EU Regulation 2016/679 - Decision Register

SUPERVISORY AUTHORITY PROFILE / UK ICO

UK ICO Post-Brexit Fines, UK GDPR Enforcement Record

The Information Commissioner's Office enforces the UK GDPR, a separate domestic regime from the EU GDPR since Brexit. Headline cases include British Airways, Marriott, TikTok UK and Clearview AI.

Cumulative UK fines: ~£100M+

Largest fine: £20M (BA 2020)

Max upper-tier fine: £17.5M / 4%

EU adequacy: Granted Jun 2021

Statute: DPA 2018 + UK GDPR

EDUCATIONAL ONLY

This page is a reference summary of a published regulator decision. It is not legal advice. Consult a qualified data protection lawyer for advice on your specific situation. The UK GDPR is a separate regime from the EU GDPR following Brexit. Always read the source decision in full before relying on any figure or quote.

PROFILE

Mandate and constitution

The UK Information Commissioner's Office (ICO) is the independent regulatory authority established under the Data Protection Act 1984 (now superseded by the Data Protection Act 2018). It is responsible for upholding information rights in the public interest, promoting openness by public bodies, and enforcing the Data Protection Act 2018, the UK GDPR, the Privacy and Electronic Communications Regulations 2003 (PECR, the UK implementation of the ePrivacy Directive), the Freedom of Information Act 2000 and several other information-rights statutes. It is headquartered in Wilmslow, Cheshire, with regional offices in Edinburgh, Cardiff and Belfast.

Since the UK's departure from the EU, the ICO is no longer an EU supervisory authority and does not participate in EDPB cooperation as a member. The ICO maintains an observer relationship with the EDPB and active bilateral relationships with EU DPAs, particularly the DPC, BfDI, CNIL and Garante. The Information Commissioner (currently John Edwards, in office since January 2022) leads the ICO; the office is accountable to the UK Parliament through the Department for Science, Innovation and Technology.

Fining philosophy

The ICO's sanctioning approach is shaped by the Notice of Intent procedure under the Data Protection Act 2018. Before issuing a final Monetary Penalty Notice, the ICO must serve a Notice of Intent setting out the proposed sanction and the reasons for it. The controller then has a defined period (28 days, extensible by agreement) to make written representations. The ICO must consider those representations before issuing the final notice. This procedure has, in practice, produced substantial reductions between Notice of Intent and final fine for several large cases, notably British Airways (89% reduction) and Marriott (81% reduction).

The Information Commissioner has stated publicly that the ICO favours a proportionate, behaviourally-effective approach to sanctions, with a preference for corrective action over headline fines where corrective action will achieve the regulatory objective. The ICO also makes substantial use of enforcement notices (orders to do or refrain from doing something) and undertakings (voluntary commitments by controllers) as alternatives to fines, particularly for less serious or first-offence matters.

Headline UK decisions

British Airways (£20M, October 2020, reduced from £183.39M): the largest UK GDPR fine, addressing the 2018 customer-data breach affecting 429,000 customers. An Article 32 inadequate-security infringement.

Marriott International (£18.4M, October 2020, reduced from £99.2M): the Starwood guest-data breach affecting up to 339 million records globally. An Article 32 case that also serves as the reference case on data-protection due diligence in acquisitions.

TikTok UK (£12.7M, April 2023): for unlawful processing of children's personal data, specifically for failing to obtain parental consent for the processing of personal data of children under 13 who were nonetheless allowed to use the platform. Article 8(1) UK GDPR (lawful basis for child processing).

Clearview AI Inc (£7.5M, May 2022): for collecting and processing UK residents' facial-image data without lawful basis, mirroring the parallel EU decisions from the Garante, CNIL and Greek HDPA. The ICO order included deletion of UK-resident data.

Other notable decisions include the Cabinet Office (£500k, 2021) for publishing New Year Honours list addresses; Tuckers Solicitors (£98k, 2022) for inadequate security leading to a ransomware attack; and a steady stream of PECR direct-marketing enforcement against small UK businesses, often in the £50k-£500k range.

UK reforms and the adequacy question

The UK Government has, since Brexit, periodically proposed reforms to the UK GDPR aimed at reducing administrative burden on UK controllers. The Data Protection and Digital Information Bill (introduced in 2022, revised in 2023, lapsed at the May 2024 general election, reintroduced in revised form in 2025) proposes changes including a relaxed legitimate-interests assessment for some processing, a redefined DPIA framework, and changes to the lawful-basis framework for cookies and similar technologies. The reforms have been the subject of detailed engagement with the European Commission to ensure continued EU adequacy.

The EU adequacy decisions for the UK (one under GDPR, one under the Law Enforcement Directive) were adopted on 28 June 2021 and reviewed in 2025. The 2025 review concluded that adequacy continued to apply, subject to monitoring of UK reforms. Any future UK reform that materially weakens the data-protection framework risks triggering an adequacy challenge or non-renewal at the next review cycle, which would create substantial friction for UK-EU data flows.

Recent enforcement trends

The ICO's 2024-2026 enforcement priorities, set out in its ICO25 strategy and updated annually, include children's data (continuing the TikTok UK line, with the Age Appropriate Design Code as the operative framework), AI systems (including LLM training and inference processing), cookies and adtech, employment monitoring, and political-party data processing in election cycles. The Children's Code (Age Appropriate Design Code), enforceable since September 2021, is a distinctively UK contribution to the field and has been influential globally on child-focused platform design.

FREQUENTLY ASKED

About the UK ICO

What is the UK GDPR and how is it different from the EU GDPR?

When the UK left the EU on 31 January 2020 (with the transition period ending 31 December 2020), the EU GDPR ceased to apply directly to the UK. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 incorporated the GDPR into UK domestic law as the 'UK GDPR'. Substantively the UK GDPR and EU GDPR remain very similar, but they are separate legal instruments. Updates to either do not automatically apply to the other.

Do EDPB decisions still bind the ICO?

No. Post-Brexit, EDPB decisions do not bind the ICO and the ICO does not participate in EDPB cooperation as a member. The ICO has observer status in some EDPB forums and maintains close working relationships with the BfDI, CNIL, DPC and others, but formal binding decisions of the EDPB have no legal effect on UK enforcement.

What is the UK GDPR maximum fine?

The UK GDPR maximum fine is denominated in pounds sterling rather than euros. For upper-tier infringements (broadly equivalent to Article 83(5) EU GDPR) the maximum is £17.5 million or 4% of total worldwide annual turnover. For lower-tier infringements (broadly equivalent to Article 83(4)), the maximum is £8.7 million or 2% of turnover.

What are the largest UK fines?

British Airways £20M (October 2020, reduced from £183M Notice of Intent), Marriott £18.4M (October 2020, reduced from £99M), TikTok UK £12.7M (April 2023, for processing children's data without parental consent), Clearview AI £7.5M (May 2022, parallel to EU decisions). The BA fine remains the largest UK enforcement.

Does the UK have adequacy from the EU?

Yes. The European Commission adopted adequacy decisions for the UK (under GDPR and under the Law Enforcement Directive) on 28 June 2021, allowing personal data to continue to flow from the EU to the UK without additional safeguards. The adequacy decisions are subject to four-year review and renewal cycles; the first review concluded in 2025 with a finding that adequacy continued to apply, subject to ongoing monitoring of UK reforms.

What about the proposed UK Data Protection and Digital Information Bill?

The UK Government has periodically proposed reforms to the UK GDPR, most notably through the Data Protection and Digital Information Bill (which lapsed at the May 2024 general election and has been reintroduced in revised form). The reforms aim to reduce administrative burden on UK controllers while preserving EU adequacy. Whether the reforms (if enacted) will affect the EU adequacy review is the subject of ongoing diplomatic engagement.

CROSS-REFERENCES

UK cases and references

ICO case: British Airways £20M (2020). The largest UK GDPR fine. Article 32 with 89% reduction from Notice of Intent.

ICO case: Marriott £18.4M (2020). Data-protection due-diligence in M&A reference. 81% reduction.

Parallel case: Clearview €20M (Italy). Italian counterpart to the ICO Clearview £7.5M decision.

Article 32: Article 32 Security Fines. BA and Marriott are the leading UK Article 32 authorities.

Peer DPA: Irish DPC. Pre-Brexit, the DPC and ICO shared GDPR enforcement. Post-Brexit they are distinct regimes.

Register: Full Decision Register. Browse all major fines by country and year.

SOURCES & CITATIONS

Primary sources

Figures as of May 2026. Verified against published DPA decisions.

REGISTER UPDATED 2026-04-28