No merits accountability when the ICO declines to enforce
Section 166 DPA 2018 lets complainants ask the First-tier Tribunal only to fix procedural failings, not to review the outcome; the Court of Appeal in R (Delo) v ICO confirmed the Commissioner need not determine every complaint. Judicial review is expensive and deferential. This is how the ICO's own 2019 finding that real-time bidding systemically breaches UK GDPR could end in closed complaints (Killock & Veale) and zero RTB enforcement seven years on, while its 2026 tracking strategy focuses on cookie banners and accommodates consent-or-pay.
A regulator whose inaction cannot be appealed on the merits faces asymmetric incentives: enforcement risks appeals from deep-pocketed firms, inaction risks nothing. The adtech failure shows the result: documented unlawfulness at population scale with no remedy.
Statutory duty to determine complaints within deadlines plus a merits appeal to the First-tier Tribunal against ICO complaint outcomes, mirroring the FOI s50 decision-notice model.
// State-led: Instrument: statutory complaint deadlines plus First-tier Tribunal merits appeal.
Regulator inaction is unappealable on the merits, letting documented population-scale adtech unlawfulness go unremedied; the FOI decision-notice model is copyable, but the fix needs legislation with no dated trigger.