R (Delo) v Information Commissioner
| Jurisdiction | England & Wales |
| Neutral Citation | [2022] EWHC 3046 (Admin) |
| Year | 2022 |
| Court | King's Bench Division (Administrative Court) |
2022 Nov 17; Dec 2
Data protection - Enforcement - Complaint - Data subject lodging complaint with Information Commissioner regarding processing of personal data - Whether commissioner obliged to reach conclusive determination on every such complaint - Whether permissible to take no further action -
The claimant made a data subject access request to a financial services company, pursuant to article 15 of Parliament and Council Regulation (EU) No 2016/679F1 as retained following the United Kingdom’s exit from the European Union (“the UK GDPR”). Considering that the company’s response did not comply with its obligations under article 15, the claimant lodged a complaint with the Information Commissioner under article 77 of the UK GDPR. Having received and reviewed the complaint the commissioner decided to take no further action, finding that the scope of the complaint was too widely drawn and that the company was likely to be exempt from giving the disclosure sought. The claimant’s request for reconsideration of that decision was refused. The claimant brought a claim for judicial review, contending that an outcome of no further action on the part of the commissioner was unlawful.
On the claim—
Held, dismissing the claim, that the Information Commissioner’s obligation under article 57(1)(f) of the UK GDPR to investigate “to the extent appropriate” the subject matter of a complaint lodged by a data subject under article 77 of the UK GDPR did not contain an implicit instruction to reach a conclusive determination on each and every complaint; that, rather, article 57(1)(f) gave the commissioner a broad discretion to decide on each complaint what the appropriate extent of the investigation should be and to determine the form of the outcome; that, therefore, it was a lawful exercise of power by the commissioner to decide, after investigating a complaint under article 77, that no further action should be taken on it; that such a construction (i) considered the commissioner’s role and functions and his obligation to exercise his powers consistently with the objective of promoting the observance of the data protection principles by all data users, (ii) considered the commissioner’s task of handling complaints in view of his role and other functions and (iii) recognised that there was nothing to suggest that the legislature had intended to change the previous law about complaints to the commissioner; and that, accordingly, there was no warrant for concluding in the present case that the commissioner had failed as a matter of fact to handle the complaints, or that he had handled them in violation of the law, or that his decision-making process had left out of account material matters, or taken into account irrelevant matters, or was otherwise irrational (post, paras 57, 59–71, 85–87, 143, 146).
The following cases are referred to in the judgment:
Ashby v White (
Cadogan Estates Ltd v Morris [
Data Protection Comr v Facebook Ireland Ltd
Jacobellis v Ohio (
Killock v Information Comr
R v Secretary of State for the Home Department, Ex p Salem [
R (L) v Devon County Council
The following additional cases were cited in argument or referred to in the skeleton arguments:
Hogan v Information Comr [
R v Inland Revenue Comrs, Ex p Mead [
R (B) v Redbridge London Borough Council
R (Glencore Energy UK Ltd) v Revenue and Customs Comrs
R (Lord) v Secretary of State for the Home Department
Secretary of State for Education and Science v Tameside Metropolitan Borough Council [
CLAIM for judicial review
The claimant, Ben Peter Delo, made a subject access request, under article 15 of Parliament and Council Regulation (EU) No 2016/679 (“the UK GDPR”), asking the interested party, Wise Payments Ltd, for a copy of the personal data that it held about him. The interested party provided the claimant with copies of some, but not all, of documents in its possession. On 25 June 2021 the claimant lodged a complaint with the defendant, the Information Commissioner, under article 77 of the UK GDPR asking that the interested party be required to disclose all documents responsive to his request. On 12 October 2021 the commissioner decided to take no action on the claimant’s complaint. On 24 November 2021 the claimant’s request for reconsideration of that decision was refused.
By a claim form issued on 25 February 2022 and pursuant to permission to proceed granted by Richard Clayton QC sitting as a deputy judge of the Queen’s Bench Division on 24 June 2022 the claimant claimed judicial review by way of a declaration that an outcome of no action (or no further action) on the part of the commissioner was unlawful and an order quashing the decision to take no further action on his complaint. The grounds of challenge were that the commissioner had failed to (i) determine the claimant’s complaint, (ii) conduct a lawful investigation of the claimant’s complaint and (iii) take account of relevant considerations; and had proceeded on the basis of insufficient enquiry and had irrationally made a determination on the basis of facts not known to him.
The facts are stated in the judgment, post, paras 1–8, 87–110.
Jason Coppel KC (instructed by
David Bedenham (instructed by
The interested party did not appear and was not represented.
The court took time for consideration.
2 December 2022. MOSTYN J handed down the following judgment.
1 Under the the UK General Data Protection Regulation (“UK GDPR”)
2 I ruled at the start of the hearing that the claimant’s application to quash the commissioner’s decision not to direct disclosure of certain documents by the interested party, had become technically academic by virtue of receipt by the claimant of all of those documents some time previously. I further ruled that it was, nonetheless, in the public interest for the claim to be heard. I said I would give my reasons in this judgment and I do so below.
3 The claim is certainly not academic so far as the commissioner is concerned. If it succeeds it will have huge ramifications as the workload of the Information Commissioner’s Office (“ICO”) will be vastly increased. The resources of the ICO are presently stretched to the limit in dealing with the present workload.
4 The ICO website has a page “What to expect from the ICO when making a data protection complaint”
“What can the ICO do to help me?
• We can consider complaints about the way your information has been handled and whether there has been an infringement of data protection law. We will tell you what we think should happen next. Sometimes this can help to resolve the detail of your complaint but this may not always be the case.
• We can make recommendations to organisations to put things right or to improve their practices when we think it is necessary to do so.
• We will usually ask the organisation to do everything they can to explain how they have handled or processed your personal data as the law expects.
• Where we have significant concerns about an organisations ability to comply with the law, we can take Regulatory action.
“What can’t the ICO do?
• We cannot award compensation like a court or a tribunal …
• We cannot make an organisation apologise to you if things have gone wrong.
“What happens when I submit my complaint to the ICO?
“When you bring your complaint to us and we’ve checked it’s something we can help with—a case officer will be given your complaint to look into.
“The case officer will:
• weigh up the facts of what’s happened, fairly and impartially;
• ask the organisation and you for further information if they think they need it; and
• tell you and the organisation the outcome of our considerations.
“If we think there’s been an infringement of the law, we will usually provide advice so the organisation can take steps to put things right and improve their information rights practices. We deal with most complaints in this way without the need to take further Regulatory action …
“What are the possible outcomes of my complaint?
“Data protection law requires us to investigate a complaint to the extent we feel is appropriate and to inform you of the outcome. Most organisations want to do the right thing and comply with the law.
“There are a number of potential outcomes for a complaint:
• We can find the organisation has acted properly and there is no further work for us.
•
We can record your complaint without taking further action to help us build a picture of how an organisation is complying with the law. • We can tell the organisation to do more work to help resolve your complaint or explain their position more clearly to you. This could mean getting the organisation to provide you with your information or correct any inaccuracies.
•
We can make recommendations to the organisation about how they can improve their information rights practices . This can include asking an organisation to review their policies or procedures, guidance or standards.•
We can take Regulatory action, but this is only in the most serious cases . We do not normally take Regulatory action...
To continue reading
Request your trial
-
Ryan v Data Protection Commission
...it should be recorded that both parties helpfully referred me to the judgment of the High Court of England and Wales in Rex (Delo) v. Information Commissioner [2022] EWHC 3046 (Admin), [2023] 1 WLR 1327. That judgment is under appeal: by coincidence, the appeal was heard the week prior to......