Royal Courts of Justice
Strand, London, WC2A 2LL
Before :
MR JUSTICE MOSTYN
Between :
THE KING (on the application of BEN PETER DELO) | Claimant |
- and – | |
THE INFORMATION COMMISSIONER -and- WISE PAYMENTS LIMITED | Defendant Interested Party |
Jason Coppel KC (instructed by Pallas Partners LLP) for the Claimant
David Bedenham (instructed by ICO) for the Defendant
The Interested Party was not represented
Hearing date: 17 November 2022
Approved Judgment
Mr Justice Mostyn:
Under the UK GDPR (Footnote: 1) is the Commissioner (Footnote: 2) obliged to investigate and reach a final conclusion on each and every complaint made to him (Footnote: 3)?
I ruled at the start of the hearing that the Claimant’s application to quash the Commissioner’s decision not to direct disclosure of certain documents by the Interested Party, had become technically academic by virtue of receipt by the Claimant of all of those documents some time previously. I further ruled that it was, nonetheless, in the public interest for the claim to be heard. I said I would give my reasons in this judgment and I do so below.
The claim is certainly not academic so far as the Commissioner is concerned. If it succeeds it will have huge ramifications as the workload of the Information Commissioner’s Office (“ICO”) will be vastly increased. The resources of the ICO are presently stretched to the limit in dealing with the present workload.
The ICO website has a page “What to expect from the ICO when making a data protection complaint” (Footnote: 4). It says:
“What can the ICO do to help me?
• We can consider complaints about the way your information has been handled and whether there has been an infringement of data protection law. We will tell you what we think should happen next. Sometimes this can help to resolve the detail of your complaint but this may not always be the case.
• We can make recommendations to organisations to put things right or to improve their practices when we think it is necessary to do so.
• We will usually ask the organisation to do everything they can to explain how they have handled or processed your personal data as the law expects.
• Where we have significant concerns about an organisations ability to comply with the law, we can take Regulatory action.
What can't the ICO do?
• We cannot award compensation like a court or a tribunal. …
• We cannot make an organisation apologise to you if things have gone wrong.
What happens when I submit my complaint to the ICO?
When you bring your complaint to us and we’ve checked it’s something we can help with – a case officer will be given your complaint to look into.
The case officer will:
• weigh up the facts of what’s happened, fairly and impartially;
• ask the organisation and you for further information if they think they need it; and
• tell you and the organisation the outcome of our considerations.
If we think there’s been an infringement of the law, we will usually provide advice so the organisation can take steps to put things right and improve their information rights practices. We deal with most complaints in this way without the need to take further Regulatory action. …
What are the possible outcomes of my complaint?
Data protection law requires us to investigate a complaint to the extent we feel is appropriate and to inform you of the outcome. Most organisations want to do the right thing and comply with the law.
There are a number of potential outcomes for a complaint:
• We can find the organisation has acted properly and there is no further work for us.
• We can record your complaint without taking further action to help us build a picture of how an organisation is complying with the law.
• We can tell the organisation to do more work to help resolve your complaint or explain their position more clearly to you. This could mean getting the organisation to provide you with your information or correct any inaccuracies.
• We can make recommendations to the organisation about how they can improve their information rights practices. This can include asking an organisation to review their policies or procedures, guidance or standards.
• We can take Regulatory action, but this is only in the most serious cases. We do not normally take Regulatory action for individual complaints as we want organisations to comply with the law without us using our formal powers. It is therefore unlikely we will take Regulatory action as a result of your complaint. However, even if we don’t take action, we will keep a record of the complaint to help us to build up a picture of how well an organisation is following the law.
Can the ICO award compensation?
No. The ICO cannot award compensation, even when we give our opinion that an organisation has broken data protection law.”
The Claimant says that the possible outcome which I have highlighted (“We can record your complaint without taking further action to help us build a picture of how an organisation is complying with the law”) is unlawful, and seeks not merely a declaration to that effect but an order quashing the Commissioner’s decision to take no further action on his complaint.
The Commissioner says that such an outcome is not only lawful but critically necessary as an option. In 2020/21 the ICO received 36,607 new complaints of which 46% related to access issues by data subjects. (Footnote: 5) It has 140 staff devoted to the task of handling complaints who managed to close 31,055 of them. On average only about 4¾ hours’ work was given to each closed complaint (Footnote: 6). If it had to investigate every complaint fully and reach a final conclusion on each and every one, the delays in dealing with, and the pressure imposed on the workload would become extreme and take the system to breaking point, if not beyond.
That is no doubt a problem, but it is a political problem and not one for this court to resolve. If the law is that the Commissioner must investigate and reach a final conclusion on each and every complaint made to him, then Recital 120 of the UK GDPR requires the government to provide the necessary human resources, premises and infrastructure for the ICO to do so (Footnote: 7).
I therefore turn to the question. In order to answer it, I first consider the history of the role and functions of the office of the Commissioner and his predecessors. Lord Acton’s aphorisms about history include: “the value of history is certainty - against which opinion is broken up”. In my opinion, the history of the data protection system gives with certainty an illumination of the meanings of the relevant provisions of the UK GDPR (Footnote: 8).
The Council of Europe Convention of 28 January 1981
The origin of the data protection system generally, and of the office of the Commissioner in particular, can be traced to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with Regard to Automatic Processing of Personal Data. It is interesting that even then, before the advent of the personal computer, let alone smartphones, there were sufficient concerns about the misuse of personal data for an international treaty about it to be formulated. Article 4 imposed an obligation on the signatories to take the necessary measures in its domestic law to give effect to the basic principles for data protection set out in the Convention.
The Data Protection Act 1984 gave domestic effect to these treaty obligations. Section 2(1) granted a data subject the right of access to data held by controllers. Sections 21(8) and 25(1) gave the High Court or County Court power to enforce the right of access.
Section 3(1)(a) created an officer known as the Data Protection Registrar. Section 3(1)(b) created the Data Protection Tribunal.
Section 36 provided:
“ General duties of Registrar
(1) It shall be the duty of the Registrar so to perform his functions under this Act as to promote the observance of the data protection principles by data users and persons carrying on computer bureaux.
(2) The Registrar may consider any complaint that any of the data protection principles or any provision of this Act has been or is being contravened and shall do so if the complaint appears to him to raise a matter of substance and to have been made without undue delay by a person directly affected; and where the Registrar considers any such complaint he shall notify the complainant of the result of his consideration and of any action which he proposes to take.
(3) The Registrar shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act and other matters within the scope of his functions under this Act and may give advice to any person as to any of those matters.
(4) It shall be the duty of the Registrar, where he considers it appropriate to do so, to encourage trade associations or other bodies representing data users to prepare, and to disseminate to their members, codes of practice for guidance in complying with the data protection principles.
Under s.36(1) the first duty of the Registrar was to promote the observance of the data protection principles by users and controllers. That was an all-encompassing general duty requiring the Registrar to exercise his functions consistently with that objective (“the observance objective”).
Section 36 then goes on to identify three specific duties to be performed by the Registrar consistently with the observance objective, namely handling complaints (s.36(2)); disseminating to the public information about the operation of the Act and of the Registrar’s role (s.36(3)); and encouraging bodies representing data users to promulgate codes of practice (s.36(4)).
In my opinion it is vital when examining the present role and functions of the Commissioner to understand clearly what the general duties of his predecessors were. Those duties - educating the public, encouraging representative bodies, and considering complaints - were bundled together and all had to be performed consistently with the observance objective.
Section 36(2) was carefully drafted. The Registrar was given a discretion to “consider” any complaint alleging that any of the data protection principles were being breached. If he exercised his discretion in favour of considering a complaint and it appeared to him to raise “a matter of substance” then he had a duty to reach a decision expressing the “result of his consideration and of any action which he proposes to take”.
This language makes clear that the Registrar’s duty was to do no more than to “consider” a complaint of substance. The consideration had to lead to “a result”. What that result could be, and what action might flow from it, was left entirely to the Registrar’s discretion. The exercise of that discretion would unquestionably take into account the ability of the data subject to apply to the court to enforce his right of access to their data.
In argument, Mr Coppel KC accepted in response to a question from me that the right to make a complaint given to data users, and the power vested in the Registrar to deal with complaints, was therefore not quasi-judicial. In my opinion, it was not the type of right which fell within the celebrated principle of Holt CJ in Ashby v White (1702) 2 Ld Raymond 938 that where there is a right there must be a remedy. It was not a determination of the complainant’s civil rights in the sense used in Article 6 of the European Convention of Human Rights. Section 36(2) did no more than to enable a complainant to facilitate the Registrar to take such action as he thought fit to secure the observance objective.
No case law was drawn to my attention concerning the scope of the Registrar’s duty under s.36(2).
In my judgment, the role of the Registrar when considering a complaint of substance under s.36 was to reach a conclusion consistent with the duty to secure the observance objective. The resolution of complaints was a function bundled up with the Registrar’s educational and advisory functions. These functions marched together hand-in-hand.
The Data Protection Directive 95/46/EC
In October 1995 the EU promulgated the Data Protection Directive 95/46/EC. By then the technology for creating, storing and processing data had progressed in leaps and bounds. Recital 4 recorded:
“Whereas increasingly frequent recourse is being had in the Community to the processing of personal data in the various spheres of economic and social activity; whereas the progress made in information technology is making the processing and exchange of such data considerably easier; ”
Accordingly Article 1 provided:
“In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”
Chapter VI concerned the supervisory authority. Article 28 required member states to provide at least one completely independent public authority to monitor the application of the directive. The authority’s powers were to include:
“ … effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions, [and]
… the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.”
Further, under Article 28.4:
“ Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.
Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.”
Article 13 permitted Member States to restrict data protection rights where necessary to protect various interests, including national security, defence and the prevention, investigation, detection and prosecution of criminal offences.
Chapter III dealt with Judicial Remedies, Liability and Sanctions. It provided:
“Article 22
Remedies
Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question.
Article 23
Liability
1. Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.
2. The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.
Article 24
Sanctions
The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.”
Therefore, each member state had to provide a process by which the supervisory authority would hear complaints and deliver an outcome (Article 28.4). How such complaints should be dealt with, and what the outcomes might be, were left entirely to the member state (ibid). The process could be entirely administrative (Article 22). In contrast, member states had to provide for a judicial process to determine any claim for a breach of data protection rights (ibid). Compensation could only be awarded in such a judicial process (Article 23).
Again, it can be seen that the right to bring complaints to, and the power to entertain such complaints by, the supervisory authority was not intended to be a quasi-judicial process.
The directive was incorporated into domestic law by the Data Protection Act 1998. By s. 6(1):
“…the office originally established by section 3(1)(a) of the Data Protection Act 1984 as the office of Data Protection Registrar shall continue to exist for the purposes of this Act but shall be known as the office of Data Protection Commissioner;”
In similar fashion to s.36 of the 1984 Act, s.51 was headed “General duties of Registrar”, and then sets out a list of such duties. Section 51(1) stated:
“ It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers.”
Again, this was an all-encompassing general duty (indeed it was the only obligation in the list described explicitly as a “duty”) requiring the Registrar to exercise his functions to secure the same objective as before, namely the promotion of observance of data protection principles by data users, controllers and processors.
Section 51(2) - (6) restated in similar terms to those in s. 36(3) and (4) of the 1984 Act the key educational and advisory functions of the Commissioner.
But the duty to consider a complaint under s.36(2) of the 1984 Act was removed from the list of general duties of the Registrar under s.51 of the new Act.
Instead, the opportunity to make a complaint, and the duty of the Registrar to consider it, was replaced by a facility to make a “request for assessment” under s.42 of the new Act. This provided:
“(1) A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of this Act.
(2) On receiving a request under this section, the Commissioner shall make an assessment in such manner as appears to him to be appropriate, unless he has not been supplied with such information as he may reasonably require in order to:
(a) satisfy himself as to the identity of the person making the request, and
(b) enable him to identify the processing in question.
(3) The matters to which the Commissioner may have regard in determining in what manner it is appropriate to make an assessment include:
(a) the extent to which the request appears to him to raise a matter of substance,
(b) any undue delay in making the request, and
(c) whether or not the person making the request is entitled to make an application under section 7 in respect of the personal data in question.
(4) Where the Commissioner has received a request under this section he shall notify the person who made the request:
(a) whether he has made an assessment as a result of the request, and
(b) to the extent that he considers appropriate, having regard in particular to any exemption from section 7 applying in relation to the personal data concerned, of any view formed or action taken as a result of the request.”
Section 7(1) provided the now familiar right of an individual to apply to a data controller for access to his or her personal data. Sections 7(9) and 15 gave the High Court or County Court power to enforce the right of access. Sections 27 - 39 set out the exemptions to the right of access.
The effect of this relabelling and rearranging was to make clear that the Act separately provided for judicial remedies on the one hand, and, on the other, the much more limited “request for an assessment” by the Commissioner in s. 42. The provision of these two separate and very different remedies leads me to the clear view that the Commissioner would not be exercising a quasi-judicial function where a data subject elected to go down the path of a “request for assessment”.
This view is fortified by the terms of s.42(2), (3)(c) and (4)(b) which taken together give the Commissioner a seemingly absolute discretion to make an assessment in such manner as appeared to him to be appropriate, having regard to the substance of the subject matter of the request, and the right of the individual to obtain redress from the data controller under section 7.
The way in which the facility to make a complaint was redesignated in the 1998 Act reinforces my view that the complaints procedure is to be seen as a non-quasi-judicial function to be exercised consistently with the observance objective. To be sure, the right to make a complaint might trigger serious enforcement action against the data controller, but this does not alter my view of the nature of the “right” given to a putative complainant.
It is clear that the discretion vested in the Commissioner allowed him to give a request for assessment a light-touch, summary consideration and to decide to take no further action. Section 42(3)(c) implies that such a decision would be particularly apt where the objective of the complaint was to secure access to data but where the complainant had not exercised the right to seek a court order to that end. To deal with the request in that way would have been completely compliant with Article 28.4.
No case law was drawn to my attention concerning the scope of the Registrar’s powers under s.42.
The UK General Data Protection Regulation (“UK GDPR”)
On 27 April 2016 the EU issued the GDPR (Regulation (EU) 2016/679). It took effect on 25 May 2018. Following Brexit it was retained as part of the law of all parts of the United Kingdom by virtue of s.3 of the European Union (Withdrawal) Act 2018. Paragraph 83 of the Explanatory Notes to the Act states that:
“Where legislation is converted under this section, it is the text of the legislation itself which will form part of domestic legislation. This will include the full text of any EU instrument (including its recitalsFN2).
FN2 Recitals will continue to be interpreted as they were prior to the UK’s exit from the EU. They will, as before, be capable of casting light on the interpretation to be given to a legal rule, but they will not themselves have the status of a legal rule (Footnote: 9).”
The EU GDPR has since been amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019 No 419). The amendments do not materially alter the provisions of the Articles with which I am concerned (save for the removal of Article 58.4 which I discuss at [50] below), and do not alter any of the Recitals. However, the passages quoted below are from the retained amended version described as the UK GDPR in Regulation 2 of those Regulations. It is this amended version that governs the case before me.
Mr Coppel KC, leading counsel for the Claimant, and Mr Bedenham, counsel for the Defendant, have drawn my attention to the following recitals:
“(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.
(117) The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. …
(118) The independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review.
(120) Each supervisory authority should be provided with the financial and human resources, premises and infrastructure necessary for the effective performance of their tasks, including those related to mutual assistance and cooperation with other supervisory authorities throughout the Union. Each supervisory authority should have a separate, public annual budget, which may be part of the overall state or national budget.
(122) Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. …. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.
(129) … the supervisory authorities should have … effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. … The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. …
(141) Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.
(143) … Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. ….
I was then referred to Chapter VI, Section 1 which concerns the independent status of the Commissioner. I was taken to the following Articles:
“Article 51
Monitoring the application of this Regulation
1. The Commissioner is responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data
Article 57
Tasks
1. Without prejudice to other tasks set out under this Regulation, the Commissioner shall: …
(a) monitor and enforce the application of this Regulation;
(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
(d) promote the awareness of controllers and processors of their obligations under this Regulation;
(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with foreign designated authorities to that end;
(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with a foreign designated authority is necessary …
4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Commissioner may charge a reasonable fee based on administrative costs, or refuse to act on the request. The Commissioner shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Article 58
Powers
1. The Commissioner has all of the following investigative powers: …
(e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks; …”
I was then taken to Chapter VIII, headed “Remedies, liability and penalties” where I was shown the following Articles:
“Article 77
Right to lodge a complaint with the Commissioner
1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with the Commissioner, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
2. The Commissioner shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.
Article 78
Right to an effective judicial remedy against a supervisory authority
1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of the Commissioner concerning them.
2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the Commissioner does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
Article 79
Right to an effective judicial remedy against a controller or processor
1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.”
The right to make a complaint is contained in Article 77.1. Articles 57.1(f), 57.4 and 77.2 give the Commissioner instructions about how he can and should deal with a complaint when made.
Although there is a lot more detail, I cannot see that there is any material difference to what went before in relation to:
the role and functions of the Commissioner and his obligation to exercise his functions consistently with the observance objective;
the right of a data subject to complain to the Commissioner;
the nature of a complaint;
the obligations on the Commissioner on receipt of a complaint;
the powers of the Commissioner to investigate and dispose of a complaint; and
the right of a data subject to seek a judicial remedy against a controller.
The main difference, so far as I can tell, is that pursuant to Recitals 141 and 143, and Article 78, a data subject is now given the right to “an effective judicial remedy” in relation to the Commissioner’s treatment of a complaint in four scenarios viz:
where the Commissioner does not inform the data subject within three months on the progress or outcome of the complaint (Recital 141 and Article 78.2);
where the Commissioner takes no action on a complaint (Recital 141 and Article 78.2);
where the Commissioner rejects or dismisses a complaint wholly or partly (Footnote: 10) (Recitals 141 and 143, and Article 78.2); and
where the Commissioner makes a decision on a complaint that produces a binding “legal effect concerning the complainant” (Recital 143 and Article 78.1).
I explain below at [128] that s.166 of the Data Protection Act 2018 supplies the effective judicial remedy in the first scenario. I explain at [131] that judicial review supplies the effective judicial remedy in the remaining scenarios.
It is submitted by Mr Coppel KC that the meaning of an “effective judicial remedy” is elucidated by the case-law on the same phrase in Article 58.4 of the original EU GDPR. This stated that:
“The exercise of the powers conferred (Footnote: 11) on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.”
Article 148 provided:
“Penalties
… The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.”
Article 58.4 was considered by the Court of Justice in Data Protection Commissioner v Facebook Ireland Ltd [2021] 1 WLR 751. In his opinion at [151] Advocate General H Saugmandsgaard Ǿe wrote:
“The recognition of a right to a judicial remedy assumes the existence of a strict, and not purely discretionary, power on behalf of the supervisory authorities. In addition, Mr Schrems and the Commission have correctly emphasised that the exercise of an effective judicial remedy implies that the authority that adopts the contested act states to an adequate degree the reasons on which it is based. … To my mind, that obligation to state reasons extends to supervisory authorities’ choice to use one or other of the powers conferred on them by Article 58(2) of the GDPR”
To similar effect the Court stated:
“111. In order to handle complaints lodged, Article 58(1) of the GDPR confers extensive investigative powers on each supervisory authority. If a supervisory authority takes the view, following an investigation, that a data subject whose personal data have been transferred to a third country is not afforded an adequate level of protection in that country, it is required, under EU law, to take appropriate action in order to remedy any findings of inadequacy, irrespective of the reason for, or nature of, that inadequacy. To that effect, Article 58(2) of that Regulation lists the various corrective powers which the supervisory authority may adopt.
112. Although the supervisory authority must determine which action is appropriate and necessary and take into consideration all the circumstances of the transfer of personal data in question in that determination, the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence.”
These passages were strongly relied on by Mr Coppel KC, but in my judgment are a red herring for three reasons. First, this case is not about the exercise of the “extensive investigative powers” of the Commissioner under Article 58. Second, the “effective judicial remedy” provided for in Recital 148 and Article 58.4, and the reason for its existence, is not the same as the “effective judicial remedy” provided for in Recital 141, and Article 78.1 and 78.2. The “effective judicial remedy” in Article 58.4 is not an apt analogue, in my opinion. Thirdly, and perhaps most significantly, Article 58.4 has been omitted from the UK GDPR by Schedule 1, para 53(6) of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419). Facebook Ireland therefore concerns a provision in the EU GDPR which has since been removed from the UK version.
I revert to the role and functions of the Commissioner. They are unaltered. The Commissioner remains the public guardian of the fundamental right of natural persons to the protection of their personal data (Recitals 1, 117; Article 51.1).
The Commissioner’s functions as the public guardian of this fundamental right are manifold. Those functions must be seen as forming part of a bundle or package, marching hand-in-hand together (Recital 122) to promote the observance of the data protection principles by all data users. The observance objective lives on.
I now turn to those functions.
The first function is to monitor and enforce the Regulation (Articles 51.1, 57.1(a)). In Data Protection Commissioner v Facebook Ireland Ltd at [108] the court stated:
“…the supervisory authorities’ primary responsibility is to monitor the application of the GDPR and to ensure its enforcement.”
Second, is the educational function to promote public awareness and understanding of the risks, rules, safeguards and rights in relation to data-processing (Recital 122; Article 57.1(b)).
Third, is the advisory function to educate Parliament, the government and other institutions and bodies on measures relating to the protection of the fundamental right (Recital 122; Article 57.1(b)).
Finally, there is the function of handling complaints made by data subjects. The treatment of such complaints by the Commissioner, as before, remains within his exclusive discretion. He decides the scale of an investigation of a complaint to the extent that he thinks appropriate. He decides therefore whether an investigation is to be short, narrow and light or whether it is to be long, wide and heavy. He decides what weight, if any, to give to the ability of a data subject to apply to a court against a data controller or processor under Article 79. And then he decides whether he shall, or shall not, reach a conclusive determination (Recital 122, 129, 141; Article 57.1(f)).
The Commissioner must undertake whatever course he adopts with all due diligence: Data Protection Commissioner v Facebook Ireland Ltd at [109].
Interpretation of Article 57.1(f)
The question is whether Article 57.1(f) contains an implicit instruction to the Commissioner requiring him to investigate, to the extent necessary to reach a conclusive determination, each and every complaint made under Article 77.1. I shall interpret the words literally, purposively, and contextually.
Each method of construction leads to the same answer: it does not.
The literal words of Article 57.1(f) could not be clearer. Recital 141 states unambiguously:
“The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case.”
Article 57.1(f) states that the Commissioner shall:
“investigate, to the extent appropriate, the subject matter of the complaint”.
I cannot see that these clear and unambiguous words mean anything other than what they say. The Commissioner decides on each complaint what the appropriate extent of the investigation shall be. If he has that unfettered power then it must follow that he has an equivalent power to determine the form of the outcome.
The literal view is confirmed by a purposive interpretation of the words.
A purposive (or common-sense) interpretation will:
consider the Commissioner’s role and functions and his obligation to exercise his powers consistently with the observance objective;
consider the Commissioner’s task to handle complaints in view of his role and other functions;
recognise that there is nothing to suggest that the legislature intended to change the previous law about complaints to the Commissioner (Footnote: 12);
and ask, in their light, if Article 57.1(f) contains an implicit instruction to reach a conclusive determination on each and every complaint made under Article 77.1. In my judgment a purposive interpretation that takes into account all of the above considerations inexorably points to a negative answer to the question.
Finally, in my judgment, for two particular reasons a contextual or inferential construction of Article 57.1(f) clearly leads to an interpretation that allows the Commissioner to decide, after investigating a complaint to a limited extent, that no further action should be taken on it.
The first reason is this. A close and careful reading of Recital 141 reveals that it refers to the situations where the Commissioner (i) does not act on a complaint, or (ii) partially or wholly rejects or dismisses a complaint or (iii) does not act where such action is necessary to protect the rights of the data subject: see [41] above where it is set out (Footnote: 13). In such circumstances the data subject can challenge the treatment of the complaint in court under Article 78.2. This provides:
“…each data subject shall have the right to an effective judicial remedy where the Commissioner does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint.”
“Handling” a complaint therefore includes not acting on it as well as rejecting it wholly or in part. The wording of Recital 141 and Article 78.2 acknowledges that an outcome of no action (or no further action) was within the lawful powers of the Commissioner.
The second reason is this. Mr Coppel KC accepts that the Commissioner can summarily reject, with minimal investigation, a complaint that is clearly spurious, vexatious or abusive. I recall that he accepted that such a rejection would be done under Article 57.1(f). I am clear that it could not be done under Article 57.4 which allows the Commissioner to refuse to act on a manifestly unfounded, excessive or repetitive “request”. This is clearly a reference to a “request” pursuant to Article 57.1(e) to provide information to a data subject concerning the exercise of their rights under the GDPR, and not to a complaint under Article 57.1(f).
If the Commissioner has the power, after minimal investigation, to reject a complaint as spurious then it must follow that it is a lawful exercise of power by the Commissioner to decide after investigating a complaint to a limited extent that, although it is not spurious, nonetheless no further action should be taken on it.
For these two further reasons also the answer to the question is: no.
If I had any lingering doubts (and I do not) they would be banished by the terms of the Data Protection Act 2018.
The GDPR, being a Regulation, had direct effect and so it was not technically necessary to pass an Enabling Act. The 2018 Act therefore is to be seen as supplementing rather than implementing the Regulation. It also made provision in spheres not covered by the Regulation. It came into force on the same day as the GDPR, 25 May 2018.
Section 114 provides that there is to continue to be an Information Commissioner. Schedule 12 continues the formal aspects of the Commissioner’s status, capacity, appointment, salary etc exactly as before.
Section 2(1) sets out the objective of the GDPR and of the Act in familiar terms:
“The UK GDPR and this Act protect individuals with regard to the processing of personal data, in particular by:
(a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject's consent or another specified basis,
(b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
(c) conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.
Reiterating the provisions of the 1998 Act, s. 45 provides the familiar right of an individual to apply to a data controller for access to his or her personal data. Sections 167 and 180 give the High Court or County Court power to enforce the right of access.
Section 2(2) enacts in very specific terms the matters which the Commissioner must keep in mind when exercising his functions, including his function to handle complaints:
“When carrying out functions under the UK GDPR and this Act, the Commissioner must have regard to the importance of securing an appropriate level of protection for personal data, taking account of the interests of data subjects, controllers and others and matters of general public interest.”
Section 115 sets out the Commissioner’s general functions under the UK GDPR:
“(1) The Commissioner is to be the supervisory authority in the United Kingdom for the purposes of Article 51 of the GDPR.
(2) General functions are conferred on the Commissioner by:
(a) Article 57 of the GDPR (tasks), and
(b) Article 58 of the GDPR (powers),
(and see also the Commissioner’s duty under section 2).
(3) The Commissioner’s functions in relation to the processing of personal data to which the GDPR applies include:
(a) a duty to advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data, and
(b) a power to issue, on the Commissioner’s own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data.”
It is noteworthy that in subsection (3), Parliament specifically highlighted the advisory and educational role of the Commissioner, thereby emphasising that the exercise of the Commissioner’s complaints power under Articles 57.1(f), 57.4, 77.1 and 77.2 is bundled up, and marches hand-in-hand, with these chief functions. In contrast to s.36 of the 1984 Act and s.51 of the 1998 Act these functions are no longer described as “general duties”.
Section 165 deals with complaints made by data subjects. Section 165(1) records the data subject’s right to make complaints under Articles 57 and 77 of the Regulation (Footnote: 14). Section 165(2) allows a data subject to make a separate complaint to the Commissioner if they consider that in connection with their personal data there is an infringement of Part 3 or Part 4 of the Act (“a s.165(2) complaint”). These Parts relate to law enforcement and intelligence processing, and are not directly relevant to the issues I have to decide. However, it is revealing how Parliament decided to instruct the Commissioner to deal with a s.165(2) complaint.
Section 165 continues:
“(4) If the Commissioner receives a complaint under subsection (2), the Commissioner must:
(a) take appropriate steps to respond to the complaint,
(b) inform the complainant of the outcome of the complaint,
(c) inform the complainant of the rights under section 166, and
(d) if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint.
(5) The reference in subsection (4)(a) to taking appropriate steps in response to a complaint includes:
(a) investigating the subject matter of the complaint, to the extent appropriate, and
(b) informing the complainant about progress on the complaint, including about whether further investigation or co-ordination with another supervisory authority or foreign designated authority is necessary.”
It is clear to me that Parliament was putting a s.165(2) complaint on what it perceived to be the same footing as a general complaint under Article 77.1 of the Regulation. It is noteworthy that when specifying the things that the Commissioner had to do when he received such a s.165(2) complaint, Parliament did not say that he had to render a conclusive determination of the complaint. To be sure, the Commissioner has to provide an outcome, and the complainant has to be told about that, but, as has been seen, an outcome can include taking no action on the complaint following investigation. Moreover, Parliament did not tell the Commissioner what degree of investigation he had to apply to a s.165(2) complaint.
It would be bizarre if the Commissioner was fixed with a more rigorous standard of investigation and determination on a general complaint under Article 77.1 than on a s.165(2) complaint.
For this reason also, the answer to the question I posed at [59] above is: no.
Conclusion on the law generally
In my judgment, for the reasons I have given at some length, Mr Bedenham correctly submits that the legislative scheme requires the Commissioner to receive and consider a complaint and then provides the Commissioner with a broad discretion as to whether to conduct a further investigation, and, if so, to what extent. He correctly submits, further, that this discretion properly recognises that the Commissioner is an expert Regulator who is best placed to determine on which cases he should focus.
Accordingly, in my judgment the list of possible outcomes of a complaint under Article 77.1 set out on the ICO’s website (and recounted in [4] above) is lawful.
This case
The Claimant, Ben Peter Delo, was a customer of the Interested Party, Wise Payments Limited (“Wise”). On 1 August 2018 Wise provided the Claimant with an electronic account to facilitate currency conversion. It also provided him with a debit card allowing expenditure in foreign currencies.
On 10 November 2020, the Claimant transferred £30,000 from his account with HSBC in Hong Kong to his Wise account to convert to Hong Kong Dollars (“HKD”), from where the converted funds were to go to his account with the Bank of China (“BOC account”). Wise effected these instructions the next day on 11 November 2020. Later that day, the Claimant transferred £270,000 into his Wise account from his HSBC Hong Kong account, instructing Wise to convert that sum into HKD and to transfer it to his BOC account.
Wise did not action the Claimant’s instruction and instead asked him to provide information on the source of the funds to be transferred and the purpose of the transfer. The Claimant provided that information on the same day. On 19 November 2020, Wise informed the Claimant that it was deactivating his account. On that day, the Claimant submitted a data subject access request (“DSAR”) to Wise, asking to be provided with a copy of the personal data it held about him.
On 23 November 2020, Wise submitted a suspicious activity report (“SAR”) regarding the Claimant to the National Crime Agency (“NCA”).
Wise responded to the DSAR on 18 December 2020, providing the Claimant with copies of some of documents but it did not provide by any means all of the Claimant’s personal data that it had processed or was processing. It did not provide the suspicious activity report or any internal communications regarding the Claimant. The covering letter from Wise stated:
“The information is complete to the best of our knowledge […] Please note that some information may have been exempted in accordance with the GDPR and is therefore not subject to disclosure through the Right of Subject Access.”
The Claimant did not consider that Wise’s response complied with its obligations under Article 15 UK GDPR. He therefore wrote to Wise on 18 January 2021 arguing that its response was deficient and requiring it to fulfil its obligations. Wise’s response on 21 January 2021 was that it had “determined that [its] original response remains the same in line with the provisions of the GDPR and Data Protection Act 2018.”
On 4 February 2021, Wise submitted a further SAR regarding the Claimant to the NCA. The Claimant then received a letter from Thames Valley police on 15 February 2021 to inform him of their investigation into the source of his funds in a Wise account. Wise submitted a third SAR to the NCA on 22 March 2021.
On 25 June 2021, the Claimant again wrote to Wise requiring it to comply with what he saw as its legal obligations under Article 15 GDPR. On that same day the Claimant filed his first complaint with the Commissioner, asking the Commissioner to require Wise (i) to disclose all documents responsive to his DSAR which Wise had unlawfully withheld, including all suspicious activity reports filed, and all materials recording Wise’s decision to close the account (“the documents”), and (ii) to identify and explain the exemptions on which it sought to rely.
On 30 July 2021, Wise wrote to the Claimant informing him that they had filed three SARs about him with the NCA. They further informed the Claimant that they
“…may rely on exemptions including, pursuant to the Data Protection Act 2018, schedule 2, part 1, paragraph 2 (crime and taxations) and paragraph 5 (information required to be disclosed by law)…”
to justify withholding disclosure of the Claimant’s personal data.
On 12 October 2021, the Commissioner decided to take no further action on the Claimant’s first complaint. His justification was that the scope of the Claimant’s DSAR was too widely drawn and supported Wise’s contention that it was exempt from giving the disclosure under the DPA, as this disclosure would reveal information regarding Wise’s internal business processes or measures.
On 22 October 2021, the Claimant again wrote to Wise asking it to comply with its obligations under Article 15 of the UK GDPR. On the same day, the Claimant made a second complaint to the Commissioner about Wise, asking the Commissioner to reconsider his decision of no further action, and stating that if his position remained unchanged, then he (the Claimant) would apply to the court to review their final decision.
The Claimant asked the Commissioner to reconsider on the basis that he (the Commissioner) must have misunderstood or mischaracterised the scope of his request to Wise: he was not asking it to explain its decision to close his account but, rather, was seeking disclosure of the documents which named him (and which therefore included his personal data) recording the decision and the reasons for it.
The Claimant further invited the Commissioner to reconsider his decision arguing that there was no exemption in law entitling the withholding of data which contains information regarding business processes, and that Wise could have redacted words or proposed a confidentiality agreement if that was the case. The Claimant also complained that the Commissioner had not addressed Wise’s failure to disclose the SARs.
On 24 November 2021, the Commissioner dismissed the Claimant’s second complaint. The Claimant therefore sent a letter before claim to the Commissioner on 13 December 2021, to which the Commissioner responded on 22 December 2021. In the Claimant’s pre-action letter he specified the relief he was seeking thus:
“7.1 The Claimant requests that the ICO reconsider the November Decisions and require Wise: (a) To promptly disclose all documents responsive to the Claimant’ DSAR that it has unlawfully withheld, including but not limited to the SARs, documents that explain why the Defendant decided to close the Account on 19 November 2020, and all internal correspondence regarding the Claimant; and (b) If Wise still intends to withhold documents on the basis of an exemption in the DPA, to identify the exemption(s) on which it relies and explain with particularity the basis for such reliance.
7.2 If the ICO does not take the above steps, the Claimant will have no choice but to apply to have the November Decisions judicially reviewed in order to avoid further harm, both to himself and to others. The Claimant will seek an order quashing the November Decisions and a mandatory order directing the ICO to make the decision again in accordance with the court’s judgment.”
It can be seen that the Claimant’s objective was to recover the documents. He was not seeking a separate declaration of unlawfulness.
In parallel, on 24 December 2021 the Claimant commenced proceedings against Wise in the (then) Queen’s Bench Division of the High Court for breach of contract and breaches of UK GDPR (“the civil claim”). Specifically, the Claimant claimed:
“delivery up of his personal data from the Defendant as required under Article 15 of the GDPR consisting of:
• any internal and/or external documents (including but not limited to correspondence such as letters and emails, notes and minutes) that name the Claimant;
• all information gathered by the Defendant at the time that the Claimant opened the Account in August 2018;
• all information naming the Claimant and relating to the Defendant’s decision to terminate the Account without notice;
• all diligence reports concerning the Claimant and which contain his personal information;
• copies of SAR1, SAR2 and SAR3;
• copies of correspondence between the Defendant and any third parties, including the NCA, that concern the Claimant; and
• any and all other information held by the Defendant about the Claimant.
and damages for foregone interest.”
Again, it is clear that the Claimant’s objective was to recover the documents. He was not seeking a formal declaration of illegality.
On 25 February 2022, the Claimant commenced the present judicial review claim against the Defendant, citing Wise as an interested party. In his Statement of Facts and Grounds the Claimant framed the relief he was seeking rather differently to that in his PAP letter. He sought:
“(i) a quashing order, quashing the Decision;
(ii) a mandatory order requiring the Commissioner to reopen its investigation into the Claimant’s complaint; alternatively
(iii) a mandatory order, requiring the Commissioner to re-take the Decision.”
The Commissioner filed Summary Grounds of Defence on 15 March 2022 and Acknowledgements of Service were filed by the Commissioner on 16 March 2022 and on 22 March 2022 by Wise, which stated that it made no submissions but asked to be kept updated on developments. On 8 March 2022 the Claimant replied to the Summary Grounds of Defence.
On 1 June 2022, in the civil claim, Wise provided the Claimant with all of the data it said it had withheld as exempted when responding to the Claimant’s DSAR. Wise did not concede liability in those proceedings. Notwithstanding that the Claimant by no means had achieved everything he had sought, he discontinued the claim (although an issue of costs remains to be resolved).
On 24 June 2022, Richard Clayton KC, sitting as a Deputy High Court Judge, granted permission to the Claimant to apply for judicial review, and listed the application which has now been heard by me. I do not believe that he was aware that three weeks earlier in the civil claim the Claimant had recovered all the documents.
The Claimant’s solicitors informed the Defendant on 13 July 2022 that in the light of Wise’s disclosure, the Claimant would be seeking “relevant declarations” at the final hearing, but did not intend to seek formally to amend its pleadings to make that clear. The Defendant was asked to indicate any objection to that course and did not do so.
On 17 August 2022, the Claimant started a second judicial review application against the Commissioner (No. CO/2988/2022). The Claimant had made a complaint to the Commissioner against the NCA, seeking that, pursuant to s.45(7)(b) of the 2018 Act, he should require the NCA to provide to the ICO its record of the reasons for the restriction of his right of access to his personal data. On 17 May 2022 the Commissioner refused to exercise his power to do so, considering that the Claimant could seek to enforce his data protection rights by way of an application under s.167. The Claimant’s new judicial review application challenges that decision of the Commissioner of 17 May 2022. A permission decision is yet to be made.
In his skeleton argument Mr Coppel KC set out the precise relief the Claimant is now seeking:
“The Claimant seeks a declaration [that the Decision of 24 November 2021 was unlawful], and also an order quashing the Decision, in order to recognise the illegality which he has established. He does not seek mandatory relief requiring the Commissioner to re-open his investigation, given that he has now received direct from Wise the information which he would expect to receive at the conclusion of a re-opened investigation which led to a determination in his favour.”
Two preliminary points
At the hearing before me Mr Bedenham, counsel for the Commissioner, took two preliminary points. First, he argued that the Claimant’s claim had become academic and that the narrow public interest exception permitting an academic claim to be heard was not satisfied in this case. I heard this objection at the very start of the hearing and I rejected it for reasons to be given in this judgment.
Second, he argued that the Claimant had an alternative remedy under s.166 of the Data Protection Act 2018 of which he did not avail himself, and that in such circumstances his claim for judicial review should not be entertained.
Academic claim
It is common ground that pursuant to the opinion of Lord Slynn of Hadley in the decision of the House of Lords in R v Secretary of State for the Home Department ex p Salem [1999] 1 AC 450:
the court has a discretion to hear an academic application in the public law field but not otherwise;
an application will be academic when there is no longer a lis to be decided which will directly affect the rights and obligations of the parties inter se;
the Court should exercise the discretion with caution; and
it should only hear such an application where there is a good reason in the public interest to do so.
I have explained above that the sole objective of the Claimant was to recover the documents. He has done so. It was submitted by Mr Bedenham that there is now no longer a lis to be decided which will directly affect the rights and obligations of the parties inter se.
A lis is a legal cause of action. Notwithstanding that the Claimant has recovered the documents his claim for a declaration of unlawfulness remains extant. But does it directly affect the rights and obligations of him and the Commissioner inter se? Inter se means “between themselves”. That the declaration would seriously affect the Commissioner in his work handling complaints, does not mean that it directly affects the rights and obligations of the parties between themselves.
For a claim not to have become academic the Claimant must be authentically continuing to claim in the lis some real personal benefit. That benefit could be a claim for something tangible (e.g. a property) or quantifiable (like money or money’s worth). Or it may be for declaratory relief that regulates status (e.g. a decree of divorce). Or it may be for recognition of a specific condition (e.g. a refugee). Or it may be a decision about a child or for an incapacitated adult. Or it may be to protect rights of ownership or personal safety. The list is endless.
An academic claim will be abstract or intangible or symbolic. In L, M and P v Devon County Council [2021] EWCA Civ 358 Peter Jackson LJ illustrated the difficulty in coming up with a one-size-fits-all-definition of an academic claim.
In my opinion, identification of an academic claim is probably best achieved by using the well-known method described by Stuart-Smith LJ in Cadogan Estates Ltd v Morris [1998] EWCA Civ 1671, a case about a claim for a new lease, at [17]:
"This seems to me to be an application of the well known elephant test. It is difficult to describe, but you know it when you see it." (Footnote: 15)
The Claimant here has got everything tangible that he sought. He claims that what remains – an application for an abstract quashing of a decision without an order for it to be re-made, alternatively for a declaration of unlawfulness – would gain him some real personal benefit. He says that the declaration would be extremely useful in his second claim for judicial review against the Commissioner. Obviously, that does not fall within the scope of the definition as there must be an issue as to the rights and obligations of the parties between themselves in relation to the subject matter of the claim. His separate dispute with the Commissioner about a different complaint does not bring this claim within the terms of that test.
Similarly, his assertion that there remains an issue about costs in these proceedings does not bring the claim within the requisite definition. In many cases where the substance has been agreed there will be a residual dispute about costs; that does not mean that in such circumstances Lord Slynn’s test is met.
Having heard counsel, I was left in no doubt that the residue of the claim does not satisfy the test. There is nothing left that could affect the rights and obligations of the parties as between themselves. It is academic.
However, I was satisfied that it would be in the public interest for this claim to be heard, as the core question has not been directly considered in domestic or European case law in the 41 years since the right to data protection came into existence, or in the 4½ years since the EU GDPR became part of the law.
The declaration, if granted, would alter, in my opinion, a very long-standing understanding of the role and functions of the Commissioner when dealing with complaints. It would be a piece of judicial legislation.
Therefore, I concluded that it was in the public interest that the claim should be heard and resolved as conclusively as possible.
For these reasons I rejected Mr Bedenham’s preliminary objection.
Section 166 of the Data Protection Act 2018
This is headed “Orders to progress complaints” and provides:
“(1) This section applies where, after a data subject makes a complaint under section 165 or Article 77 of the UK GDPR, the Commissioner:
(a) fails to take appropriate steps to respond to the complaint,
(b) fails to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or
(c) if the Commissioner's consideration of the complaint is not concluded during that period, fails to provide the complainant with such information during a subsequent period of 3 months.
(2) The Tribunal may, on an application by the data subject, make an order requiring the Commissioner:
(a) to take appropriate steps to respond to the complaint, or
(b) to inform the complainant of progress on the complaint, or of the outcome of the complaint, within a period specified in the order.
(3) An order under subsection (2)(a) may require the Commissioner:
(a) to take steps specified in the order;
(b) to conclude an investigation, or take a specified step, within a period specified in the order.
(4) Section 165(5) applies for the purposes of subsections (1)(a) and (2)(a) as it applies for the purposes of section 165(4)(a).”
Section 165(5) provides:
“(5) The reference in subsection (4)(a) to taking appropriate steps in response to a complaint includes:
(a) investigating the subject matter of the complaint, to the extent appropriate, and
(b) informing the complainant about progress on the complaint, including about whether further investigation or co-ordination with a foreign designated authority is necessary.”
Section 166(2) thus provides the “effective judicial remedy” for dilatoriness referred to in Article 78.2. Sections 166(2) and (3) allow the Tribunal to order the Commissioner to take steps specified in the order to respond to the complaint. In my judgment, this would not extend to telling the Commissioner that he had to reach a conclusive determination on a complaint where the Commissioner had rendered an outcome of no further action without reaching a conclusive determination. This is because s. 166 by its terms applies only where the claim is pending and has not reached the outcome stage. It applies only to alleged deficiencies in procedural steps along the way and clearly does not apply to a merits-based outcome decision.
In Killock and Veale v ICO (Information rights - Freedom of Information - exceptions: practice and procedure) [2021] UKUT 299 (AAC) Farbey J and UTJ De Waal held at [74]:
“The remedy in s.166 is limited to the mischiefs identified in s.166(1). We agree with Judge Wikeley’s conclusion in Leighton (No 2) that those are all procedural failings. They are (in broad summary) the failure to respond appropriately to a complaint, the failure to provide timely information in relation to a complaint and the failure to provide a timely complaint outcome. We do not need to go further by characterising s.166 as a “remedy for inaction” which we regard as an unnecessary gloss on the statutory provision. It is plain from the statutory words that, on an application under s.166, the Tribunal will not be concerned and has no power to deal with the merits of the complaint or its outcome. We reach this conclusion on the plain and ordinary meaning of the statutory language but it is supported by the Explanatory Notes to the Act which regard the s.166 remedy as reflecting the provisions of Article 78(2) which are procedural. Any attempt by a party to divert a Tribunal from the procedural failings listed in s.166 towards a decision on the merits of the complaint must be firmly resisted by Tribunals”
I fully agree with this. However, in [87] there seems to be some back-tracking:
“Moreover, s.166 is a forward-looking provision, concerned with remedying ongoing procedural defects that stand in the way of the timely resolution of a complaint. The Tribunal is tasked with specifying appropriate “steps to respond” and not with assessing the appropriateness of a response that has already been given (which would raise substantial Regulatory questions susceptible only to the supervision of the High Court). It will do so in the context of securing the progress of the complaint in question. We do not rule out circumstances in which a complainant, having received an outcome to his or her complaint under s.165(b) (sic, semble s.165(4)(b)), may ask the Tribunal to wind back the clock and to make an order for an appropriate step to be taken in response to the complaint under s.166(2)(a). However, should that happen, the Tribunal will cast a critical eye to assure itself that the complainant is not using the s.166 process to achieve a different complaint outcome.”
For my part, if an outcome has been pronounced, I would rule out any attempt by the data subject to wind back the clock and to try by sleight of hand to achieve a different outcome by asking for an order specifying an appropriate responsive step which in fact has that effect. The Upper Tribunal rightly identified in [77] that if an outcome was pronounced which the complainant considered was unlawful or irrational then they can seek judicial review in the High Court. In my judgment, that entitlement supplies the “effective judicial remedy” against the outcomes referred to by me in the second, third and fourth scenarios at [46] above.
Mr Bedenham argues that:
“The Claimant’s challenge is not that the Commissioner’s substantive decision was wrong on its merits but rather that the Commissioner failed to adequately determine the complaint (i.e. failed to take appropriate steps to respond to the complaint). That is a procedural failing of the sort where the appropriate forum for redress is the Tribunal by way of an application pursuant to section 166(2). The Claimant’s complaint is that the Commissioner should have approached Wise for further information and that the Commissioner should have reached a concluded view on whether Wise had complied with its data protection obligations. The Claimant could, pursuant to s 166 DPA 2018, have asked the Tribunal to require the Commissioner to take those steps.”
In my judgment this is precisely the sort of sleight of hand with which I disagree. The Commissioner’s argument seeks to clothe a merits-based outcome decision with garments of procedural failings. The substantive relief sought by the Claimant was disclosure of the documents. The Commissioner’s argument is that the Tribunal could have made a mandatory procedural order specifying as a responsive step the disclosure of those very documents.
I disagree with Mr Bedenham. I agree with Mr Coppel KC that s.166 did not provide the Claimant with an alternative remedy.
The Claimant’s claim
I now turn to the Claimant’s claim. It challenges the Commissioner’s decision made on 24 November 2021 on three grounds:
Ground 1: The Commissioner failed to determine the Claimant’s complaint.
Ground 2: The Commissioner failed to conduct a lawful investigation of the Claimant’s complaint.
Ground 3: The Commissioner failed to take account of relevant considerations, proceeded on the basis of insufficient enquiry and irrationally made a determination on the basis of facts not known to him.
I have set out above the basic chronology of the communications between the Claimant and the Commissioner. It is correct that the Commissioner decided to investigate the Claimant’s second complaint by reading the letter of complaint and the accompanying clip of correspondence, and no more. It is correct that he reached his conclusion of no further action without making enquiries of Wise as to what precise personal data of the claimant it had withheld and why. The material part of the decision states:
“The ICO provides guidance to organisations on the use of exemptions. You believe that a Suspicious Activity Report was completed by TransferWise but that details of this have not been provided as they have used the crime and taxation exemption under the prevention or detection of crime. Our guidance states that an organisation needs to judge whether complying with the SAR would prejudice the purpose of the document. They are satisfied that they have done this and there is no requirement for them to explain the exemption used to an individual.
Although TransferWise would be required to provide details of any document regarding the decision to close Mr Delo’s account if it contained his personal data, they would again need to judge whether disclosure of such would prejudice the reasons for the decision. Again, they are also not required to state and explain the exemption if it would prejudice the purpose of the data/document.
There is no evidence to suggest that TransferWise have a blanket approach as they appear to have made a decision based on the information on this particular SAR and also confirmed on 8 February 2021 that they had revisited their decision. Also, if they have made a considered judgement not to provide this data using the exemptions mentioned above, they would also be unlikely to agree to provide them confidentially to Mr Delo’s advisors as you suggest.”
The decision therefore confirmed the earlier decision of 12 October 2021 which had stated:
“Having reviewed the correspondence provided, in our view it is likely that TransferWise have complied with their data protection obligations.”
Although it was not explicitly spelt out, by implication the formal outcome was: No Further Action on the Complaint.
Mr Bedenham submits that all three grounds rest on the flawed premise that in every case where a complaint is made, the Commissioner must reach a final determination as to whether there has been a breach of a data subject’s rights, or not. In my judgment, Mr Bedenham is correct for the reasons I have set out above at some length.
I further agree with Mr Bedenham that on the facts of this case the Commissioner complied with all the obligations imposed on him, viz:
he received and reviewed the complaint and the attached correspondence;
having regard to that information, and to his view that he should be concentrating on those cases which he believes gives the most opportunity to improve the practices of organisations which process data, he formed the view that this was not a case where further investigation was necessary;
that was the decision he reached as to the appropriate extent that investigation was necessary;
in consequence the outcome decision of 12 October 2021, as detailed above, was then reached;
that was reviewed, but the same outcome decision was reached on 24 November 2021;
in accordance with his duties, he then informed the Claimant of the outcome namely that no further action would be taken by the ICO against Wise.
The Claimant has exercised his right under Recital 141 and Article 78.2 to challenge the Commissioner’s decision to take no further action by commencing the instant judicial review proceedings.
In my judgment the decisions of 12 October 2021 and 24 November 2021 were completely lawful, both in substance and procedurally. The Commissioner was under no obligation either to seek further materials from Wise or to reach a conclusive determination as to whether, or not, Wise had complied with its data protection obligations. It was sufficient for him to conclude on the basis of the available information that it appeared likely that Wise had so complied.
The Commissioner dealt with the complaints in his capacity as an expert Regulator in accordance with the legal requirements. He did so to the letter. There is no warrant for saying either that he failed as a matter of fact to determine the complaints; or that he handled them in violation of the law; or that his decision-making process left out of account material matters, or took into account irrelevant matters, or was otherwise irrational. These criticisms all stem from the false argument I have identified above namely that it is the obligation of the Commissioner in every case where a complaint is made, to investigate it to the extent necessary to enable him to reach a conclusive determination.
The Commissioner made his operative decisions on 12 October and 24 November 2021. The Claimant did not begin his parallel civil claim to make Wise to disclose the documents until 24 December 2021 (Footnote: 16). The civil claim was settled on 1 June 2022 with the Claimant receiving full disclosure of the documents. The Commissioner would have been well aware when he made his decision that the civil claim was available to the Claimant.
In my opinion, on the facts of this case, the availability of that civil claim was a further good reason for the Commissioner to have reached his decisions.
For these reasons the claim for judicial review is dismissed.
____________________________________