protection and competition policy only makes the situation worse.

Related to this, the UK also has a woeful record in allowing tech companies to be acquired by US and other overseas owners. Two of the biggest example include DeepMind, now owned by Google, and ARM chips, owned by a Japanese investment company and mostly US shareholders. Acquisitions of this kind make the UK tech sector wholly dependent on US tech. This stands in contrast to similar firms in European countries, which are regarded as strategic assets, and not sold on.

The UK’s failures regarding outsourced IT systems date back decades, whether these rely on US corporations such as Oracle, Microsoft, and IBM, or UK, Japanese and European vendors such as Capita, Accenture, Fujitsu and CapGemini. The Post Office scandal and the current debacle with civil service pensions did not come out of nowhere. Nor did the bankruptcy of Birmingham City Council, the victim of spiralling costs during a transition to an Oracle management system. Cloud dependence on Microsoft Azure and Amazon Web Services is just another chapter in vendor lock-in leading to over-charging.

Democracy is at risk

The democratic and policy risks of digital dependence are profound. They include lobbying, interference in trade agreements, promoting digital restrictions and producing e-waste. Techno-solutionism can also be a result of digital dependency, as vendors promote their way of doing things. The risks are profound, as Big Tech shapes what we do as a country. As Siân Berry MP describes in her foreword:

“Some of the practices of these not-so-friendly giants we rely on sit very uncomfortably with the ethics and values our country holds dear. For example, I have watched in horror as Palantir has crafted data-analytics software to facilitate ICE’s fascist deportations, sharing data between government departments to surveil and track migrants. While its CEO, Alex Karp is free to joke about its mission, saying chillingly in 2025: “Palantir is here to disrupt… and, when it’s necessary, to scare our enemies and, on occasion, kill them.”

The dominance of Big Tech in social media is itself a risk to democracy, as an EU study Fractured Reality also concluded this month. Yet the government is supporting Big Tech monopolies with ad spending and content, without publishing on the alternatives. The government complains about Big Tech’s failures, while only giving users the opportunity to engage with government through Big Tech. Clive Lewis MP writes in his foreword:

“Data and algorithms do not merely power economic activity. They increasingly mediate how citizens encounter information, interpret events and form political opinions. The systems that curate what we read and watch now have the power to shape public debate itself. We have already seen how foreign-owned platforms can promote, suppress or algorithmically amplify particular viewpoints — sometimes reflecting the preferences of their owners. Control over digital infrastructure therefore extends beyond markets and innovation into something more fundamental: who shapes the public sphere, and on whose terms.”

But there is a way forward

We also present the potential solutions. On these, the picture is much more encouraging. We show that many European governments are learning to collaborate and escape Big Tech, for reasons of economic and political sovereignty. France, Germany, the Netherlands and Denmark are making great strides in reducing dependence on US tech giants. As Lord Clement-Jones writes in his foreword:

“What gives me hope is the evidence assembled here that alternative approaches work. The economic case is overwhelming: open source generates £4 for every £1 invested and has created 2-3% of global GDP. France’s Open Source preference has driven 9-18% annual growth in tech start-ups. The sovereignty case is equally clear: when you control the code, you control your destiny.”

The key is having clear institutional leadership to promote the alternatives to Big Tech, and secondly, by using shared, Open Source technologies the route to Digital Sovereignty. Rather than just asking to “Buy British”, we need to ask, “how do we collaborate with our neighbours and reduce costs for everyone?” There should not be a proprietary “British Office Suite” and a “British Operating System”, owned by some company that may well be bought up by Microsoft, Amazon or Oracle in the future. Rather, Open Source allows multiple partners and governments to develop the tools they need. Indeed, using US companies where useful becomes entirely manageable if the products are Open Source.

These principles can equally apply for cloud providers, and especially for AI, where transparency, control and understanding of the fundamental technology is even more necessary. Europe has made significant investments in commercial and academic AI research and modelling. France has developed methods to control deployment and swapping in and out of AI models.

Stopping Big Tech’s control of social media can be achieved. The powers to open up social media already exist in competition law. Users on BlueSky and Mastodon can switch from providers they do not like, and choose the moderation values that they want. EU users no longer have to use Meta’s WhatsApp to talk to WhatsApp users. Once you can escape Big Tech, without the downsides of losing your networks, any exodus of users will push platforms to think hard about their toxic online environments.

What we believe is needed next is for digital rights, safety and tech accountability campaigners to come together around the opportunities that the growing debate on Digital Sovereignty offers. It is a means to create a wide debate on the nature of our dependence on Big tech, and how we exit coercion and control.

There is growing political interest. Chi Onwurah MP is leading work at the Science and Technology Committee to press for answers. Liberal Democrat, Labour and Green Parliamentarians have kindly provided help with this report. A growing number of MPs that have signed the Parliamentary ‘Early Day Motion’ calling for a Digital Sovereignty strategy, and debates on the topic have highlighted its pressing need during the Cyber Security Bill. It will take political courage to end our digital dependency on powerful companies but the risks of not acting are greater.

Demand UK Digital Sovereignty

Find Out More

Executive Summary

Reclaiming Digital Sovereignty

• Digital Sovereignty is critical for the UK’s economic and national security.
  It is defined as the ability of a country to have control over its digital infrastructure, data, and technology.

• The UK is currently facing a crisis of digital dependency.
  The country is overly reliant on a small number of tech giants for its critical digital infrastructure, which poses significant economic, security, legal, and policy risks, including to democracy and public debate.

• A strategic shift to using and growing the Digital Commons — that is, open technologies — provides the most effective path to Digital Sovereignty.
  This includes shared Open Source software, open standards, and open hardware, which can foster a more competitive and innovative domestic tech sector, reduce costs, and enhance security.

The high cost of digital dependency

In Part I The Digital Sovereignty challenge we find:

• Economic risks.
  The dominance of a few tech giants leads to vendor lock-in, inflated costs for government and businesses, and the extraction of value from the UK economy through tax avoidance and profit repatriation.

• Security risks.
  Reliance on foreign proprietary technology creates vulnerabilities to surveillance, espionage, and cyber attacks. These risks are produced by foreign legal frameworks, which govern both US and Chinese technology companies.

• Surveillance risks.
  The UK is exposed to the extra-territorial jurisdiction of other countries, such as the US Clarifying Lawful Overseas Use of Data (CLOUD) Act and China’s National Intelligence laws, which can compel tech companies to hand over data.

• Policy Risks.
  The immense lobbying power of Big Tech distorts policy-making, leading to weaker regulation, anti-competitive practices, and a centralised, abusive and anti-democratic digital information environment.

The UK’s current position

Part II Current UK policy position shows that:

• The UK lacks a coherent Digital Sovereignty strategy.
  Current policies are designed to reinforce dependency on foreign tech giants.

• The Government’s analysis of the ‘chronic’ risks is classified, precluding public debate of its approach.

• Government IT procurement is dysfunctional.
  It is characterised by a lack of competition, vendor lock-in, and a series of high-profile project failures and cost overruns. Like other areas of government procurement, there is not a functioning market, so government cannot expect good procurement while it is a passive recipient of software services. There is insufficient focus on known solutions to resolving this dysfunction. Solutions include: leadership in development and ownership of custom software; requirements for interoperability; preferencing Open Source; and leveraging competition policy in the cloud market.

• Competition and data protection enforcement have been weakened.
  This invites tech giants to further consolidate their market power and continue to engage in anti-competitive practices. It appears to be a response to dependence, seeking to attract further inward investment that will build economic extraction rather than reduce it.

Digital Sovereignty reduces costs and grows the digital economy

We show in Part III Beyond the UK how other countries are benefiting from prioritising Digital Sovereignty.

• Building the economy.
  Germany, France, Netherlands, Denmark and other European nations are actively pursuing Digital Sovereignty through strategic investments in open technologies and international collaboration.

• International collaboration.
  Provides a model for governments to create and control key technologies for common problems, including in health, data and procurement.

The opportunity of the Digital Commons

• Growing the Digital Commons with Open Source software offers a major opportunity for the UK in modernising critical government systems and strengthening control over public technology infrastructure.

• It can repair the relationship between government and the technology it relies on, by reducing dependence on proprietary vendors and restoring public sector control.

• Greater investment in Open Source can also drive UK economic growth, supporting domestic innovation and a more competitive technology sector.

• Despite underpinning much of the global digital economy, Open Source remains underrecognised in UK government strategy.

• National economies would be 2–3% smaller without Open Source software.

• Open Source is present in over 95% of proprietary software systems, making up around 70% of their codebase on average.

• EU research suggests every £1 invested in Open Source returns around £4 in economic value.

• The Linux Foundation estimates 2–5x return on investment for organisations contributing to Open Source, rising to around 6x for leading contributors.

• France’s government preference for Open Source procurement helped generate 9–18% annual growth in IT startups, while also creating globally valuable Open Source assets.

• In the UK, OpenUK estimates Open Source contributes around £13 billion annually, representing 27% of the technology sector.

• A 2024 Harvard study estimates the global demand-side value of Open Source at $8.8 trillion, noting firms would need to spend 3.5x more on software without it.

• European Commission research suggests a 10% increase in Open Source contributions could add 0.4–0.6% to annual European economic growth.

The way forward: a roadmap to Digital Sovereignty

See Part IV Recommendations for a Digital Sovereignty strategy.

• Embrace the Digital Commons of Open Source: The UK should adopt a “Public Code for Public Money” policy, where software developed for the public sector is made available under an open source license.

• Strengthen competition and regulation: The UK must empower its regulators to challenge the market dominance of tech giants and enforce pro-competitive measures, such as interoperability and data portability.

• Build digital leadership in Government: The UK needs to rebuild its in-house technical expertise to reduce its reliance on external consultants and make smarter procurement decisions.

• Foster international collaboration: The UK should actively participate in international initiatives to develop open standards and digital public goods, and collaborate with other countries on strategic technologies like AI and cloud computing.

Key Recommendations for the UK Government

For the full recommendations, see A Roadmap for Digital Sovereignty.

• Reset UK digital policy to make Digital Sovereignty a central strategic goal.

• Drive competition and effective regulation to create a more level playing field for UK businesses.

• Deliver ‘Public Code for Public Money’ to build a commons of publicly-owned software.

• Invest in the UK’s Open Source ecosystem through procurement, tax incentives and skills development.

• Build digital leadership within government to drive the transition to open technologies.

• Protect democracy by promoting a more diverse and open social media landscape.

Demand UK Digital Sovereignty

Find Out More