BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | ||
England and Wales High Court (Administrative Court) Decisions |
||
You are here: BAILII >> Databases >> England and Wales High Court (Administrative Court) Decisions >> Delo, R (On the Application Of) v Information Commissioner & Anor [2022] EWHC 3046 (Admin) (02 December 2022) URL: http://www.bailii.org/ew/cases/EWHC/Admin/2022/3046.html Cite as: [2022] WLR(D) 486, [2023] 1 WLR 1327, [2022] EWHC 3046 (Admin), [2023] WLR 1327 |
[New search] [Printable PDF version] [View ICLR summary: [2022] WLR(D) 486] [Buy ICLR report: [2023] 1 WLR 1327] [Help]
KING'S BENCH DIVISION
ADMINISTRATIVE COURT
Strand, London, WC2A 2LL |
||
B e f o r e :
____________________
THE KING (on the application of BEN PETER DELO) |
Claimant |
|
- and – |
||
THE INFORMATION COMMISSIONER |
Defendant |
|
-and- |
||
WISE PAYMENTS LIMITED |
Interested Party |
____________________
David Bedenham (instructed by ICO) for the Defendant
The Interested Party was not represented
Hearing date: 17 November 2022
____________________
Crown Copyright ©
Mr Justice Mostyn:
"What can the ICO do to help me?
- We can consider complaints about the way your information has been handled and whether there has been an infringement of data protection law. We will tell you what we think should happen next. Sometimes this can help to resolve the detail of your complaint but this may not always be the case.
- We can make recommendations to organisations to put things right or to improve their practices when we think it is necessary to do so.
- We will usually ask the organisation to do everything they can to explain how they have handled or processed your personal data as the law expects.
- Where we have significant concerns about an organisations ability to comply with the law, we can take Regulatory action.
What can't the ICO do?
- We cannot award compensation like a court or a tribunal. …
- We cannot make an organisation apologise to you if things have gone wrong.
What happens when I submit my complaint to the ICO?
When you bring your complaint to us and we've checked it's something we can help with – a case officer will be given your complaint to look into.
The case officer will:
- weigh up the facts of what's happened, fairly and impartially;
- ask the organisation and you for further information if they think they need it; and
- tell you and the organisation the outcome of our considerations.
If we think there's been an infringement of the law, we will usually provide advice so the organisation can take steps to put things right and improve their information rights practices. We deal with most complaints in this way without the need to take further Regulatory action. …
What are the possible outcomes of my complaint?
Data protection law requires us to investigate a complaint to the extent we feel is appropriate and to inform you of the outcome. Most organisations want to do the right thing and comply with the law.
There are a number of potential outcomes for a complaint:
- We can find the organisation has acted properly and there is no further work for us.
- We can record your complaint without taking further action to help us build a picture of how an organisation is complying with the law.
- We can tell the organisation to do more work to help resolve your complaint or explain their position more clearly to you. This could mean getting the organisation to provide you with your information or correct any inaccuracies.
- We can make recommendations to the organisation about how they can improve their information rights practices. This can include asking an organisation to review their policies or procedures, guidance or standards.
- We can take Regulatory action, but this is only in the most serious cases. We do not normally take Regulatory action for individual complaints as we want organisations to comply with the law without us using our formal powers. It is therefore unlikely we will take Regulatory action as a result of your complaint. However, even if we don't take action, we will keep a record of the complaint to help us to build up a picture of how well an organisation is following the law.
Can the ICO award compensation?
No. The ICO cannot award compensation, even when we give our opinion that an organisation has broken data protection law."
The Council of Europe Convention of 28 January 1981
The Data Protection Act 1984
" General duties of Registrar
(1) It shall be the duty of the Registrar so to perform his functions under this Act as to promote the observance of the data protection principles by data users and persons carrying on computer bureaux.
(2) The Registrar may consider any complaint that any of the data protection principles or any provision of this Act has been or is being contravened and shall do so if the complaint appears to him to raise a matter of substance and to have been made without undue delay by a person directly affected; and where the Registrar considers any such complaint he shall notify the complainant of the result of his consideration and of any action which he proposes to take.
(3) The Registrar shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act and other matters within the scope of his functions under this Act and may give advice to any person as to any of those matters.
(4) It shall be the duty of the Registrar, where he considers it appropriate to do so, to encourage trade associations or other bodies representing data users to prepare, and to disseminate to their members, codes of practice for guidance in complying with the data protection principles.
The Data Protection Directive 95/46/EC
"Whereas increasingly frequent recourse is being had in the Community to the processing of personal data in the various spheres of economic and social activity; whereas the progress made in information technology is making the processing and exchange of such data considerably easier; "
Accordingly Article 1 provided:
"In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data."
" … effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions, [and]
… the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities."
" Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.
Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place."
Article 13 permitted Member States to restrict data protection rights where necessary to protect various interests, including national security, defence and the prevention, investigation, detection and prosecution of criminal offences.
"Article 22
Remedies
Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question.
Article 23
Liability
1. Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.
2. The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.
Article 24
Sanctions
The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive."
The Data Protection Act 1998
"…the office originally established by section 3(1)(a) of the Data Protection Act 1984 as the office of Data Protection Registrar shall continue to exist for the purposes of this Act but shall be known as the office of Data Protection Commissioner;"
" It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers."
"(1) A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of this Act.
(2) On receiving a request under this section, the Commissioner shall make an assessment in such manner as appears to him to be appropriate, unless he has not been supplied with such information as he may reasonably require in order to:
(a) satisfy himself as to the identity of the person making the request, and
(b) enable him to identify the processing in question.
(3) The matters to which the Commissioner may have regard in determining in what manner it is appropriate to make an assessment include:
(a) the extent to which the request appears to him to raise a matter of substance,
(b) any undue delay in making the request, and
(c) whether or not the person making the request is entitled to make an application under section 7 in respect of the personal data in question.
(4) Where the Commissioner has received a request under this section he shall notify the person who made the request:
(a) whether he has made an assessment as a result of the request, and
(b) to the extent that he considers appropriate, having regard in particular to any exemption from section 7 applying in relation to the personal data concerned, of any view formed or action taken as a result of the request."
The UK General Data Protection Regulation ("UK GDPR")
"Where legislation is converted under this section, it is the text of the legislation itself which will form part of domestic legislation. This will include the full text of any EU instrument (including its recitalsFN2).
FN2 Recitals will continue to be interpreted as they were prior to the UK's exit from the EU. They will, as before, be capable of casting light on the interpretation to be given to a legal rule, but they will not themselves have the status of a legal rule[9]."
"(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the 'Charter') and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.
(117) The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. …
(118) The independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review.
(120) Each supervisory authority should be provided with the financial and human resources, premises and infrastructure necessary for the effective performance of their tasks, including those related to mutual assistance and cooperation with other supervisory authorities throughout the Union. Each supervisory authority should have a separate, public annual budget, which may be part of the overall state or national budget.
(122) Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. …. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.
(129) … the supervisory authorities should have … effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. … The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. …
(141) Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.
(143) … Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. ….
"Article 51
Monitoring the application of this Regulation
1. The Commissioner is responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data
Article 57
Tasks
1. Without prejudice to other tasks set out under this Regulation, the Commissioner shall: …
(a) monitor and enforce the application of this Regulation;
(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
(d) promote the awareness of controllers and processors of their obligations under this Regulation;
(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with foreign designated authorities to that end;
(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with a foreign designated authority is necessary …
4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Commissioner may charge a reasonable fee based on administrative costs, or refuse to act on the request. The Commissioner shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Article 58
Powers
1. The Commissioner has all of the following investigative powers: …
(e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks; …"
"Article 77
Right to lodge a complaint with the Commissioner
1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with the Commissioner, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
2. The Commissioner shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.
Article 78
Right to an effective judicial remedy against a supervisory authority
1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of the Commissioner concerning them.
2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the Commissioner does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
Article 79
Right to an effective judicial remedy against a controller or processor
1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation."
i) the role and functions of the Commissioner and his obligation to exercise his functions consistently with the observance objective;
ii) the right of a data subject to complain to the Commissioner;
iii) the nature of a complaint;
iv) the obligations on the Commissioner on receipt of a complaint;
v) the powers of the Commissioner to investigate and dispose of a complaint; and
vi) the right of a data subject to seek a judicial remedy against a controller.
i) where the Commissioner does not inform the data subject within three months on the progress or outcome of the complaint (Recital 141 and Article 78.2);
ii) where the Commissioner takes no action on a complaint (Recital 141 and Article 78.2);
iii) where the Commissioner rejects or dismisses a complaint wholly or partly[10] (Recitals 141 and 143, and Article 78.2); and
iv) where the Commissioner makes a decision on a complaint that produces a binding "legal effect concerning the complainant" (Recital 143 and Article 78.1).
"The exercise of the powers conferred[11] on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter."
Article 148 provided:
"Penalties
… The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process."
"The recognition of a right to a judicial remedy assumes the existence of a strict, and not purely discretionary, power on behalf of the supervisory authorities. In addition, Mr Schrems and the Commission have correctly emphasised that the exercise of an effective judicial remedy implies that the authority that adopts the contested act states to an adequate degree the reasons on which it is based. … To my mind, that obligation to state reasons extends to supervisory authorities' choice to use one or other of the powers conferred on them by Article 58(2) of the GDPR"
To similar effect the Court stated:
"111. In order to handle complaints lodged, Article 58(1) of the GDPR confers extensive investigative powers on each supervisory authority. If a supervisory authority takes the view, following an investigation, that a data subject whose personal data have been transferred to a third country is not afforded an adequate level of protection in that country, it is required, under EU law, to take appropriate action in order to remedy any findings of inadequacy, irrespective of the reason for, or nature of, that inadequacy. To that effect, Article 58(2) of that Regulation lists the various corrective powers which the supervisory authority may adopt.
112. Although the supervisory authority must determine which action is appropriate and necessary and take into consideration all the circumstances of the transfer of personal data in question in that determination, the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence."
"…the supervisory authorities' primary responsibility is to monitor the application of the GDPR and to ensure its enforcement."
Interpretation of Article 57.1(f)
"The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case."
"investigate, to the extent appropriate, the subject matter of the complaint".
i) consider the Commissioner's role and functions and his obligation to exercise his powers consistently with the observance objective;
ii) consider the Commissioner's task to handle complaints in view of his role and other functions;
iii) recognise that there is nothing to suggest that the legislature intended to change the previous law about complaints to the Commissioner[12];
and ask, in their light, if Article 57.1(f) contains an implicit instruction to reach a conclusive determination on each and every complaint made under Article 77.1. In my judgment a purposive interpretation that takes into account all of the above considerations inexorably points to a negative answer to the question.
"…each data subject shall have the right to an effective judicial remedy where the Commissioner does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint."
The Data Protection Act 2018
"The UK GDPR and this Act protect individuals with regard to the processing of personal data, in particular by:
(a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject's consent or another specified basis,
(b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
(c) conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.
"When carrying out functions under the UK GDPR and this Act, the Commissioner must have regard to the importance of securing an appropriate level of protection for personal data, taking account of the interests of data subjects, controllers and others and matters of general public interest."
"(1) The Commissioner is to be the supervisory authority in the United Kingdom for the purposes of Article 51 of the GDPR.
(2) General functions are conferred on the Commissioner by:
(a) Article 57 of the GDPR (tasks), and
(b) Article 58 of the GDPR (powers),
(and see also the Commissioner's duty under section 2).
(3) The Commissioner's functions in relation to the processing of personal data to which the GDPR applies include:
(a) a duty to advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data, and
(b) a power to issue, on the Commissioner's own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data."
It is noteworthy that in subsection (3), Parliament specifically highlighted the advisory and educational role of the Commissioner, thereby emphasising that the exercise of the Commissioner's complaints power under Articles 57.1(f), 57.4, 77.1 and 77.2 is bundled up, and marches hand-in-hand, with these chief functions. In contrast to s.36 of the 1984 Act and s.51 of the 1998 Act these functions are no longer described as "general duties".
"(4) If the Commissioner receives a complaint under subsection (2), the Commissioner must:
(a) take appropriate steps to respond to the complaint,
(b) inform the complainant of the outcome of the complaint,
(c) inform the complainant of the rights under section 166, and
(d) if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint.
(5) The reference in subsection (4)(a) to taking appropriate steps in response to a complaint includes:
(a) investigating the subject matter of the complaint, to the extent appropriate, and
(b) informing the complainant about progress on the complaint, including about whether further investigation or co-ordination with another supervisory authority or foreign designated authority is necessary."
Conclusion on the law generally
This case
"The information is complete to the best of our knowledge […] Please note that some information may have been exempted in accordance with the GDPR and is therefore not subject to disclosure through the Right of Subject Access."
"…may rely on exemptions including, pursuant to the Data Protection Act 2018, schedule 2, part 1, paragraph 2 (crime and taxations) and paragraph 5 (information required to be disclosed by law)…"
to justify withholding disclosure of the Claimant's personal data.
"7.1 The Claimant requests that the ICO reconsider the November Decisions and require Wise: (a) To promptly disclose all documents responsive to the Claimant' DSAR that it has unlawfully withheld, including but not limited to the SARs, documents that explain why the Defendant decided to close the Account on 19 November 2020, and all internal correspondence regarding the Claimant; and (b) If Wise still intends to withhold documents on the basis of an exemption in the DPA, to identify the exemption(s) on which it relies and explain with particularity the basis for such reliance.
7.2 If the ICO does not take the above steps, the Claimant will have no choice but to apply to have the November Decisions judicially reviewed in order to avoid further harm, both to himself and to others. The Claimant will seek an order quashing the November Decisions and a mandatory order directing the ICO to make the decision again in accordance with the court's judgment."
"delivery up of his personal data from the Defendant as required under Article 15 of the GDPR consisting of:
- any internal and/or external documents (including but not limited to correspondence such as letters and emails, notes and minutes) that name the Claimant;
- all information gathered by the Defendant at the time that the Claimant opened the Account in August 2018;
- all information naming the Claimant and relating to the Defendant's decision to terminate the Account without notice;
- all diligence reports concerning the Claimant and which contain his personal information;
- copies of SAR1, SAR2 and SAR3;
- copies of correspondence between the Defendant and any third parties, including the NCA, that concern the Claimant; and
- any and all other information held by the Defendant about the Claimant.
and damages for foregone interest."
"(i) a quashing order, quashing the Decision;
(ii) a mandatory order requiring the Commissioner to reopen its investigation into the Claimant's complaint; alternatively
(iii) a mandatory order, requiring the Commissioner to re-take the Decision."
"The Claimant seeks a declaration [that the Decision of 24 November 2021 was unlawful], and also an order quashing the Decision, in order to recognise the illegality which he has established. He does not seek mandatory relief requiring the Commissioner to re-open his investigation, given that he has now received direct from Wise the information which he would expect to receive at the conclusion of a re-opened investigation which led to a determination in his favour."
Two preliminary points
Academic claim
i) the court has a discretion to hear an academic application in the public law field but not otherwise;
ii) an application will be academic when there is no longer a lis to be decided which will directly affect the rights and obligations of the parties inter se;
iii) the Court should exercise the discretion with caution; and
iv) it should only hear such an application where there is a good reason in the public interest to do so.
"This seems to me to be an application of the well known elephant test. It is difficult to describe, but you know it when you see it."[15]
Section 166 of the Data Protection Act 2018
"(1) This section applies where, after a data subject makes a complaint under section 165 or Article 77 of the UK GDPR, the Commissioner:
(a) fails to take appropriate steps to respond to the complaint,
(b) fails to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or
(c) if the Commissioner's consideration of the complaint is not concluded during that period, fails to provide the complainant with such information during a subsequent period of 3 months.
(2) The Tribunal may, on an application by the data subject, make an order requiring the Commissioner:
(a) to take appropriate steps to respond to the complaint, or
(b) to inform the complainant of progress on the complaint, or of the outcome of the complaint, within a period specified in the order.
(3) An order under subsection (2)(a) may require the Commissioner:
(a) to take steps specified in the order;
(b) to conclude an investigation, or take a specified step, within a period specified in the order.
(4) Section 165(5) applies for the purposes of subsections (1)(a) and (2)(a) as it applies for the purposes of section 165(4)(a)."
"(5) The reference in subsection (4)(a) to taking appropriate steps in response to a complaint includes:
(a) investigating the subject matter of the complaint, to the extent appropriate, and
(b) informing the complainant about progress on the complaint, including about whether further investigation or co-ordination with a foreign designated authority is necessary."
"The remedy in s.166 is limited to the mischiefs identified in s.166(1). We agree with Judge Wikeley's conclusion in Leighton (No 2) that those are all procedural failings. They are (in broad summary) the failure to respond appropriately to a complaint, the failure to provide timely information in relation to a complaint and the failure to provide a timely complaint outcome. We do not need to go further by characterising s.166 as a "remedy for inaction" which we regard as an unnecessary gloss on the statutory provision. It is plain from the statutory words that, on an application under s.166, the Tribunal will not be concerned and has no power to deal with the merits of the complaint or its outcome. We reach this conclusion on the plain and ordinary meaning of the statutory language but it is supported by the Explanatory Notes to the Act which regard the s.166 remedy as reflecting the provisions of Article 78(2) which are procedural. Any attempt by a party to divert a Tribunal from the procedural failings listed in s.166 towards a decision on the merits of the complaint must be firmly resisted by Tribunals"
"Moreover, s.166 is a forward-looking provision, concerned with remedying ongoing procedural defects that stand in the way of the timely resolution of a complaint. The Tribunal is tasked with specifying appropriate "steps to respond" and not with assessing the appropriateness of a response that has already been given (which would raise substantial Regulatory questions susceptible only to the supervision of the High Court). It will do so in the context of securing the progress of the complaint in question. We do not rule out circumstances in which a complainant, having received an outcome to his or her complaint under s.165(b) (sic, semble s.165(4)(b)), may ask the Tribunal to wind back the clock and to make an order for an appropriate step to be taken in response to the complaint under s.166(2)(a). However, should that happen, the Tribunal will cast a critical eye to assure itself that the complainant is not using the s.166 process to achieve a different complaint outcome."
"The Claimant's challenge is not that the Commissioner's substantive decision was wrong on its merits but rather that the Commissioner failed to adequately determine the complaint (i.e. failed to take appropriate steps to respond to the complaint). That is a procedural failing of the sort where the appropriate forum for redress is the Tribunal by way of an application pursuant to section 166(2). The Claimant's complaint is that the Commissioner should have approached Wise for further information and that the Commissioner should have reached a concluded view on whether Wise had complied with its data protection obligations. The Claimant could, pursuant to s 166 DPA 2018, have asked the Tribunal to require the Commissioner to take those steps."
The Claimant's claim
i) Ground 1: The Commissioner failed to determine the Claimant's complaint.
ii) Ground 2: The Commissioner failed to conduct a lawful investigation of the Claimant's complaint.
iii) Ground 3: The Commissioner failed to take account of relevant considerations, proceeded on the basis of insufficient enquiry and irrationally made a determination on the basis of facts not known to him.
"The ICO provides guidance to organisations on the use of exemptions. You believe that a Suspicious Activity Report was completed by TransferWise but that details of this have not been provided as they have used the crime and taxation exemption under the prevention or detection of crime. Our guidance states that an organisation needs to judge whether complying with the SAR would prejudice the purpose of the document. They are satisfied that they have done this and there is no requirement for them to explain the exemption used to an individual.
Although TransferWise would be required to provide details of any document regarding the decision to close Mr Delo's account if it contained his personal data, they would again need to judge whether disclosure of such would prejudice the reasons for the decision. Again, they are also not required to state and explain the exemption if it would prejudice the purpose of the data/document.
There is no evidence to suggest that TransferWise have a blanket approach as they appear to have made a decision based on the information on this particular SAR and also confirmed on 8 February 2021 that they had revisited their decision. Also, if they have made a considered judgement not to provide this data using the exemptions mentioned above, they would also be unlikely to agree to provide them confidentially to Mr Delo's advisors as you suggest."
"Having reviewed the correspondence provided, in our view it is likely that TransferWise have complied with their data protection obligations."
i) he received and reviewed the complaint and the attached correspondence;
ii) having regard to that information, and to his view that he should be concentrating on those cases which he believes gives the most opportunity to improve the practices of organisations which process data, he formed the view that this was not a case where further investigation was necessary;
iii) that was the decision he reached as to the appropriate extent that investigation was necessary;
iv) in consequence the outcome decision of 12 October 2021, as detailed above, was then reached;
v) that was reviewed, but the same outcome decision was reached on 24 November 2021;
vi) in accordance with his duties, he then informed the Claimant of the outcome namely that no further action would be taken by the ICO against Wise.
Note 1 See [39] below for the origin and explanation of the acronym UK GDPR [Back] Note 2 The official title of the Commissioner was changed from the “Data Protection Commissioner” to the “Information Commissioner” by s.18 of the Freedom of Information Act 2000. [Back] Note 3 John Edwards began his term as UK Information Commissioner on 3 January 2022, replacing Elizabeth Denham CBE. When referring to the Commissioner and his role, functions, powers and duties in this judgment I will therefore use male pronouns. Otherwise, I will use plural pronouns in the form “they/their” rather than single pronouns in the form “s/he” and “his or her”, even when the governing verb is in the singular. [Back] Note 4 https://ico.org.uk/make-a-complaint/data-protection-complaints/what-to-expect/ [Back] Note 5 Under the UK GDPR a natural person in relation to whom data exists is called a “data subject”. A body which, or a person who, keeps such data is called a “data controller” and a “data processor” where the data is used by the controller. When a data subject wants to know what data a controller has about them, a request for “access” to such data is made. [Back] Note 6 A typical staff member might work on complaints in a day for 6 hours (allowing for breaks and doing other things) for 35 weeks in a year (allowing for gaps for sickness, turnover etc), giving around 1,050 hours of work on complaints each year. So 140 staff would do around 147,000 hours of complaints work, meaning that each closed complaint must have taken on average only about 4.74 hours to deal with from start to finish. [Back] Note 7 Recital 120 states: “…each supervisory authority should be provided with the financial and human resources, premises and infrastructure necessary for the effective performance of their tasks.” [Back] Note 8 All emphases of text from legislation quoted in this judgment are mine. [Back] Note 9 https://www.legislation.gov.uk/ukpga/2018/16/notes/division/19/index.htm [Back] Note 10 The right to an effective judicial remedy where the Commissioner has rejected or dismissed a complaint wholly or partly is provided for in each of Recitals 141 and 143. [Back] Note 11 Article 58 contains a lengthy list of investigative, corrective, and authorisation and advisory powers. [Back] Note 12 The UK GDPR is a codifying, consolidating and updating measure. Under Lord Herschell’s rule where there is doubt as to the meaning of the words in such a measure there is a presumption that the legislator did not intend to change the law and in applying that presumption recourse may be had to the earlier legislation (see Bennion, Bailey and Norbury on Statutory Interpretation, 8th edition 2020 LexisNexis at 24.7). [Back] Note 13 I consider the first and third situations to be effectively tautological. [Back] Note 14 Although s.165(1) refers to complaints being made under Article 57 as well as Article 77, I think that it is only under Article 77.1 that a complaint can actually be made. Article 57.1(f) is not a vehicle for making a complaint, but rather the place where the key instructions are laid out for dealing with a complaint once made. See [44] above. [Back] Note 15 See also Jacobellis v Ohio (1964) 378 U.S. 184 per Potter J from where the “I know it when I see it” technique appears to originate. [Back]