ICO Complaint vs Court Data Protection Claim
Comparing a complaint to the Information Commissioner's Office with bringing a claim in court for a data protection breach.
Overview
When your personal data has been misused, you have two formal routes: a complaint to the Information Commissioner's Office (ICO) under Article 77 of the UK GDPR, or a civil claim for compensation and/or injunctive relief under Article 82 UK GDPR and s.168 Data Protection Act 2018. The ICO is a regulator, not a compensation body — it can impose significant fines on organisations but cannot award you money. Only a court can do that.
Side-by-Side Comparison
ICO Complaint
Pros
- Free and accessible — no legal knowledge needed
- ICO can exercise significant enforcement powers against the organisation
- Outcome can benefit others in the same position, not just you
- ICO may compel the organisation to provide information you need to bring a civil claim
Cons
- ICO cannot award you compensation — regulatory fines go to the government, not to you
- ICO has discretion whether to investigate — it may decline if the complaint is not a priority
- ICO investigations can be slow (many months)
- Outcome may be a reprimand or informal undertaking, not a fine
Best For
Cases where you want the organisation to stop unlawful processing, change its practices, or be held accountable; complaints about systemic data breaches affecting many people.
Court Claim (Article 82 UK GDPR)
Pros
- Financial compensation is available — including for distress alone (Vidal-Hall v Google [2015] EWCA)
- Injunctive relief can be obtained — compelling the organisation to erase data, cease processing, etc.
- No need to go to the ICO first — you can go straight to court
- Standard of proof is balance of probabilities
Cons
- Court fees apply; risk of adverse costs order above small claims threshold
- You must prove causation — that the breach caused you the damage claimed
- Article 82 UK GDPR provides a defence if the controller was not at fault
- Legal representation is likely needed for cases of significant value
Best For
Cases where you have suffered quantifiable financial loss or significant distress; cases where the organisation has refused to comply with your rights (e.g. ignoring a DSAR).
Key Differences
Our Recommendation
Complain to the ICO if you want the organisation to change its behaviour or be held to account by a regulator. Go to court if you want compensation. The two routes can be pursued in parallel — the ICO route does not stop the clock on the 6-year limitation period for civil claims. A favourable ICO decision can significantly assist a subsequent court claim. For significant data breaches (e.g. exposure of sensitive health or financial data), specialist data protection solicitors often offer CFA funding.