Case Reference: EA/2022/0034/GDPR
Information Rights
Considered without a hearing on 31 October 2022
Before
TRIBUNAL JUDGE NEVILLE
TRIBUNAL MEMBER S COSGRAVE
TRIBUNAL MEMBER J MURPHY
Between
S R WIELEMAN
Applicant
and
INFORMATION COMMISSIONER
Respondent
Decision: The application is dismissed
REASONS
On 2 November 2021 the applicant made a complaint to the Commissioner that a company called Contactout Limited had not responded to his Subject Access Request made on 2 August 2021. Having had no response to that complaint after three months, the applicant made an application to the Tribunal for an order requiring the Commissioner to progress it. The Commissioner finally provided an outcome letter on 15 February 2022. After some introductory text confirming the nature of the Commissioner’s responsibilities, the letter stated as follows:
Contactout Limited as a data controller is based in the United States of America (the USA), which falls under a ‘third country’ category of data controllers, a country outside the European Union (the Union).
In relation to your case this means that although we are able to communicate with the data controller, in this case Contactout Limited, regarding infringement of the data protection rights, any enforcement falls outside the powers of the ICO and therefore we are unable to impose any actions to improve data protection practises within the organisation.
In relation to remedies, such as compensation sought by the data subject, in this case yourself, who wish to take action about a possible breach of the data protection obligations should do so through the courts.
We would recommend however, if you wish to take the matter to court, that you seek legal advice before doing so.
I hope this provides information allowing for clearer understanding of our role and scope.
A file note dated 15 February 2022 was provided showing that two emails had been sent to Contactout Limited, one in late January and one in early February 2022, with no response.
The Commissioner then provided its response to the present application, pursuant to rule 23 of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009, requesting that the proceedings be struck out as having no reasonable prospect of success. The Commissioner argued that the complaint had now been resolved and there was nothing left for the Tribunal to do. The applicant objected to this, pointing out that Contactout Limited’s data policy specified the Commissioner as being the supervisory authority and that the Commissioner had not explained why he was not. In a decision dated 20 May 2022, a Tribunal Registrar declined to strike out the proceedings and directed full consideration by the Tribunal.
Both parties were content for the matter to be decided without a hearing. We have taken account of the parties’ submissions and evidence as contained within the bundle prepared by the Commissioner. Having done so, we consider that the application engages the following legal principles.
Legal principles – complaints by data subjects
Section 165 of the Data Protection Act 2018 provides as follows:
Articles 57(1)(f) and (2) and 77 of the UK GDPR (data subject's right to lodge a complaint) confer rights on data subjects to complain to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of the UK GDPR.
A data subject may make a complaint to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of Part 3 or 4 of this Act.
The Commissioner must facilitate the making of complaints under subsection (2) by taking steps such as providing a complaint form which can be completed electronically and by other means.
If the Commissioner receives a complaint under subsection (2), the Commissioner must—
take appropriate steps to respond to the complaint,
inform the complainant of the outcome of the complaint,
inform the complainant of the rights under section 166, and
if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint.
The reference in subsection (4)(a) to taking appropriate steps in response to a complaint includes—
investigating the subject matter of the complaint, to the extent appropriate, and
informing the complainant about progress on the complaint, including about whether further investigation or co-ordination with a foreign designated authority is necessary.
At s.166, the 2018 Act provides the following redress for a failure to meet that statutory duty:
166 Orders to progress complaints
This section applies where, after a data subject makes a complaint under section 165 or Article 77 of the UK GDPR, the Commissioner—
fails to take appropriate steps to respond to the complaint,
fails to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or
if the Commissioner's consideration of the complaint is not concluded during that period, fails to provide the complainant with such information during a subsequent period of 3 months.
The Tribunal may, on an application by the data subject, make an order requiring the Commissioner—
to take appropriate steps to respond to the complaint, or
to inform the complainant of progress on the complaint, or of the outcome of the complaint, within a period specified in the order.
An order under subsection (2)(a) may require the Commissioner—
to take steps specified in the order;
to conclude an investigation, or take a specified step, within a period specified in the order.
Section 165(5) applies for the purposes of subsections (1)(a) and (2)(a) as it applies for the purposes of section 165(4)(a).
It can be seen from the plain language of the statute that the section will only apply at all if one of the conditions at s.166(1)(a), (b) or (c) is met. It is only then that the Tribunal may make one of the orders set out at s.166(2) and (3). There are further rights of action against the data controller or data processor contained at ss.167-169. These may only be pursued in the High Court or the county court.
The scope of s.166 was considered by the Upper Tribunal in Leighton v The Information Commissioner (No.2) (Information rights - Data protection) [2020] UKUT 23 (AAC), as follows:
I note that in Platts v Information Commissioner (EA/2018/0211/GDPR) the FTT accepted a submission made on behalf of the Commissioner that “s.166 DPA 2018 does not provide a right of appeal against the substantive outcome of an investigation into a complaint under s.165DPA 2018” (at paragraph [13]). Whilst that is a not a precedent setting decision, I consider that it is right as a matter of legal analysis. Section 166 is directed towards providing a tribunal based remedy where the Commissioner fails to address a section 165 complaint in a procedurally proper fashion. Thus, the mischiefs identified by section 166(1) are all procedural failings. “Appropriate steps” mean just that, and not an “appropriate outcome”. Likewise, the FTT’s powers include making an order that the Commissioner “take appropriate steps to respond to the complaint”, and not to “take appropriate steps to resolve the complaint”, least of all to resolve the matter to the satisfaction of the complainant. Furthermore, if the FTT had the jurisdiction to determine the substantive merits of the outcome of the Commissioner’s investigation, the consequence would be jurisdictional confusion, given the data subject’s rights to bring a civil claim in the courts under sections 167-169 (see further DPA 2018 s.180).
The Upper Tribunal reached the same conclusion in Scranage v Information Commissioner [2020] UKUT 196 (AAC), holding that – contrary to many data subjects’ expectations – s.166 does not provide a right of appeal against the substantive outcome of the Commissioner’s investigation on its merits. The provision is procedural rather than substantive in its focus.
In Killock & Ors v Information Commissioner [2021] UKUT 299 the Upper Tribunal held that s.166 is ‘forward-looking’. The Tribunal is concerned with remedying ongoing procedural defects that stand in the way of the timely resolution of a complaint, specifying appropriate “steps to respond” rather than assessing the appropriateness of the substantive response given. The same applies to orders under s.166(2)(b) requiring the Commissioner to inform the complainant of progress on the complaint or of the outcome of the complaint within a specified period. These are procedural matters (giving information) and should not be used to achieve a substantive regulatory outcome. A dissatisfied complainant must instead have recourse to the legal remedies at ss.167-169, or bring judicial review proceedings against the Commissioner in the Administrative Court.
Killock does contain an important caveat to the above, expressed by the Upper Tribunal as follows:
… We do not rule out circumstances in which a complainant, having received an outcome to his or her complaint under s.165(b), may ask the Tribunal to wind back the clock and to make an order for an appropriate step to be taken in response to the complaint under s.166(2)(a). However, should that happen, the Tribunal will cast a critical eye to assure itself that the complainant is not using the s.166 process to achieve a different complaint outcome.
The Upper Tribunal held that it is the Tribunal rather than the Commissioner which decides whether a particular investigative step is reasonable, and the Commissioner’s view is not decisive. But in considering appropriateness the Tribunal will be bound to take into consideration and give weight to the views of the Commissioner as an expert regulator. In the sphere of complaints, the Commissioner has the institutional competence and is in the best position to decide what investigations he should undertake into any particular issue, and how he should conduct those investigations. This will be informed not only by the nature of the complaint itself but also by a range of other factors such as his own registry priorities, other investigations in the same subject area and his judgement on how to deploy his limited resources most effectively.
Legal principles – territoriality
Section 207 of the Act provides as follows:
207 Territorial application of this Act
This Act applies only to processing of personal data described in subsections (1A) and (2).
(1A) In the case of the processing of personal data to which Part 2 (the UK GDPR) applies, it applies to the types of such processing to which the UK GDPR applies by virtue of Article 3 of the UK GDPR.
In the case of the processing of personal data to which Part 2 does not apply, it applies where such processing is carried out] in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or not the processing takes place in the United Kingdom.
…
Subsections (1), (1A) and (2) have effect subject to any provision in or made under section 120 providing for the Commissioner to carry out functions in relation to other processing of personal data.
Section 3(14)(c) does not apply to the reference to the processing of personal data in subsection (2).
…
In this section, references to a person who has an establishment in the United Kingdom include the following—
an individual who is ordinarily resident in the United Kingdom,
a body incorporated under the law of the United Kingdom or a part of the United Kingdom,
a partnership or other unincorporated association formed under the law of the United Kingdom or a part of the United Kingdom, and
a person not within paragraph (a), (b) or (c) who maintains, and carries on activities through, an office, branch or agency or other stable arrangements in the United Kingdom…
A subject access request falls within Part 2 of the Act, so by way of s.207(1A) depends on Article 3 of UK GDPR:
Article 3 Territorial scope
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the United Kingdom, regardless of whether the processing takes place in the United Kingdom or not.
This Regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom, where the processing activities are related to:
the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in [the United Kingdom; or
the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom.
2A. In paragraph 2, “relevant processing of personal data” means processing to which this Regulation applies, other than processing described in Article 2(1)(a) or (b) or (1A).
This Regulation applies to the processing of personal data by a controller not established in the United Kingdom, but in a place where domestic law applies by virtue of public international law.
Consideration
The Commissioner’s submissions in this case have failed to engage with the applicant’s actual pleaded case. The applicant argues that no adequate explanation has been provided as to why the Commissioner is not the supervisory authority. We consider that such an argument has the potential to fall within the ambit of s.166. The applicant is entitled to have the Commissioner take appropriate steps to respond to the complaint, and to ask the Tribunal to direct it. We do not go so far as holding that a sufficiency of reasoning is required in a public law sense, but the applicant must at least know what the outcome is. Here, the relevant part of the outcome is communicated as follows:
Contactout Limited as a data controller is based in the United States of America (the USA), which falls under a ‘third country’ category of data controllers, a country outside the European Union (the Union).
In relation to your case this means that although we are able to communicate with the data controller, in this case Contactout Limited, regarding infringement of the data protection rights, any enforcement falls outside the powers of the ICO and therefore we are unable to impose any actions to improve data protection practises within the organisation.
Taken in isolation, this wording risks misleading the reader into thinking that the Commissioner cannot take any regulatory action against a data controller based in a third country. This is obviously incorrect. Yet the letter is in response to the actual complaint that was made – “In relation to your case…”. The complaint discloses that the applicant is based in the Netherlands, and nothing is put forward to connect the applicant, the applicant’s data, or Contactout Limited to the United Kingdom. In those circumstances the Commissioner would correctly apply s.207 of the Act, and Article 3 of UK GDPR, to determine that he does indeed have no enforcement powers. Nothing in the legislative scheme permits Contactout Limited to confer jurisdiction on the Commissioner by naming the ICO in its documentation. The use of the words “In relation to your case…” justifies interpreting what follows as explaining that conclusion to the extent required by s.165. We therefore find that the Commissioner has taken appropriate steps to provide an outcome to the complaint, being that there is no connection with the UK so no enforcement powers are available.
We dismiss the application, there being nothing left for the Commissioner to do that could form the basis for an order under s.166.
Signed Date:
Judge Neville 31 October 2022