.png)
.png)
.png){kind=logo}
By Thomas Kinsella
In December 2024, Hacked Off published an article commenting on Professor David Erdos’ analysis of the Information Commissioner’s Office’s (ICO) first statutory review of journalistic compliance with data protection laws, which followed the enactment of the Data Protection Act 2018 (“DPA 2018”). Prof. Erdos, who is Co-Director of the Intellectual Property and Information Law Centre at the University of Cambridge found the review to be not only to be largely invisible but also manifestly insufficient.
The DPA also required the Department for Culture, Media and Sport (DCMS) to publish reports on the use of alternative dispute resolution systems (“arbitration”) for complaints against the media. This requirement was a critical part of the compromise solution agreed by Parliament in 2018, when Parliamentarians seeking the introduction of minimum standards of accountability for national newspapers were in negotiation with a government determined to honour the interests and wishes of newspaper publishers, who themselves were set against any meaningful form of accountability.
These reports were due in 2021 and 2024. Yet they one was produced a year and a half late and both only became widely accessible after a Freedom of Information request in the summer of 2024. Prof. Erdos has written on Inforrm about the Government’s failure to produce these reports on time and with sufficient detail. He has also commented on the findings which can be gleaned from the limited data they provide. This article summarises his findings.
Firstly, the DPA legislates that the reports should be published on a three-year rotating basis, with the first report published at the end of May 2021, and the second at the end of May 2024. However, the first report suffered from significant delays and was laid before Parliament one and a half years late, following a delay in commissioning the report in the first place. Only a small portion of this delay can be attributed to the pandemic. The May 2024 report was laid on schedule.
The reports can be described as insubstantial at best. Section 179 of the DPA lays out the requirement for the Government to assess the “use” and “effectiveness” of non-broadcast media Alternative Dispute Resolution (ADR) in data protection matters. This notion of effectiveness was explicitly defined during Parliamentary proceedings to include both the number of people taking up the ADR option and the outcomes reached. However, both reports instead considered only the effectiveness of the procedures once they have been used. This therefore led to no analysis of the “take up” that would have been so valuable in understanding the effectiveness of these processes. The result is that each report is under 10 pages in length and lacks the required detail to achieve Parliament’s intended goal.
Finally, the requirement to see that these reports are correctly “published” was also not met. Guidance from Parliament states that the department must ensure that papers are published on gov.uk promptly, and yet as of February 2025 neither report can be found on gov.uk, despite one report claiming it “is available”.
Although the legislation clearly focuses on procedures intended to address actual or alleged failures to comply with data protection law, both reports extended their examination to complaints processes that are arguably only tangentially linked to data protection—namely, code-based complaints to press bodies like IPSO and Impress. At the same time, the statutory mechanism that is entirely concerned with data protection breaches— complaints to the Information Commissioner’s Office (ICO)—was deemed outside the scope of these reports because, while ICO can enforce the law, it does not award individual compensation. Yet, IPSO’s code-based procedure, which also lacks any ability to award compensation, was included.
This bizarre omission is important because it means the reports ignores data on the central body explicitly set up by statute to monitor data protection compliance in journalism (ICO) and instead focus heavily on IPSO’s and Impress’s procedures, which revolve around their own press codes rather than the legal framework. As Erdos argues, if the reports are truly examining how effectively the media handles data protection grievances, it makes little sense to dismiss the one regulator whose entire purpose is the enforcement of data protection law.
Moving beyond Prof. Erdos’ analysis, IPSO is an unreliable organisation. It is controlled by the newspaper industry, and ignores or rejects complaints on grounds that Hacked Off has found to be arbitrary. A January Report from the Press Recognition Panel found that, at most, IPSO investigated a mere 3.82% of the complaints it received between 2018 and 2022. As a result of these problems, their statistics and findings carry little significance.
Despite the limited scope, the statistics provided by the reports still manage to paint a worrying picture. The use of the two arbitration schemes that are specifically designed to deal with data protection breaches remains remarkably low. IPSO saw just six data-protection-related arbitration cases in the first period (2018–2021), dropping to three in the second (2021–2024), with none leading to any formal arbitration outcome. Impress, meanwhile, had one such case in the first period and none in the second.
This lack of data allowed the report to excuse the lack of an effectiveness assessment by claiming the data made this “infeasible”. Once again ignoring that there was explicit reference to “take-up” being a crucial part of examining the effectiveness of these ADR schemes.
In summary, the two statutory reports on Media ADR have consistently failed to deliver on the core aims laid out in Section 179 of the DPA. They were delayed and hidden from public view, neither was effectively publicised, and both contained only rudimentary analysis. Most importantly, they do not meaningfully address the “effectiveness” question at the heart of the legislation. Anyone looking at the woefully low cases received can tell that these systems are not working as intended, and yet these reports have failed to recognise this and carefully examine why this may be.
Further to Prof Erdos’ commentary, it is notable that several Parliamentarians were persuaded to support the Government’s position in 2018 on the basis of the inclusion of this Section in the Bill. They have been misled. In its failure to pursue these matters in the spirit in which they were agreed, the previous Government treated Parliamentary democracy with contempt. It is for the current Government to address this wrong by taking swift and robust action to protect the public from data protection abuses committed by the press.
By submitting your details you agree to receive email updates about the campaign. We will always keep your data safe and you may unsubscribe at any time.
.png)
.png)