The UK’s Court of Appeal has given a significant ruling concerning the role of the UK data protection regulator the Information Commissioner’s Office (ICO) when a handling a data protection law complaint, deciding in particular that the ICO has broad discretion. This article looks at this latest ruling in brief.
What’s this all about?
The individual in question, Mr. Ben Peter Delo, had an account with the financial institution Wise. The individual made a Subject Access Request to Wise who in response did not provide the individual with much of the personal data that he had requested.
The individual then brought a complaint to the ICO claiming that Wise’s response was not in accordance with his subject access rights. The ICO replied to the individual that it was “likely” that Wise had complied with its obligations, making it clear that no further action would be taken.
The individual then took legal proceedings to the High Court bringing a judicial review claim, arguing that the ICO had failed to discharge a legal duty to determine any such complaint, or, alternatively, had acted unlawfully in failing to investigate further and/or by reaching an unlawful and irrational conclusion.
By the time the judicial review claim came before the High Court the individual had been provided with the personal data he was seeking. The court nevertheless proceeded to deal with the case on the basis that there was a public interest in doing so. The court ruled that the ICO was not obliged to determine the merits of each and every complaint but had a discretion which it had exercised lawfully, and accordingly the court dismissed the claim.
The individual then went to the Court of Appeal which had to determine the following two issues:
- More generally, what are the ICO’s responsibilities, and more particularly, is the ICO obliged to reach a definitive decision on the merits of each and every complaint or does it have a discretion to decide that some other outcome is appropriate?; and,
- If the ICO has such a discretion, did it nonetheless act unlawfully in this case by declining to investigate or declining to determine the merits of the complaint made by the individual in question?
What did the Court of Appeal rule?
The Court of Appeal determined that it was in the public interest for the court to rule on the two issues and ruled as follows:
- “[…]…the most striking point about the language of [Article 57(1)(f) of UK GDPR] is that it does not contain any words that are redolent of decisions on the merits of a complaint. Article 57 does not adopt any of the familiar ways of designating a decision-making function. We are not told that the [ICO] must (for instance) adjudicate, decide, determine, rule upon, or resolve a complaint, or that complaints must be “upheld” or not upheld by the [ICO]. Rather, we are told that the [ICO] must “handle” a complaint. [The ICO] must “investigate the subject-matter of the complaint” but even then only “to the extent appropriate”. [The ICO] must “inform” the complainant of the “progress” of the complaint and its investigation and its “outcome”;
- “[…] the [ICO’s] principal obligations are to address and deal with every complaint by arriving at and informing the complainant of some form of “outcome”, having first investigated the subject matter “to the extent appropriate” in the circumstances of the case”;
- “[…] An “outcome” must be the end point of the [ICO’s] “handling” of a complaint. A conclusive determination or ruling on the merits that brings an end to the complaint is certainly an “outcome” but that word is intended to have broader connotations”;
- Therefore, as regards the first issue, the Court of Appeal upheld the conclusion of the High Court that “[…] the legislative scheme requires the [ICO] to receive and consider a complaint and then provides the [ICO] with a broad discretion as to whether to conduct a further investigation and, if so, to what extent. [Further,] having done that much the [ICO] is entitled to conclude that it is unnecessary to determine whether there has been an infringement but sufficient to reach and express a view about the likelihood that this is so and to take no further action. By doing so the [ICO] discharges [its] duty to inform the complainant of the outcome of their complaint;” and,
- On the second issue, the court ruled that the ICO had acted lawfully (and the High Court had not committed any legal errors either).
Accordingly, the appeal was dismissed.
What are the takeaways?
The main takeaway is that the ICO has broad discretion in how it handles a data protection complaint – this should be factored into expectations when bringing a complaint. Such broad discretion will be of comfort to the ICO but likely less so to complainants. It should not be overlooked however that there is always another possible avenue which is to bring a civil claim before the courts.
We report about data protection issues here https://www.corderycompliance.com/category/data-protection-privacy/.
We report about compliance issues here https://www.corderycompliance.com/news/.
The Court of Appeal’s judgment can be found here: https://www.judiciary.uk/wp-content/uploads/2023/06/Delo-v-The-Information-Commissioner-ewca_civ_2023_1141.pdf.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 347 2365|