Doorstep Dispensaree Ltd v Information Commissioner
On appeal from the First-tier Tribunal (Information Rights)
Between:
Doorstep Dispensaree Ltd
Appellant
- v –
The Information Commissioner
Respondent
Before: Upper Tribunal Judge Mitchell
Hearing date: 13-14 July 2022 at Field House, Breams Buildings, Central London.
Representation:
Appellant: Mr P Coppel KC, of counsel, instructed by Jung and Co. Solicitors.
Respondent: Mr P Lockley, of counsel, instructed by the Information Commissioner’s Legal Services Directorate.
DECISION
The decision of the Upper Tribunal is to refuse this appeal. The decision of the First-tier Tribunal, taken on 9 August 2021, under file reference EA/2020/0065/V, did not involve an error on a point of law. Under section 11 of the Tribunals, Courts and Enforcement Act 2007, the Upper Tribunal dismisses this appeal.
REASONS FOR DECISION
Meaning of terms used in these reasons
In these reasons:
“Commissioner” means the Information Commissioner;
“DPA 2018” means the Data Protection Act 2018 before it was amended on 31 December 2020 (the date on which the Act was amended to substitute references to “GDPR” with “UK GDPR”). The relevant events in this case occurred before that date;
“MPN” means a penalty notice given under section 155(1) of the DPA 2018 requiring a person to pay a specified sum to the Commissioner;
“Tribunal” means the First-tier Tribunal.
The main issue of wider interest: summary of conclusion
The main issue of potentially wider interest on this appeal concerns the standard of proof in proceedings before the First-tier Tribunal on an appeal against a MPN. The Upper Tribunal decides that, in such proceedings, disputed matters of fact are to be resolved according to the civil standard of proof rather than the criminal standard.
Background
The Appellant company operated pharmacies and much of its business involved supplying medicines to care homes. In July 2018, the Appellant held dispensing contracts with 27 care homes.
The Appellant’s sole director and shareholder was Mr S Budhdeo. He was also the sole director and shareholder of Joogee Pharma Ltd, a company engaged by the Appellant to collect from care homes, and dispose of, unused medicines and pharmaceutical records. According to Mr Budhdeo’s evidence before the Tribunal, Joogee Pharma had been providing services to the Appellant since March 2018, but that arrangement was not, at July 2018, governed by any written contract.
On 24 July 2018, the Medicines and Healthcare Products Regulatory Agency (MHRA) executed a search warrant at 75-79 Masons Avenue, Harrow (“the Premises”). Joogee Pharma used the Premises in their business operations. The Commissioner was not present at, nor did he have prior knowledge of, the search.
The Premises included an outside yard which, according to Mr Budhdeo’s evidence before the Tribunal, could be accessed from the fire escapes of adjacent residential flats. The MHRA reported seizing from the yard 47 unlocked crates, two disposal bags and a cardboard box, which contained pharmaceutical and related documents.
Following the MHRA’s search, they informed the Commissioner’s office of the documents seized. The Commissioner’s staff relied on MHRA’s audit of the documentation to determine its contents. The audit stated that some 500,000 documents, dated from December 2016 to June 2018, were seized at the Premises, comprising the following:
- the majority of the documents were dispensing tokens (print outs of electronic prescriptions), sent by care homes to the Appellant’s pharmacies;
- medical administration records, on which care home staff had recorded administration of medication to residents. Bottom copies of these records were supposed to be returned to the Appellant on a monthly basis but, according to the Appellant, care home staff routinely returned the top copy in error;
- copy prescriptions;
- prescription orders faxed by care homes;
- patient medication review documents and patient management records;
- care home resident lists and residents’ photographs;
- medication dispensing check lists;
- pharmacy delivery manifests and delivery driver records;
- “patient identifiable medicinal waste”.
The MHRA thought that many of the documents contained personal data and special category personal data, mainly relating to care home residents. The MHRA also reported that many documents were “soaking wet”, which they thought consistent with storage outdoors.
Acting under Schedule 16 to the DPA 2018, the Commissioner served on the Appellant notice of intention to impose a MPN in the sum of £400,000. Having received representations about the Appellant’s finances, the MPN issued on 17 December 2019 imposed a reduced penalty of £275,000. At the same time, the Commissioner issued the Appellant with an Enforcement Notice under section 149(1) of the DPA 2018.
In January and July 2020, the Appellant’s solicitor carried out what was subsequently described by the Tribunal as a “more detailed analysis of the documents”. The solicitor concluded that no more than 75,000 documents were seized of which 7,351 contained no personal data, 6,229 contained only a name, 6,268 contained only a name and address, and 53,871 contained special category personal data. The solicitor also reported that three crates and bags contained damp and mouldy documents.
First-tier Tribunal’s decision
The Appellant appealed to the Tribunal against both the MPN and the Enforcement Notice. A hearing was held on 17 and 18 December 2020 and the Tribunal gave its decisions in August 2021. The Tribunal dismissed the appeal against the Enforcement Notice but allowed the MPN appeal in so far as it concerned penalty amount, which it reduced to £92,000.
The Tribunal’s reasons, at paragraph 56, record that the Commissioner “elected not to rely on witness evidence” and, instead, relied on the Notices under appeal, exhibits provided by the MHRA and various other documents produced for purposes other than the appeal proceedings.
Agreed facts
Set out in paragraph 55 of the Tribunal’s reasons, the agreed facts included:
Mr Budhdeo was the sole director and shareholder of the Appellant company and Joogee Pharma Ltd;
Joogee Pharma was a licensed waste disposal company;
Mr Budhdeo and his wife jointly owned the Premises, which were used by Joogee Pharma to carry out waste disposal activities on behalf of the Appellant, which included destroying personal data including special category personal data;
Joogee Pharma’s activities constituted data processing for which it was the processor and the Appellant the controller;
the MHRA seized from the Premises at least 73,000 pieces of paper stored in unlocked crates, boxes and bags. Some of the seized documents contained personal data and/or special category personal data;
many of the Appellant’s data protection policies and procedures were out of date at 24 July 2018, and failed to comply with the GDPR. In particular, data subjects were not given the information required by Article 13 and/or 14 of the GDPR;
having been dissatisfied with the Appellant’s response to informal enquiries, on 25 October 2018 the Commissioner issued an Information Notice under section 142(1) of the DPA 2018. The Appellant’s appeal against the Notice was dismissed by the Tribunal and, on 1 March 2019, the Appellant responded in part but relied on privilege against self-incrimination to refuse to respond to certain queries;
on 26 November 2019, the MHRA decided to take no further action against the Appellant under legislation related to the supply of medication, having concluded that there was insufficient evidence to support a reasonable prospect of conviction.
Tribunal’s general role
The parties agreed that “an appeal under s.163 [of the DPA 2018] gives rise to a full merits review of the decision under appeal” (paragraph 35 of the Tribunal’s reasons). The Tribunal said it would “decide whether it would itself reach the same decision [as the Commissioner] based on the evidence now before it” (paragraph 36).
The Tribunal directed itself that, in R (Hope and Glory) Public House Ltd v City of Westminster Magistrates’ Court [2011] EWCA Civ 31, [2011] 3 All ER 579, the Court of Appeal held that “careful attention” should be paid to the decision under appeal, bearing in mind that Parliament had entrusted to the Commissioner responsibility for certain regulatory decisions. However, the weight to be given to the Commissioner’s decision “is a matter of judgment for the Tribunal” (paragraph 37 of the Tribunal’s reasons).
Burden of proof
The Tribunal determined that the Commissioner was “broadly correct” that “to a limited extent the burden of proof is of secondary importance in the context of a full merits review”. However, “when the appeal is against a penalty imposed in response to perceived infringements…there must also be an initial evidential burden imposed upon the decision maker who is required to prove that the infringement has taken place” and “as a matter of common sense, this evidential burden must shift to the other party once evidence of the infringements has been introduced” (paragraph 38 of the Tribunal’s reasons).
Standard of proof
The Tribunal held that the civil standard of proof applies in proceedings on appeal against a MPN. I shall set out the Tribunal’s reasons in full since much of the argument on this appeal concerns them:
“47…(i) I have reminded myself of the principles relevant to determining the applicable standard of proof as summarised by the Upper Tribunal in [Hackett v HMRC [2020] UKUT 0212 (TCC)], to which the paragraphs cited below refer. In particular:
a. As identified by Lord Hoffmann in In re B (Children) (FC) [2008] UKHL 35, there are three categories of civil cases in which it has been suggested that the standard of proof may vary according to the gravity of the misconduct alleged or the severity of the consequences, the first of which is a case classified as civil for the purposes of Article 6 but where the criminal standard should apply due to the serious consequences of the proceedings [59];
b. A number of authorities, including McCann v Crown Court at Manchester (2003) 1 AC 787, support the view that a serious consequence which imposes restrictions upon a person’s liberty may require the criminal standard to be applied even though the proceedings are civil in nature [60 – 61], although a deprivation of fundamental liberties is not always a necessary ingredient [76];
c. In HMRC v Khawaja [2008] EWHC 1687 (Ch) 2008 Mann J concluded that the civil standard of proof applied to civil penalty proceedings in the tax context having identified the existence of parallel criminal proceedings, while noting…that this is only a starting point because, in some cases, the seriousness of the consequences or the nature of the claim is such that the criminal standard of proof is required [67];
d. The civil standard may apply in civil proceedings even when these involve allegations of civil fraud and dishonesty, and assistance in identifying the applicable standard may be found in the language of the legislation [70];
e. As determined by the Upper Tribunal in a subsequent hearing in Khawaja, the application of Article 6 to proceedings does not prevent the civil standard of proof from applying [74]; and
f. As found by the Upper Tribunal in [Hannam v FCA [2014] UKUT 0233 (TCC)], an allegation in relation to which a person faces an unlimited financial penalty and reputational damage but in which fundamental liberties were not at risk does not necessarily fall within Lord Hoffmann’s first category of cases [78].
(ii) I have considered whether assistance may be found in the language of the DPA. This creates two distinct penalty regimes. The first is the s. 155(1) MPN regime, enacted in compliance with the UK’s obligations under the GDPR. An appeal against an MPN is to a civil tribunal, and is brought under the same statutory provisions as appeals against other s. 155(1) notices, in relation to which it is agreed that the civil standard applies.
(iii) The second penalty regime is framed by reference to a criminal process, set out in ss. 196 – 200. This uses the language of criminal offences, including indictable offences, of convictions before the criminal courts, the appropriate sanction for which may also be a penalty. The criminal offences created by the DPA are contained within a number of provisions. Prosecutions may be brought either by the Commissioner after ‘investigation’, or by or with the consent of the DPP. The behaviours to which the offences relate are described in terms of deliberate acts taken in relation to personal data rather than by reference to breaches of the GDPR.
(iv) The language used in s. 155(1)(a) requires the Commissioner to be ‘satisfied’ that a breach of the GDPR has occurred. I accept…that this is reflective of the application of the civil standard of proof. I have noted the contrast between this language and that in s.200 that refers to the Commissioner’s investigation.
(v) I conclude from this analysis a clear intention by Parliament to create two distinct penalty regimes, only one of which is overtly criminal in nature. Accordingly I conclude that an MPN issued pursuant to s. 155(1) is a civil penalty for domestic law purposes.
(vi) I have also considered whether, notwithstanding this, an MPN issued under s. 155(1) ought to be treated as a criminal offence, at least to the extent that the criminal standard of proof must apply.
(vii) I am not persuaded…that any appeal against a monetary penalty is a denial of a criminal offence for the purposes of Article 6, such that it should be afforded enhanced procedural protections. Even if I was so persuaded, Article 6 does not assist in relation to the applicable standard of proof (see Hackett [72-74]). I am satisfied that, in any event, the domestic common law requirements of a fair hearing apply to, and have been applied in, these proceedings, and that these meet Article 6 requirements of procedural protection in any event.
(viii) I note that the provisions of s. 155(1)(b) allow an MPN to be imposed in addition to an information, assessment or enforcement notice, and that this reflects the provisions of Article 83 in which such a penalty is described as an ‘administrative fine’. I find that the use of this language in a European context is inconsistent with an intention to create a penal sanction amounting to a criminal offence. Moreover, the Commissioner may only impose an MPN under s. 155(1)(b) in circumstances where the person has failed to comply with the earlier notice. This means that an MPN may only be imposed:
a. where the Commissioner is satisfied that a breach of relevant parts of GDPR has taken place (s. 155(1)(a)); or
b. where a person served with an information, assessment or enforcement notice has failed to satisfy the Commissioner that no such breach of the GDPR subsists.
In either case the MPN is served in connection with established or suspected breaches of specified obligations under the GDPR.
(ix) The language of s. 155(1)(b) differs significantly from that of the other regulatory regimes cited by Mr Coppel [for the Appellant] as examples of legislation in which the criminal standard applies to a fine imposed for non-compliance with an enforcement notice. This is because, in contrast to Mr Coppel’s examples, s.155(1)(b) does not refer to the creation of ‘an offence’.
(x) The right of appeal created by s. 162(1)(d) & (3) essentially replicates the right created by s. 55B(5) DPA 1998 – i.e. an appeal may be brought against an MPN and/or the quantum of the penalty. The well-established practice of this Tribunal under the earlier legislation is to apply the civil standard of proof. There is nothing in the language of the DPA to suggest an intention by Parliament to change the applicable standard of proof.
(xi) The criteria identified in ss. 155(2) & (3) as relevant to the assessment of the quantum of the penalty are taken from Article 83. These are necessarily expressed in terms unconnected to offsetting any ‘benefit’ of non-compliance with GDPR obligations because the purpose of this aspect of the Regulation is to prevent the infringement of individual rights. Therefore the ‘cost’ of breaches of the GDPR is necessarily assessed on a different basis.
(xii) Although the levels of MPN that may be imposed under s. 155(1) are significant and when imposed at the higher level must meet the description of ‘a serious consequence’, there is no additional consequent deprivation of a fundamental liberty…[the Appellant] may continue to operate as an online pharmacy, the MPN under appeal notwithstanding. Applying the principles identified in Hannam and Hackett to the circumstances of this appeal, I find that the potential quantum of a s.155(1) MPN is not by itself a sufficiently serious consequence so as to bring an appeal within the first category of cases identified by Lord Hoffmann, thereby requiring application of the criminal standard of proof on the basis of serious consequence alone.
(xiii) I therefore conclude that the civil standard of proof applies to an appeal under s. 162(d).”
Relevance of law of agency
The Appellant argued that domestic agency law principles informed the attribution of responsibilities between processor and controller under the GDPR. The Tribunal disagreed:
“54. Having considered the submissions of both Parties, I am not persuaded that consideration of the law of agency assists with the determination of the central issue in this appeal, which is the extent to which [the Appellant] was controller of the data recovered and whether it bears responsibility for any data protection breaches arising from JPL’s processing activities.”
General conclusions
Paragraphs 81 to 87 of the Tribunal’s reasons set out a number of “general conclusions” which included findings of fact. Unless corroborated, the Tribunal treated Mr Budhdeo’s evidence with scepticism because “his credibility as a witness has been diminished by his misleading answers concerning his directorship of Equitable Sustainable Housing Limited…[his] explanation, when presented with contradictory evidence, also lacks credibility” (paragraph 82(vii)). Mr Budhdeo initially denied being a director of that company and said that the ‘S Budhdeo’ recorded as a director by Companies House was his brother. When subsequently presented with evidence which showed this to be incorrect, Mr Budhdeo said that he had originally forgotten that he was a director of this company.
In relation to the documentation seized from the Premises, the Tribunal found that the Commissioner’s evidence lacked “important details about the nature of the personal data concerned, not least an accurate calculation of the number of documents recovered”. The Appellant’s solicitor’s audit was a “more reliable source of information”. The Tribunal accepted the audit’s finding that 73,710 documents were seized by the MHRA, of which 12,491 contained personal data and 53,871 special category personal data (paragraph 81 of the Tribunal’s reasons). Unsurprisingly, the Tribunal left out of account the documents that contained no personal data.
The Tribunal rejected the Appellant’s argument that most of the documents seized originated from care homes, rather than the Appellant. Mr Budhdeo’s evidence was that, since Joogee Pharma became responsible for collecting and destroying waste medicines, it had used the Premises for that purpose (paragraph 82(i) of the Tribunal’s reasons). The Appellant did not dispute that much of the data recovered related to care home residents nor that the documents themselves were generated by the Appellant’s pharmacies (paragraph 82(ii)). Since some data dated back to 2016, and Mr Budhdeo said Joogee Pharma securely destroyed data within 28 days of receipt, his case was that several care homes, acting independently, recently supplied Joogee with many documents dating back to 2016. This was inherently unlikely, and a “more likely explanation” was “that this is the result of data protection failures by [the Appellant] and/or [Joogee Pharma]” (paragraph 82(iii), (iv)).
The Tribunal found that, for the purposes of the GDPR, the Appellant was the controller of data processed by Joogee Pharma, for the following reasons:
Joogee Pharma’s only stated purpose was to collect medicinal waste on behalf of the Appellant who admitted that these “activities on its behalf constitutes data processing in relation to which [the Appellant] is the controller and [Joogee Pharma] the processor” (paragraph 82(viii) of the Tribunal’s reasons);
Mr Budhdeo gave evidence that the Appellant “stipulates the processes [Joogee Pharma] must follow, describing [its] collection activities as robotic…[and]…confirms that [its] waste disposal agreement with [the Appellant] did not distinguish between personal data and non-data”. The Tribunal found that “[the Appellant] was determining the purposes and means by which any personal data collected by [Joogee Pharma] would be processed” (paragraph 82(viii));
the argument that Joogee Pharma departed from the Appellant’s stipulated processes and thereby assumed the role of controller was rejected. Joogee Pharma “remained the processor rather than the controller of the data it processed”. Article 5(2) of the GDPR provides for the controller to retain responsibility for ensuring compliance with the Article 5(1) principles. While a “tipping point” may be reached, when the processor’s departure from agreed policies “becomes an arrogation of the controller’s role”, this did not happen. Mr Budhdeo was the sole director and shareholder of both companies and “appears to have been responsible for deciding which waste disposal processes [Joogee Pharma] would adopt as [the Appellant’s] agent”. Since the arrangement between the companies was not, before the MHRA’s search, committed to writing and the Appellant’s data processing policies remained incomplete, even after the MHRA’s search, there was “no basis upon which to conclude that [Joogee Pharma] departed to a material extent from any tangible data processing instructions it had received from [the Appellant]” (paragraph 82(ix)).
In relation to GDPR breaches, the Tribunal found as follows:
Joogee Pharma allowed some documents containing data processed on behalf of the Appellant to be stored in unlocked crates in an outside yard. Some documents became wet, and the yard was not an appropriately secure area. Joogee Pharma’s methods of data storage “did not afford sufficient protection against accidental loss or destruction”, and “this was a breach of the integrity and confidentiality requirements of Article 5(1)(f) [of the GDPR] for which [the Appellant] retained responsibility by virtue of Article 5(2)” (paragraph 83 of the Tribunal’s reasons);
at the date of the MHRA’s search, Joogee Pharma “was storing personal data in a form that permitted identification of data subjects for longer than necessary”, shown by the presence of data that was more than two years old. The Tribunal was “satisfied that the retention of this data by [Joogee Pharma] was a breach of the storage limitation requirements of Article 5(1)(e), for which [the Appellant] also retained responsibility by virtue of Article 5(2)”. The Tribunal also found that, apart from Mr Budhdeo’s testimony, there “was no contemporaneous evidence adduced to show when and how [Joogee Pharma] securely destroyed personal data on [the Appellant’s] behalf” (paragraph 84);
the Appellant’s “failure to devise adequate data processing policies contributed to [Joogee Pharma’s] breaches”. In particular, the absence of a retention policy and the lack of a clear explanation of the data destruction processes that Joogee Pharma was required to follow “must have contributed to [Joogee Pharma’s] breaches as it was provided with no appropriate procedures to follow” (paragraph 85);
contrary to Article 24(1) “[the Appellant] failed to implement appropriate and organisational measures to ensure that [Joogee Pharma’s] processing was performed in accordance with the GDPR” (paragraph 86);
the failure to implement such measures was also a breach of Article 32 of the GDPR “in that [the Appellant] failed to implement appropriate measures to ensure a level of security appropriate to the risks” (paragraph 86);
the Appellant accepted that “it breached the requirements of Articles 13 and/or 14 in relation to the provision of information in its Privacy Notice” (paragraph 87).
Whether a MPN was appropriate
The Tribunal found that 66,638 documents containing personal data were recovered by the MHRA (of which 53,871 contained special category personal data) rather than the 500,000 documents on which the Commissioner’s MPN was based.
The Tribunal concluded that the Commissioner had mistakenly thought that a MPN might be imposed for a breach of Article 24(1) of the GDPR. That was not the case “because it is not a breach of GDPR listed in s.149(2) [of the DPA 2018]” (paragraph 89 of the Tribunal’s reasons).
Apart from the number of seized documents / affected data subjects, the Tribunal adopted the Commissioner’s assessment of the matters specified in Article 83(2) (paragraph 90). The Commissioner’s assessment was not reproduced in the Tribunal’s reasons. It is found in paragraphs 47 to 67 of the MPN issued by the Commissioner on 17 December 2019. The key considerations were as follows:
the Appellant’s breaches were “both repeated, and negligent in character” and its subsequent attempts to improve compliance were not “relevant to how seriously defective the practices were at the date of the Breach” (paragraph 48 of the MPN);
nature of infringement (Article 83(2)(a)): the breach concerned the security of special category data “that should have been treated with the utmost care”. A controller operating the Appellant’s type of business should take its data protection obligations “far more seriously” and “therefore…the Breach resulted from a highly culpable degree of negligence on the part of [the Appellant]”. The data’s sensitivity made it “particularly important” to ensure compliance with Articles 13 and 14 of the GDPR but the Appellant “paid little or no attention to its regulatory obligations in this respect” (paragraphs 49, 50);
gravity of infringement (Article 83(2)(a)): the breach was “very serious” and concerned “highly sensitive information that was left unsecured in a cavalier fashion”. Data subjects could be “very readily identified and linked to data concerning their health”, and a high proportion of them were likely to be elderly or otherwise vulnerable. There were “very serious shortcomings in the information provided to data subjects through the privacy policy”, which was a significant infringement of subjects’ right to transparency about the processing of their personal data and was heightened by the data’s sensitive nature. No data subject would reasonably expect personal data relating to their health to be handled in the manner that it was (paragraphs 51, 52);
duration of infringement (Article 83(2)(a)): the exact duration of the breach was uncertain but, given the age of some data, it must have been “occurring, to some extent, since at least 25 May 2018”. That date was relevant because earlier breaches would fall to be dealt with under the previous data protection regime and, for the same reason, the Commissioner only took into account privacy notice inadequacies, under Articles 13 and 14, since 25 May 2018 (paragraphs 53, 54);
number of data subjects affected (Article 83(2)(a)): the Commissioner’s analysis of the number of affected data subjects was based on the assumption that some 500,000 documents were seized during the MHRA’s July 2018 search of the Premises;
damage suffered (Article 83(2)(a)): data subjects were not aware of the breach but, if they had been, “it could cause high levels of distress, although financial damage is unlikely”. The Article 13/14 infringements may also have caused distress – confusion or uncertainty – about the Appellant’s processing of sensitive personal data (paragraph 56);
intentional or negligent character of infringement (Article 83(2)(b)): Article 13 and 14 infringements were treated as negligent rather than intentional but “in both cases there is considerable evidence of extremely poor data protection practice, amounting to significantly negligent conduct” (paragraph 57);
action taken to mitigate damage (Article 83(2)(c)): the Commissioner was “unaware of any mitigation measure that [the Appellant] may have taken” although he did take into account subsequent, actual or intended, improvements in data protection practices. The Appellant was taking steps to improve written policies and contractual arrangements, and staff training. If properly implemented, the Appellant’s changes were likely to mitigate the ongoing Article 13/14 breach. The Commissioner gave “some credit” for this factor in determining the penalty amount but “notes that some of the policy documents provided remain in template form” (paragraphs 58, 59);
degree of responsibility (Article 83(2)(d)): there was “little to no evidence that measures to ensure data protection by design and default were in place”, as required by Article 25, nor that “any technical or organisational measures were in place to protect the affected data as required by Article 32”. This was a “major failing” for a controller that routinely processed large quantities of highly sensitive health data. The Appellant “bore full responsibility” for these infringements as well as “shortcomings of its privacy notice”. The GDPR’s implementation was extensively publicised in advance. Joogee Pharma’s role did not avoid the Appellant’s responsibility for ensuring “the security of any processing undertaken by it or on its behalf” (paragraph 60);
previous infringements (Article 83(2)(e)): no known previous infringements (paragraph 61);
cooperation with supervisory authority (Article 83(2)(f)): this was “poor”. The Appellant failed to “engage” which required multiple chasing emails from Commissioner staff. The Appellant appealed against the Information Notice but could have simply relied on section 143(6) of the DPA 2018 to withhold information that might be self-incriminating. However, the remedying or mitigation of the infringement was not hampered since the data was now secure and “data subjects unaware of the incident”. The Commissioner also acknowledged a more cooperative approach in representations made in response to the notice of intent to issue a MPN (paragraph 62);
categories of affected personal data (Article 83(2)(g)): “these include information allowing very easy identification of individuals…and sensitive, special category data relating to health (medical information, prescriptions)” (paragraph 63);
manner in which infringement became known to supervisory authority (Article 83(2)(h)): the Appellant did not notify the Commissioner (paragraph 64);
compliance with previous orders (Article 83(2)(j)); adherence to approved codes of conduct etc (Article 83(2)(k)): not applicable (paragraphs 65, 66);
other aggravating or mitigating factors (Article 83(2)(k)): the Appellant may have made “a modest financial gain” by saving on the costs of secure destruction or appropriate storage (paragraph 67).
While the Tribunal agreed with the Commissioner’s findings, save for the number of affected data subjects, it noted “in particular” findings as to the gravity of the breach and the risk of significant emotional distress to a vulnerable group of data subjects, and expressly agreed with the Commissioner that the “serious breaches” occasioned by Joogee Pharma’s activities were largely due to the Appellant’s “negligence in relation to its Article 24(1) and Article 32 obligations”. The Tribunal concluded “as a consequence that issuing an MPN is an effective, proportionate and dissuasive response to [the Appellant’s] contraventions” (paragraph 91 of the Tribunal’s reasons). Despite the reduced magnitude of the breach, the Tribunal found that “the contraventions identified are sufficiently serious to justify issuing a penalty” (paragraph 89).
Penalty amount
Having dismissed the appeal against the imposition of a MPN, the Tribunal turned to consider the appropriate penalty amount. The Tribunal was satisfied that the Commissioner’s initial indicative penalty of £400,000 was appropriate, based on the facts as then understood, as was the reduction to £275,000 in the light of the Appellant’s financial position (paragraph 92 of the Tribunal’s reasons). However, the Tribunal’s conclusion that far fewer data subjects must have been affected than assumed by the Commissioner, which followed from the finding that 67,000, rather than 500,000, relevant documents were seized by the MHRA, had to be taken into account in fixing a revised penalty.
The considerations taken into account by the Tribunal in fixing the amount of the penalty were as follows:
“the statutory intention of both the GDPR and DPA is that a higher financial penalty should be imposed under this that…the predecessor legislation” (paragraph 92 of the Tribunal’s reasons);
a penalty should not be avoided solely due to financial hardship, but this was an important consideration “in terms of mitigation”. In the Appellant’s case, it “has already been reflected in an appropriate manner in the MPN under appeal” (paragraph 93);
while the breach affected far fewer data subjects than originally assumed, the number of seized documents remained “very large” and, of these, 12,491 contained ordinary personal data and 53,871 special category data (paragraph 94);
most documents contained personal data of “highly vulnerable data subjects”, which was a “significant aggravating factor” (paragraph 94);
unlike the Commissioner, the Tribunal found that the Appellant had breached Article 5(1)(e) of the GDPR. Given that, and the “long list of aggravating criteria identified in the MPN”, it would not be appropriate simply to reduce the Commissioner’s £275,000 penalty in proportion to the reduced number of breach documents (paragraph 95).
Taking these matters into consideration, the Tribunal concluded as follows:
“96…I have decided that the amount of the MPN should be reduced to £92,000, which is a reduction of approximately two thirds”.
The Tribunal also dismissed the Enforcement Notice appeal. I shall describe its reasons briefly since the dismissal of that appeal is not challenged. The Tribunal concluded that it was “proportionate and reasonable” to issue an Enforcement Notice on 17 December 2019 “in relation to [the Appellant’s] data protection policies” (paragraph 97 of the Tribunal’s reasons). The steps taken by the Appellant before that date, in discussion with the Commissioner, to demonstrate GDPR-compliant policies were inadequate. At September 2019, the Appellant’s policy documents remained incomplete and “referred to some changes that were yet to be implemented” (paragraph 98).
Legislative framework
General Data Protection Regulation
The GDPR is preceded by a number of recitals, which include:
“(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators…and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors.
…(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility…
(148) In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation…The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process…
(150)…Imposing an administrative fine…does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.
…(152) Where this Regulation does not harmonise administrative penalties or where necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by Member State law.”
I need not set out the GDPR’s definition of “personal data” since it is not disputed that the documents seized by the MHRA contained personal data.
Article 9(1) prohibits the processing of “special categories” of personal data, including “data concerning health”, unless an exception in Article 9(2) applies. “Data concerning health” is defined by Article 4(15) as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
Article 4(2)’s definition of “processing” refers to various operations performed on personal data including storage, erasure and destruction.
The definitions of “controller” and “processor”, in Articles 4(7) and (8) respectively, are as follows:
“‘controller’ means the natural or legal person…which, alone or jointly with others, determines the purposes and means of the processing of personal data…
‘processor’ means a natural or legal person…which processes personal data on behalf of the controller”.
Article 5(1) lays down a number of principles for the processing of personal data, including that personal data must be:
“…(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed…(‘storage limitation’); and
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Article 5(2) provides that the “controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”.
Article 13 requires a controller to provide certain information to data subjects upon collection of their personal data, including the purposes of processing, the length of time for which personal data will be stored (or criteria used to determine the period of storage) and the existence of the right to request access to the data. Analogous requirements are imposed by Article 14 in cases where personal data are not collected from the data subject.
Article 24 imposes general obligations on a controller in that they relate to the entirety of the controller’s other obligations under the GDPR:
“1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.”
Article 25, entitled “Data protection by design and by default”, provides as follows:
“(1) Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures…which are designed to implement data-protection principles…in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
(2) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”
Article 28 concerns processing carried out on behalf of a controller:
“(1) Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
…(3) Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
(a) processes the personal data only on documented instructions from the controller…;
(c) takes all measures required pursuant to Article 32;
…(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller…
…(9) The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
(10) Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.”
Article 29 provides:
“The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.”
Article 32 imposes requirements in relation to the security of data processing:
“1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
…(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
(2) In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
Article 83 provides for imposition of administrative fines by a supervisory authority (the Information Commissioner is a supervisory authority: see Article 51):
“(1) Each supervisory authority shall ensure that the imposition of fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
(2) Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification measures pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly from the infringement.”
For administrative fine purposes, Article 83 categorises some GDPR infringements as more serious than others. The less serious infringements mentioned in Article 83(4) are subject to a maximum fine of the greater of 10,000,000 EUR or 2% of an undertaking’s total worldwide turnover for the preceding financial year. These infringements include breach of the obligations of a controller and processor under Articles 25, 28, 29 and 32. The more serious infringements mentioned in Article 83(5) are subject to a maximum fine of the greater of 20,000,000 EUR or 4% of an organisation’s total worldwide turnover for the preceding financial year. These infringements include breach of “the basic principles for processing, including conditions for consent, pursuant to Articles 5” and “the data subjects’ rights pursuant to Articles 12 to 22”. Neither category of infringement includes contravention of Article 24.
Data Protection Act 2018
The DPA 2018 seeks to implement the GDPR and many of its provisions operate by reference to the GDPR.
Section 155(1) permits the Commissioner to give a penalty notice (MPN) requiring a person to pay to the Commissioner the amount specified “if…satisfied that a person (a) has failed or is failing as described in section 149(2)”. Schedule 16(2) requires the Commissioner to give a ‘notice of intent’ before issuing a MPN.
Section 149(2) includes the following failures (which are also grounds for giving an Enforcement Notice under section 149(1)):
“(2) The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following –
(a) a provision of Chapter II of the GDPR [Articles 5 to 11]…
(b) a provision of Articles 12 to 22 of the GDPR…;
(c) a provision of Articles 25 to 39 of the GDPR…”
To the extent that a MPN concerns a matter to which the GDPR applies, the Commissioner must, in deciding whether to give a MPN and in determining the penalty amount, have regard to “the matters listed in Article 83(1) and 2 of the GDPR” (section 155(2)). For GDPR infringements, the maximum amount of the penalty is that specified in Article 83 of the GDPR. In other cases, the “standard maximum amount”, in section 157(6), closely resembles the maximum administrative fine provisions of Article 83.
Section 160(1) requires the Commissioner to produce and publish guidance about how he proposes to exercise functions in connection with penalty notices (amongst other matters). The guidance must include provision about the circumstances in which the Commissioner would consider it appropriate to give a MPN and an explanation of how penalty amounts will be determined (section 160(7)).
If a penalty is not duly paid, it is recoverable in England and Wales as if payable under an order of the county court or High Court, if the court so orders (paragraph 9(2) of Schedule 16).
Section 162(1) allows a person given a MPN to appeal to the First-tier Tribunal. A person may appeal against the amount of a penalty without appealing against the MPN (section 162(3)).
On appeal, the Tribunal may “review any determination of fact on which the notice or decision against which the appeal is brought was based” (section 163(2)). If the Tribunal considers that the penalty notice is not in accordance with the law or the Commissioner ought to have exercised any discretion differently, the Tribunal “must allow the appeal or substitute another notice…which the Commissioner could have given…”.
An onward right of appeal to the Upper Tribunal against the First-tier Tribunal’s decision lies on “any point of law arising from” the decision (section 11(1) of the Tribunals, Courts and Enforcement Act 2007).
Grounds of appeal, and the parties’ submissions
The First-tier Tribunal granted the Appellant permission to appeal to the Upper Tribunal on all seven grounds put to that tribunal.
Ground 1 – Tribunal’s general approach to burden of proof
This ground is that the Tribunal conducted the Appellant’s appeal “on a legally flawed basis and in a legally flawed way” by:
(a) giving “careful attention” to the Commissioner’s reasons for imposing the MPN;
(b) accepting as broadly correct the Commissioner’s submission that the burden of proof was “of secondary importance in the context of a full merits review”;
(c) holding that only an “initial evidential burden” was placed on the Commissioner which shifted to the Appellant “once evidence of the infringements [had] been introduced”;
(d) holding that the “burden of proof is of secondary importance in the context of a full merits review” (this appears to me to be a repetition of sub-ground (b)).
The “legally correct approach”, which the Tribunal failed to follow, required the Commissioner to satisfy the Tribunal afresh, based on the evidence, of the “matters in DPA s 155(2)-(3)”. The legal and evidential burden started and remained with the Commissioner to show that the statutory conditions for giving a MPN were met, the discretion to give a MPN was in favour of its imposition and the amount of an appropriate penalty. No deference should have been given to the Commissioner’s reasons for giving a MPN because it was for the Tribunal to consider for itself what was the “right and just decision”.
Ground 1 - arguments
I shall not describe here the arguments on sub-ground (a) because, in my opinion, it duplicates Ground 2.
At the hearing of this appeal, Mr Coppel KC for the Appellant argued that Grounds 1 to 3 were linked, and their cumulative effect was greater than the sum of their parts. He also argued that, over the last 25 years or so, regulatory powers have shifted away from conferring power on a regulator to bring a criminal prosecution as a means of dealing with regulatory breaches. That ‘time-honoured’ approach, both in this country and abroad, supplied important protection against an ‘overbearing state’. The modern preference, however, is for regulatory systems under which a regulator imposes a financial penalty so that, if the penalty is disputed, the onus is on the penalised person to instigate proceedings. The resultant ‘fairness downgrade’ is sometimes tempered by relatively modest and/or fixed penalty amounts as well as the opportunity afforded to avoid the adverse publicity that might accompany formal legal proceedings. But that is not the case with a MPN, which is why the First-tier Tribunal’s role is so important. In this case, the Tribunal failed to provide the Appellant with the level playing field to which it was entitled.
The Tribunal was required, submits the Appellant, to consider for itself whether the material relied on by the Commissioner rendered the MPN both right (statutory conditions met) and just (appropriate, as regards imposition of a MPN and amount of penalty). This involves more than simply ‘marking the Commissioner’s homework’; it places the Commissioner under both a legislative and evidential burden.
The Commissioner argues that the Tribunal’s approach to the burden of proof was consistent with the Court of Appeal’s judgment in Khan v Customs and Excise Commissioners [2006] EWCA Civ 89, [2006] STC 1167. In Khan, a VAT penalty case, it was accepted that the first instance tribunal correctly placed on HM Revenue & Customs the burden of proving that the appellant had acted for the purpose of evading VAT and that his conduct involved dishonesty (I note that section 60(7) of the 1994 Act expressly provided that “…the burden of proof as to [these matters] shall lie upon the Commissioners”). On appeal to the High Court, the dispute concerned other aspects of the penalty-setting exercise including whether the burden was on HMRC to show, as the Court put it at [63], that “the best of judgment assessment (by reference to which the penalty was calculated) was correct”. Before the Court of Appeal, HMRC conceded that the burden was on them to prove “the quantum of tax evaded” ([67]). The Court of Appeal, however, was “reluctant to allow this judgment to rest simply on concessions” ([68]). Carnwath LJ said:
“70…the general principle, in my view, is that, where a statute gives a right of appeal against enforcement action taken by a public authority, the burden of establishing the grounds of appeal lies on the person appealing….
71. That principle is well-established in other statutory contexts, particularly where the relevant facts are peculiarly within the knowledge of the person appealing. For example, a local planning authority may serve an enforcement notice if it "appears" that there has been a breach of planning control. The owner can appeal against the notice on various grounds, which may, for example, include a denial of the acts complained of, or a claim that permission is not required. It has long been clear law that the burden of proof rests on the appellant. That was confirmed recently in this court in Hill v Secretary of State for Transport [2003] EWCA Civ 1904. Buxton LJ said:
"43. The appellant accepted that there is a longstanding decision in planning law, Nelsovil Ltd v Minister of Housing and Local Government [1962] 1 WLR 404, which has been generally regarded as placing the burden of proof on the appellant in an enforcement notice appeal. That view was developed in the leading judgment of Widgery J and pungently summarised by Slade J at page 409 of the report:
"It is a novel proposition to me that an appellant does not have to prove his case."
44… The general principle that the appellant must prove his case seems to be unassailable…"
72. It is true that both Nelsovil and Hill were planning cases, but the statements in the former were expressed quite generally. There may of course be something in the nature of the appeal, or the statutory context, which requires a different approach. For example, under the jurisdiction of the Transport Tribunal, it was held that, whereas on appeal against refusal of a licence the burden lay on the appellant, that was reversed on an appeal against revocation of a licence (see Muck It Ltd v Secretary of State [2005] EWCA Civ 1124). That decision turned on the construction of the particular regulations and the European Directive on which they were based.
73. The ordinary presumption, therefore, is that it is for the appellant to prove his case. That approach seems to me to be the correct starting-point in relation to the other categories of appeals with which we are concerned under section 83, including the appeal against a civil penalty. The burden rests with the appellant except where the statute has expressly or impliedly provided otherwise. Thus, the burden of proof clearly rests on Customs to prove intention to evade VAT and dishonesty. In addition, in most cases proof of intention to evade is likely to depend partly on proof of the fact of evasion, and for that purpose Customs will need to satisfy at least the tribunal that the threshold has been exceeded. But, as to the precise calculation of the amount of tax due, in my view, the burden rests on the appellant for all purposes.”
At the hearing, Mr Coppel argued that Khan was ‘inspired’ by planning case law and should be confined to that and tax penalty contexts.
The Commissioner submits that the First-tier Tribunal’s approach to the burden of proof – that it is of secondary importance in the context of a full merits review – was consistent with authorities under section 136 of the Equality Act 2010, even though section 136 expressly provides for a shifting of the burden of proof. And, as the Supreme Court has said, “it is important not to make too much of the role of the burden of proof provisions” (Hewage v Grampian Health Board [2012] UKSC 372). The burden of proof in MPN proceedings is broadly neutral, with the same initial burden faced by both Commissioner and Appellant. At paragraph 38 of its reasons, the Tribunal made the straightforward point that, if the Commissioner cannot point to any evidence of infringement, there is no basis on which to find an infringement, which is consistent with the DPA 2018’s requirement, in sections 149(1) and 155(1), that the Commissioner must be “satisfied” of certain matters. While the Commissioner is not required to ‘show’ or ‘prove’ relevant matters, he must act rationally in reaching his conclusions and accepts that he bears an ‘initial evidential burden’ of “gathering evidence of the infringement” and must also set out the evidence relied on when imposing a MPN.
The Appellant submits that the Commissioner effectively argues that, provided that he acts rationally in finding an infringement, the evidential burden shifts to the Appellant who is required to prove there was no infringement. This argument would amplify the Tribunal’s mistaken approach. It would relieve the Commissioner of any requirement to prove a breach of data protection legislation. All the Commissioner would be required to do was show that he acted rationally in reaching his conclusions. At the hearing, Mr Coppel argued that this was the difference between the Commissioner having to produce sufficient or only ‘some’ evidence to support a MPN. He also argued that, if the Commissioner were able to discharge his evidential burden simply by reference to the MPN under appeal, any semblance of fairness would be destroyed and the Commissioner could succeed without ever going to the trouble of calling witnesses. Mr Coppel further argued that, on the Commissioner’s submission, a full merits review would be degraded into no more than a judicial review. The argument that the Commissioner’s submission simply reflects the ‘standard approach to the burden of proof in adversarial proceedings’ is seriously misguided.
The Commissioner rejects the argument that his submissions describe a judicial review-type role for the First-tier Tribunal. The Tribunal conducts a re-hearing of the facts rather than a review of the MPN in a narrow public law sense (see Central London Community Healthcare NHS Trust v The Information Commissioner [2013] UKUT 551 (AAC) at [49]). The Appellant misunderstands the Commissioner’s case. It is obvious that the Commissioner must present a factual case to the Tribunal which may be done, at a minimum, by reference to the notice under appeal. At the hearing, Mr Lockley confirmed that he did not argue that this was the approach taken by the present tribunal but, instead, he sought to identify the qualitative minimum necessary to discharge the Commissioner’s evidential burden.
The Commissioner argues that the Tribunal’s function under section 162 of the DPA 2018, of carrying out a full merits review, comprises a quasi-investigative role such that the Tribunal may, of its own accord, decide that the evidential case for an infringement is not made out. Typically, however, it is for an appellant to show why the Commissioner got it wrong, and in this sense an evidential burden falls on an appellant. This is the standard approach to the burden of proof in adversarial proceedings, as confirmed in Khan. In the absence of contrary statutory provision, it is for a claimant / appellant to prove its case. The proposition of law set out in Khan, at [70], was clearly intended to be of general application. While that case concerned civil penalties under VAT legislation, the Court considered “other statutory contexts”, at [70], and cited statements of principle that were “expressed quite generally”, at [72].
The quasi-investigative role ascribed to the Tribunal by the Commissioner does not really exist, argues the Appellant. It is not reflected in any legislative provision, and, in practice, the Tribunal lacks the necessary administrative apparatus. The investigative role is vested in the Commissioner, and it follows that he bears the burden of putting before the Tribunal evidence of the results of his investigation and whatever other evidence he relies on. For the Commissioner to succeed, argues the Appellant, that evidence must be sufficient to satisfy the Tribunal of an infringement for which a penalty is a just sanction.
The significance given to Khan by the Commissioner is based, argues the Appellant, on a contextual misunderstanding. Khan concerned a penalty imposed under legislation which provided for a purely arithmetical means of fixing a penalty amount. Khan referred, at [9], to the avoidance of the stigma associated with, as hitherto, criminal prosecution for an offence involving dishonesty. The Commissioner, however, publishes MPNs on his website. The Court of Appeal was also influenced by the Value Added Tax Tribunals Rules 1986 which made special provision for evasion penalty appeals and afforded procedural protections absent under the present Tribunal’s rules.
The Appellant argues that Khan, at [72], recognises that a different approach is appropriate depending on whether regulatory action confers or removes a benefit. Where a regulator imposes a dis-benefit, the regulator should be required to satisfy a tribunal that all necessary conditions are satisfied. It follows that, in relation to a MPN, the Commissioner’s burden extends to persuading the Tribunal that the penalty amount is appropriate. The Commissioner disagrees and argues that Khan, at [72], where the Court identified cases in which a different approach is required, does not undermine the ordinary presumption in [73]. The presumption applies in the absence of contrary statutory provision. There is clearly no express provision in the DPA 2018, nor may such properly be implied. The DPA 2018 speaks only of the need for the Commissioner to be ‘satisfied’ of certain matters. On appeal, the Tribunal must satisfy itself “independently and afresh” that the conditions for a MPN are made out (Information Commissioner v Home Office [2011] UKUT 17 (AAC) at [59]). Furthermore, the GDPR, in Articles 5(2) and 24(1), requires a controller to be able to demonstrate compliance. In those circumstances, there is nothing objectionable in requiring the appellant, in proceedings before the Tribunal, to show why a penalty imposed for breaching that legislation was wrong.
The Commissioner argues that the fair trial guarantees in Article 6 of the European Convention on Human Rights make no material difference, even if a MPN amounts to a criminal charge for Article 6 purposes. The important issue is whether the MPN scheme, as a whole, is consistent with Article 6’s guarantees. The Appellant’s submissions on Euro Wines (C&C) Ltd v HMRC [2016] UKUT 359 (TCC) ended with the Upper Tribunal’s finding, at [29], that the penalty in that case was criminal in nature for the purposes of Article 6. The Appellant overlooked, argued Mr Lockley at the hearing, the Upper Tribunal’s subsequent discussion of the consequences which, at [34] to [38], explained why reversal of the burden of proof is not necessarily incompatible with Article 6’s requirement for a presumption of innocence for a person facing a criminal charge. In Euro Wines, at [40], the Upper Tribunal also acknowledged that the penalised person may, in that case, have found it difficult to ascertain whether duty had been paid on a chain of transactions. It is noteworthy, submits the Commissioner, that this consideration was not decisive and it strengthens his case because it should not have been unduly difficult for the present Appellant to have obtained the information necessary to show GDPR compliance.
The Commissioner also relies on Janosevic v Sweden (2004) 38 EHRR 22 in which a taxpayer argued that the Swedish tax surcharges system, under which an administrative court carried out a full merits review of a tax authority’s decision, contravened Article 6’s presumption of innocence. Mr Lockley draws my attention to the European Court of Human Rights’ description, at [98], that “it is for the [Swedish] Tax Authority to show that there are grounds, under the relevant laws, for imposing the tax surcharges” and asks me to note that, at [100], it went on to say this about the Swedish tax legislation’s provision for remission of surcharges:
“…as the duty to consider whether there are grounds for remission only arises in so far as the facts of the case warrant it, the burden of proving that there is reason to remit is, in effect, on the taxpayer.”
The Commissioner submits that, in Janosevic, the Court did not propound a general rule to the effect of ‘the taxpayer must show’. Its analysis arose out of the natural role of the parties in the type of case under analysis. The Court’s remarks were very similar to those of the Tribunal, at paragraph 38 of its reasons, that an initial evidential burden falls on the Commissioner which effectively shifts to the appellant once evidence of the infringement has been introduced.
By reference to the criteria identified by Lord Bingham in Sheldrake v Director of Public Prosecutions [2005] 1 AC 264, at [21], for determining whether a presumption of fact or law is compatible with Article 6’s criminal fair trial guarantees, the Commissioner submits:
in MPN proceedings before the Tribunal, the appellant has the opportunity to rebut the case against it, given that the proceedings involve a full merits review, the appeal is of right and cost free;
the Tribunal has its own power to assess the evidence;
there is the potential for significant financial implications, but deprivation of liberty is not an issue;
if the Commissioner were required to meet more than an initial evidential burden, his enforcement work would be hampered because his primary source of evidence is always the answers given by a data controller to questions posed by his staff;
the Commissioner’s work is clearly very important since he seeks to protect the fundamental rights of data subjects.
If the Tribunal’s ‘initial evidential burden’ approach amounts to a presumption of fact or law, and if MPN proceedings amount to a criminal charge for Article 6 purposes, the Commissioner argues that the Tribunal’s approach was compatible with Article 6.
The Commissioner submits that, even if the Appellant’s arguments are correct in the abstract, they fail to explain how the Tribunal’s supposed error of approach made a difference to the outcome. As Mr Lockley put it at the hearing, one ‘looks in vain’ for any indication of what the Tribunal should have done differently.
Ground 2 – reliance on Hope & Glory
Ground 2 is that the reliance placed by the Tribunal on the Court of Appeal’s decision in Hope and Glory, in holding that “careful attention” should be paid to the Commissioner’s reasons, was misplaced. The Court of Appeal’s decision was informed by matters that are not applicable in the present context:
the point was conceded by counsel;
licensing authority decisions are given in the exercise of “a power delegated by the people as a whole to decide what the public interest requires”; and
licensing authority sub-committees are comprised of elected individuals who are answerable to their electors.
Ground 2 – arguments
In Hope and Glory, which concerned the decision of a district judge (magistrates’ court) on appeal against the decision of a local authority’s licensing sub-committee, the Court of Appeal said:
“39…the issues are quite narrow. They are: (1) How much weight was the district judge entitled to give to the decision of the licensing authority? (2) More particularly, was he right to hold that he should only allow the appeal if satisfied that the decision of the licensing authority was wrong?...
41…the licensing function of a licensing authority is an administrative function. By contrast, the function of the district judge is a judicial function. The licensing authority has a duty, in accordance with the rule of law, to behave fairly in the decision-making procedure, but the decision itself is not a judicial or quasi-judicial act. It is the exercise of a power delegated by the people as a whole to decide what the public interest requires…
42. Licensing decisions often involve weighing a variety of competing considerations…They involve an evaluation of what is to be regarded as reasonably acceptable in the particular location…
43. The statutory duty of the licensing authority to give reasons for its decision serves a number of purposes. It informs the public, who can make their views known to their elected representatives if they do not like the licensing sub-committee’s approach. It enables a party aggrieved by the decision to know why it has lost and to consider the prospects of a successful appeal. If an appeal is brought, it enables the magistrates’ court to know the reasons which led to the decision. The fuller and clearer the reasons, the more force they are likely to carry.
…45. Given all the variables, the proper conclusion to the first question can only be stated in very general terms. It is right in all cases that the magistrates’ court should pay careful attention to the reasons given by the licensing authority for arriving at the decision under appeal, bearing in mind that Parliament has chosen to place responsibility for making such decisions on local authorities. The weight which the magistrates should ultimately attach to those reasons must be a matter for their judgment in all the circumstances, taking into account the fullness and clarity of the reasons, the nature of the issues and the evidence given on the appeal.
…48. It is normal for an appellant to have the responsibility of persuading the court that it should reverse the order under appeal…We see no indication that Parliament intended to create an exception in the case of appeals under the 2003 Act.”
The Commissioner argues that Hope and Glory was confirmed and ‘generalised’ by the Supreme Court in Hesham Ali v Secretary of State for the Home Department [2016] UKSC 60, [2016] 1 WLR 4799. In Hesham Ali, which concerned deportation of foreign criminals, Lord Reed said:
“44 ....in considering the issue arising under article 8 in the light of its findings of fact, the appellate authority should give appropriate weight to the reasons relied on by the Secretary of State to justify the decision under appeal. In that connection, Lord Bingham [in Huang v Secretary of State for the Home Department [2007] UKHL 11, [2007] 2 AC 167] gave as examples a case where attention was paid to the Secretary of State’s judgment that the probability of deportation if a serious offence was committed had a general deterrent effect, and another case where weight was given to the Secretary of State’s judgment that the appellant posed a threat to public order. [Lord Bingham] continued:
‘[16] The giving of weight to factors such as these is not, in our opinion, aptly described as deference: it is performance of the ordinary judicial task of weighing up the competing considerations on each side and according appropriate weight to the judgment of a person with responsibility for a given subject matter and access to special sources of knowledge and advice. That is how any rational judicial decision-maker is likely to proceed.’
45. It may be helpful to say more about this point. Where an appellate court or tribunal has to reach its own decision, after hearing evidence, it does not, in general, simply start afresh and disregard the decision under appeal. That was made clear in Sagnata Investments Ltd v Norwich Corpn [1971] 2 QB 614, concerned with an appeal to quarter sessions against a licensing decision taken by a local authority. In a more recent licensing case, R (Hope & Glory Public House Ltd) v City of Westminster Magistrates’ Court [2011] PTSR 868, para 45...”.
According to Mr Coppel’s skeleton argument for the Appellant, “the enormity of [the Tribunal’s Hope and Glory] reasoning cannot be overstated”. If taken to its natural conclusion, we would end up with a system in which (a) a regulator could, without being subject to any external scrutiny, impose a multi-million pound penalty payment; (b) payment of the penalty could only be avoided by appealing to a tribunal; (c) on the appeal, the Commissioner would, in relation to the infringement question, have to meet only an initial evidential burden and, if he did, the Appellant would have the burden of establishing that the MPN should not have been imposed whether at all or in amount. By its self-direction to pay “careful attention” to the Commissioner’s reasons, simply because Parliament entrusted it with decision-making responsibilities, the Tribunal tilted the playing field in favour of the regulator. That is clearly unfair and, in the words of the Appellant’s skeleton argument, “not something that any respectable legal system would countenance”.
The Appellant argues that the Commissioner misreads both Hope and Glory and Hesham Ali.
Hope and Glory was concerned with licensing decisions, not imposition of penalties. Central to the Court of Appeal’s reasoning, argues the Appellant, was that a licensing system focusses on local needs and concerns. The licensing sub-committee of a local authority is best placed to make, and be accountable for, decisions about local matters. This is why the Court, at [41], described the licensing decision as involving “the exercise of a power delegated by the people as a whole to decide what the public interest requires”, and contrasted it with a judicial or quasi-judicial act. It was this analysis that led the Court to make its remarks, at [48], concerning an appellant’s burden of persuasion.
Regarding Hesham Ali, the deportation of ‘foreign criminals’ is not, argued Mr Coppel at the hearing, a promising start for the proposition that the Supreme Court’s decision ‘generalised’ Hope and Glory. Further distinguishing contextual factors were that, on appeal, deportation decisions were scrutinised by a tribunal that carried out a full merits review and cases frequently involved claims that Article 8 of the European Convention on Human Rights prevented deportation. The Appellant submits that ‘this point’, in Hesham Ali, at [45], meant issues arising under Article 8 and, accordingly, the Supreme Court applied, or ‘generalised’, Hope and Glory only to that limited extent. That reading is supported by the reference, at [45], to the Secretary of State’s decision-making ‘answerability’ in which the Court drew, even if impliedly, an analogy with the elected licensing decision makers in Hope and Glory. There is no principled basis upon which either decision could be applied to proceedings on an appeal against a MPN and the present Tribunal’s misreading of the case law meant that it improperly deferred to the Commissioner’s MPN decision and reasons. The Upper Tribunal cannot be confident that, had the Tribunal not misunderstood the authorities, it would have reached the same conclusion.
The Commissioner argues that the Appellant’s attempt to confine the application of Hope and Glory is a ‘hopeless exercise’. The Court of Appeal’s reference, at [45], to ‘an appeal court or tribunal’ can only be sensibly read as part of a proposition of law of general application. The ‘administrative functions’ referred to in Hope and Glory, at [41], are analogous to the function of imposing an MPN. Hope and Glory is not limited in its application to decisions given by bodies comprised of publicly elected individuals. The ‘highest authority’ (Hope and Glory, as approved by the Supreme Court in Hesham Ali) prevents a Tribunal from disregarding the decision under appeal. It instead requires careful attention to be paid to the decision but the actual weight to be given to the decision is such as the Tribunal considers appropriate. The Appellant argues that this would necessarily involve giving great weight to the Commissioner’s decision and, as Mr Coppel’s skeleton argument puts it, “every public law practitioner knows that the weight that a decision-maker gives to a relevant factor is nigh on impossible to impugn on appeal”. The Commissioner disagrees. ‘Due weight’ does not necessarily contemplate great weight being given to the Commissioner’s decision. As Mr Lockley put it at the hearing, if the Commissioner were to issue a ‘wholly rotten’ decision, the Tribunal could and should give it no weight at all.
If there were any doubt as to the generality of Hope and Glory, the Commissioner argues that it was dispelled by the unanimous decision in Hesham Ali which approved the Court of Appeal’s approach in terms that generalised its application or, at least, in terms applicable to MPN proceedings. At [44], Lord Reed expressed himself using general language, and the same applies to the cited words of Lord Bingham in Huang. The language used by Lord Reed, at [45], clearly sets out a proposition of general application (“where an appellate court or tribunal has to reach its own decision”). The ‘administrative functions’ referred to in Hope and Glory, at [41], are analogous to the function of imposing an MPN and [42] cannot sensibly be read as limited to functions exercised by bodies comprised of publicly elected individuals. The common thread is an administrative decision that imposes a significant disbenefit and carries a right of appeal to a tribunal.
The Commissioner also argues that the Appellant mischaracterises the nature of the legal principle expounded in Hope and Glory, treating it as an injunction to give significant weight, or pay deference, to a regulator’s decision when the Court of Appeal said no such thing. The Court made the uncontentious point, at [44], that ‘appropriate weight’ should be given to the decision under challenge. Moreover, notably absent from the Appellant’s submissions is any specific example of undue deference having been given by the present Tribunal to the Commissioner’s decision or reasons. The Tribunal’s reference to ‘careful attention’ is unobjectionable; it is obvious that careful attention ought to be given to the decision under appeal. In any event, it cannot be argued that the Tribunal simply deferred to the Commissioner not least because it gave no weight to the Commissioner’s findings as to the number of documents seized by the MHRA. At the hearing, Mr Coppel argued that a requirement for a tribunal to give ‘appropriate’ weight to a regulator’s decision was objectionable in principle because it effectively immunised the tribunal’s decision from challenge on appeal.
At the hearing, Mr Coppel argued that Hope and Glory was also distinguishable because it involved conferral of a benefit. I asked him to explain why since it involved attaching conditions to – placing restrictions on – an existing licence and he submitted that Hope and Glory involved a regulatory act that was ‘not a positive disbenefit’. By contrast, a MPN is the imposition of a positive dis-benefit by an unelected regulatory body.
Ground 3 – civil or criminal standard of proof
This ground is that the Tribunal’s finding that the civil, rather than criminal, standard of proof applied in First-tier Tribunal MPN proceedings was based on flawed reasoning:
the Tribunal was “wrongly influenced” by the forum in which the appeal was conducted and by other provisions of DPA 2018 which allow criminal prosecutions to be brought by the Commissioner and the DPP. Neither consideration shed light on the standard of proof;
the Tribunal was “wrongly influenced” by section 155(1)(a) of the DPA 2018’s use of ‘satisfied’ since this is relevant only to the burden of proof;
the Tribunal “wrongly concentrated” on terminology, in particular the term ‘administrative fine’ which was not “dispositive of the issue”;
the Tribunal “wrongly did not take into account” certain features of a MPN all of which pointed to a criminal standard of proof. These were:
a penalty is punitive, not coercive, and the potentially large amounts involved may easily be capable of destroying a business and its employees’ livelihoods;
a penalty was potentially an additional sanction for a breach already dealt with by a coercive sanction such as an Enforcement Notice;
the quantum of a penalty is “referable to criteria that mimic the criteria imposed by criminal courts on conviction for offences”;
“a free-standing compensation regime for those harmed by the conduct the subject of the MPN, with the penalty being paid into Consolidated Revenue”;
the enforcement system is the same as that applicable to a fine imposed by a Magistrates’ Court;
ECHR and domestic authorities cited to the Tribunal (not specified in the Appellant’s notice of appeal to the Upper Tribunal); and
“the common law principle of doubtful penalisation”.
Had the Tribunal “gone about the legal analysis in the correct way”, it would have concluded that the criminal standard of proof applied on an appeal against a MPN.
Ground 3 – the arguments
By the date of the hearing before myself, the ground 3 issues had been clarified. The Appellant’s case is that domestic law authorities, that is authorities other than those under Article 6 of the European Convention on Human Rights, compel the criminal standard of proof in MPN tribunal proceedings. If the Appellant is wrong about that, its alternative argument is that MPN proceedings involve the determination of a criminal charge for the purposes of Article 6 and, for that reason, the criminal standard of proof is required. There are some spin-off arguments as well, but the main thrust of the Ground 3 arguments is as just described.
In Re B (children) (sexual abuse: standard of proof) [2008] UKHL 35, Lord Hoffman identified, at [5], a category of case which, while determined in proceedings classified as civil, “nevertheless…because of the serious consequences of the proceedings, the criminal standard of proof or something like it should be applied”. The Appellant argues that MPN proceedings have such serious consequences and, accordingly, the criminal standard of proof applies.
The Appellant argues that “the attributes and consequences of a monetary penalty are overwhelmingly consistent with it being a penal sanction” under domestic law so that, on a MPN appeal, disputed matters of fact are to be resolved according to the criminal standard of proof. The ‘attributes and consequences’ which demonstrate that the MPN is essentially a punitive measure are as follows:
the immediate concern of a MPN is not compliance or enforcement, rather it is punishment for failing to comply with data protection requirements and this is shown by the terms of section 155(3), DPA 2018;
the MPN’s punitive character is underscored by comparison with the Commissioner’s other tools under the DPA 2018 for responding to non-compliance with data protection requirements. Information, Assessment and Enforcement Notices are all directed at coercing compliance. A MPN, however, may be given under section 155(1)(b), DPA 2018 where a person fails to comply with one of these coercive notices. In this respect, the MPN is indistinguishable in outcome from a fine for non-compliance with an enforcement notice under other regulatory regimes, such as planning. In those cases, the fine is an undeniably penal sanction imposed at the end of a criminal process;
the amount of the penalty is “set by reference to criteria that mimic the criteria applied by criminal courts on conviction for offences”. The criteria provided for by section 155(2) and (3), DPA 2018, resemble those under sections 63, 65, 73, 74, 124 and 125 of the Sentencing Act 2020 as well as the Sentencing Council’s guidelines for various regulatory offences. Unlike other statutory penalties, such as tax-related penalties, the amount is not set by reference to the financial benefits of non-compliance;
the maximum penalty is consistent with a punitive regime. The maxima under section 157, DPA 2018, and Article 83 of the GDPR cannot be compared with other penalty regimes, for example those under tax legislation. In this respect, MPNs are in a class of their own. The maximum penalty amounts are not theoretical. At the hearing, Mr Coppel informed me that, to his knowledge, the Commissioner has issued numerous Notices of Intent to impose penalties of “tens of millions of pounds” and, in one case, more than £100 million (Mr Coppel conceded that, in most of these cases, the final penalty was significantly reduced). The potential penalties are quite sufficient to put an end to a business and, in turn, employees’ livelihoods. The Commissioner’s reliance on the GDPR’s reference to administrative fines as “dissuasive” is misplaced. Given the enormous penalties that may be imposed, even if a MPN is dissuasive in effect, it is also punitive. Seriousness must be evaluated according to the penalty that could be imposed because there clearly cannot be different standards of proof for proceedings concerned with a single type of penalty;
a MPN does not affect a data subject’s right to compensation for material and non-material damage resulting from non-compliance with data protection requirements (see sections 168 and 169, DPA 2018). It follows that the purpose of a MPN is punitive;
where a penalty is paid, the ultimate destination of the monies is the Consolidated Revenue (Schedule 12(1) to DPA 2018). The sums are used neither to compensate a data subject nor defray administrative enforcement costs;
by paragraph 9(2) of Schedule 16 to DPA 2018, enforcement of a MPN utilises the same procedure as applies to payment of a fine imposed by a Magistrates’ Court (see Magistrates’ Courts Act 1980, section 87(1)).
At the hearing, Mr Coppel argued that publicity, and associated stigma, was a further factor supporting a MPN’s classification as a penal sanction (Mr Lockley, for the Commissioner, considered this a new point but did not formally object). Once a MPN is imposed, it enters the public domain. By contrast, no one knows whether someone has been given, say, a tax-related civil penalty, unless the individual chooses to disclose it. Like the situation faced by a person charged with a criminal offence, the imposition of a MPN is a matter of public knowledge. Mr Coppel even went so far as to argue at the hearing that the Commissioner publishes MPNs on his website as ‘trophies of zeal and vigour’, shielded from legal consequence by privilege. He said it was a ‘disgrace’ that, for many months after the Tribunal’s decision, the Commissioner’s website continued to display the original, much greater, MPN of £275,000. I asked Mr Coppel if he argued that the DPA 2018 created for reporting of MPNs some kind of statutory privilege against defamation claims. From his response, I think the point is that reports of published MPNs are shielded from defamation suits because the reporter may easily avail itself of the defence of justification.
The Commissioner submits that MPN proceedings do not have the ‘serious consequences’ referred to by Lord Hoffman in Re B. The Commissioner relies on the Upper Tribunal’s decision in HM Revenue & Customs v Khawaja [2013] UKUT 353 (TCC) in which it:
held, at [39], that “the application of the civil standard to penalty proceedings of the nature at issue in the appeal was in accordance with domestic law”;
observed, at [181], that it does not necessarily follow “that in all cases where an allegation is serious and has serious consequences for an individual that the allegation must be proved on the criminal standard”;
observed, at [191], that the fact that a substantial financial penalty may result does not in itself amount to the serious consequences necessary to bring a case within the category identified by Lord Hoffman.
The Commissioner also relies on the Upper Tribunal’s decision in Hackett v HM Revenue & Customs [2020] UKUT 0212 (TCC) which observed, at [86], that “neither is there any suggestion in the authorities that there may be a heightened standard simply because the matter involves a serious fraud with a large penalty”. The Upper Tribunal also noted Mann J’s recognition in HMRC v Khawaja [2008] EWHC 1687 (Ch) that, while there was a “presumed civil standard of proof” on tax penalty appeals, this was only a starting point and “there are cases in which the consequences are so serious, or the nature of the claim as such, that the imposition of a criminal standard of proof is required”. Hackett also referred to the decision in Hannam v FCA [2014] UKUT 0233 (TCC) but noted that the (civil) penalty under analysis in that case was but one of a number of disciplinary responses available to the regulator and the applicable criteria were disciplinary, rather than penal, in character. Hannam recognised, at [80], that “serious consequences of the proceedings” might call for the criminal standard of proof although the serious financial and reputational consequences of the penalty did not, of themselves, call for the criminal standard of proof. Despite the potential for large penalties, this consideration led the Tribunal, at [191], to hold that a person against whom allegations of market abuse are raised is not “entitled to the same sort of protection as a person whose fundamental liberties are at risk, any more than a person whose livelihood is at risk is entitled to such protection”.
Hackett held that the civil standard of proof applied to the tax-related penalty proceedings at issue and the Commissioner argues that the Upper Tribunal’s reasoning applies equally to MPN proceedings and points overwhelmingly to the civil standard of proof. The relevant tax legislation suggested a unified civil penalty regime for both deliberate and negligent contraventions ([84]); amount of penalty alone did not satisfy the ‘serious consequences’ test (even though Hackett involved a personal liability notice of nearly £13 million); there was no restriction on liberty ([86]); since the civil standard had already been held appropriate in dishonesty cases, it could also be applied in cases requiring proof of ‘deliberate’ conduct ([87-88]).
At the hearing, Mr Lockley disagreed that Hannam was distinguishable because it involved a penalty imposed according to a prescribed formula. Section 123 of the Financial Services and Markets Act 2000 refers to a penalty in such amount as is appropriate.
The Appellant argues that the Commissioner’s reliance on Hackett is misplaced. The liability notice in that case was given under Schedule 24(19) to the Finance Act 2007, which is in Part 6 of that Act, entitled “Investigations, Administration, etc” and includes criminal provisions. Schedule 24 operates in large part by reference to concepts of falsity and deliberateness and the calculation of a penalty involves a large arithmetical component, generally referable to the amount of tax or income not declared. The MPN, by contrast, is concerned with neither criminality nor falsity. The only common feature is the word “penalty” and the appeal mechanism.
At the hearing, Mr Coppel submitted that, in Khan, Carnwath LJ’s approach to the standard of proof was ‘inspired’ by planning cases (I observe that Carnwath LJ did not hold that the civil standard of proof applied on tax evasion penalty appeals; at [70] he simply recorded counsel’s acceptance that the civil standard of proof applied). Under planning legislation, a failure to comply with an enforcement notice may lead to prosecution for a criminal offence. Under the DPA 2018, however, it may lead to a MPN. I asked Mr Coppel why that should call for a stricter standard of proof in MPN proceedings. Mr Coppel took me to a number of other regulatory statutes under which a failure to comply with an enforcement notice may lead to a criminal prosecution. I think the argument is that the MPN acts as a substitute for a mainstream criminal sanction and should therefore be treated as a criminal sanction.
The Appellant submits that, while the procedure for imposing a MPN is very different to criminal procedure, the consequence of non-compliance with a provision mentioned in section 149 of DPA 2018 is indistinguishable from the consequence of a criminal charge being proven. As Lord Atkin held in Proprietary Articles Trade Association v Attorney General for Canada [1931] AC 310 at 324:
“Criminal law connotes only the quality of such acts or omissions as are prohibited under appropriate penal provisions by authority of the state. The criminal quality of an act cannot be discerned by intuition; nor can it be discovered by reference to any standard but one: Is the act prohibited with penal consequences?”
The MPN legislation, submits the Appellant, provides for a regime operating within “the sphere of ordinary civil law as a matter of domestic legal classification” but, in substance, it is penal legislation (see Bogdanic v Secretary of State for the Home Department [2014] EWHC 2872 at [49]; ESS Production Ltd v Sully [2005] EWCA Civ 554, [2005] BCC 435 at [78]). It has long been a characteristic of our domestic law for civil monetary penalties to be categorised as penal sanctions (see Tuck v Priester (1887) 19 QBD 629 at 638). Parliament is presumed to have known this when enacting the MPN provisions of DPA 2018 but, despite that knowledge, did not provide for a departure from the presumption.
In the words of the Appellant’s skeleton argument, the “procedural construct” employed by DPA 2018 “does not transubstantiate the essential nature of the imposition of a monetary penalty under DPA s 155(1) into something other than a penal sanction”. It is the essential nature of a penal sanction which motivates attendant common law protections including a requirement for the party seeking the sanction to prove a penalty’s constituent elements beyond reasonable doubt. Parliament may choose a different course but only where its intention to do so is shown by unmistakeably clear language. This is due to the ‘principle of doubtful penalty’ mentioned by Sir Anthony Clarke MR in R (Haw) v Secretary of State for the Home Department [2006] EWCA Civ 532, [2006] QB 780 at [27], and described in Bogdanic v Secretary of State for the Home Department [2014] EWHC 2872 (QB) at [47] as a “long-standing one, of recognised constitutional importance”. The required unmistakeably clear language is absent from DPA 2018.
Bogdanic concerned civil penalties under Part II of the Immigration and Asylum Act 1999, imposed on carriers whose vehicles contained clandestine entrants to the United Kingdom. The precise issue was whether a commencement order under the Nationality, Immigration and Asylum Act 2002 brought into force in relation to immigration control zones in France amendments made by that Act to the 1999 Act. Sales J held, at [49], that “Part II of the 1999 Act is penal legislation even though the penalty regime is constructed so as to operate within the sphere of ordinary civil law as a matter of domestic legal classification”. The Appellant argues that this supports the categorisation of a MPN as a penal sanction. The Appellant also relies on Arden LJ’s judgment in ESS Production Ltd in which she said, at [78], that “the principle against doubtful penalisation…should be applied to the imposition of a civil liability as well as the imposition of criminal liability”.
The Commissioner submits that the principle against doubtful penalisation is a ‘red herring’. It is a principle of statutory interpretation which applies when a court construes the extent of penal provisions and does not therefore assist in determining whether the criminal standard of proof applies in MPN proceedings. The Appellant’s autrefois acquit argument is also ‘wide of the mark’. There is no danger under the DPA 2018 of a person being ‘tried’ twice for the same offence.
The Appellant argues that the Tribunal deployed flawed reasoning to conclude that the civil standard of proof applied:
neither the forum in which the appeal was conducted nor provisions of the DPA 2018 allowing for criminal prosecutions by the DPP and Commissioner sheds light on the standard of proof;
the term “satisfied”, in section 155(1)(a), DPA is relevant to the burden of proof not the standard;
the GDPR’s use of the term “administrative fine” is not determinative. Moreover, the term ‘civil penalty’ is not used in the DPA 2018, but is used in other legislation (for example, Finance Act 1994, section 9; Aviation Security Act 1982, section 22A; Companies Act 2006, sections 27, 453 and 463; Customs and Excise Management Act 1979, in numerous places);
features of a MPN that point to the criminal standard of proof were not taken into account namely its punitive character, that it may be an additional sanction for a breach already dealt with by coercive sanction, the penalty being fixed by reference to criteria that mimic those applied by criminal courts, the existence of a separate compensation regime, enforcement mechanism akin to that for a Magistrates’ Court fine, authorities cited to the Tribunal and the principle against doubtful penalisation.
The Commissioner argues that there were no such flaws in the Tribunal’s reasoning:
it is relevant that, in a single Act, Parliament provided for two enforcement regimes only one of which is overtly criminal in nature;
given the DPA 2018’s creation of two distinct enforcement regimes, it is of note that the Act provides that the Commissioner need only be ‘satisfied’ of certain matters. The terminology is indicative of the civil standard of proof at the Commissioner’s investigative stage. The Tribunal’s role on appeal to ‘review any determination of fact’ made by the Commissioner suggests a review according to the same standard of proof as that applied by the Commissioner. The Commissioner cites numerous authorities to the effect that the First-tier Tribunal is to take afresh the decision taken by the Commissioner, that is take it in the same way;
the Tribunal did not draw an erroneous distinction between an ‘administrative fine’, which indicates a civil matter, and ‘an offence’, which denotes a criminal matter (see paragraph 47(viii) of the Tribunal’s reasons). The same distinction is drawn by the GDPR’s Recitals 151 (sanctions to take effect as criminal penalties only in States whose legal systems do not provide for administrative fines) and 152 (distinction drawn between ‘criminal’ and ‘administrative’ penalties). It is true that the GDPR’s terminology does not determine the standard of proof, but the Tribunal did not hold otherwise;
penalties are intended to be dissuasive rather than punitive (see Article 83(1) of the GDPR). The Tribunal did not overlook the potential for large penalties (see paragraph 47(xi) of its reasons) or that a MPN may be imposed alongside an Enforcement Notice (paragraph 47(viii)). In any event, an Enforcement Notice only requires the recipient to comply with the law and so it is not clear why the possibility of concurrent Notices should render the MPN a criminal penalty. The argument that the criteria for determining the amount of a penalty ‘mimic’ those for criminal fines is simply wrong and, in fact, they are more akin to those for determining civil fines. The Appellant’s reliance on the non-compensatory nature of MPNs makes no sense. Many tribunals lack coercive powers and must rely on a court to enforce their sanctions, but this does not render the sanctions criminal in nature.
Cognate legislation respects and reflects, submits the Appellant, the common law’s default protections for a penalty amounting to a penal sanction. Under section 54(1) of the Freedom of Information Act 2000, a public authority’s failure to comply with an enforcement notice is adjudicated upon as if it were a contempt of court. Contempt proceedings have quasi-criminal characteristics, including the criminal standard of proof (In re Bramblevale Ltd [1970] Ch 128; Dean v Dean [1987] 1 FLR 517 (CA); Smith v Smith [1991] 2 FLR 55 at 61C). It would be an ‘odd thing’ if the recipient of a MPN were to enjoy less protection than a public authority proceeded against for non-compliance with an enforcement notice under the 2000 Act.
The Appellant argues that Parliament legislates on the assumption that the common law will require the criminal standard of proof in penalty-related fact-finding proceedings. The statute book shows that, where Parliament’s intention is that a regulator need only be satisfied of a matter on the balance of probabilities before issuing a monetary penalty, it makes express provision to that effect. For instance:
section 93(4) of the Consumer Rights Act 2015: “where an enforcement authority is satisfied on a balance of probabilities that a person has breached a duty or prohibition…”;
section 10(2) of the Climate Change Act 2008: “…regulations may only confer such a power [to impose a fixed monetary penalty] in relation to a case where the administrator is satisfied on the balance of probabilities that the breach has occurred”;
section 146(1) of the Policing and Crime Act 2017: “The Treasury may impose a monetary penalty on a person if it is satisfied, on the balance of probabilities, that (a) the person has breached a prohibition…”;
section 28(1) of the Coronavirus Act 2020: “This section applies [so that a financial penalty may be imposed under subsection (2)] if an appropriate authority…is satisfied on the balance of probabilities that a person has, without reasonable excuse, (a) failed to comply with the requirement…”.
The above are all examples, submits the Appellant, of Parliament deciding to displace common law default protections, including the criminal standard of proof, for particular types of monetary penalty. In the absence of similar provision, those default protections must prevail. Parliament enacts regulatory legislation on the basis that any connected penal sanctions will be adjudicated according to the criminal standard of proof which is why it makes specific provision to the contrary where that is its intention. An example of the common law defaulting to certain protections is R v Rowe, ex parte Mainwaring and others [1992] 1 W.L.R. 1059 where Farquharson LJ, at [1068D], held:
“…in my judgment a person accused of corrupt practice before an electoral court should only be held to have committed it if the allegation is proved beyond reasonable doubt. The subsection refers to a person being “guilty” of corrupt practice, and that connotes a criminal offence. It would not be desirable to have a different standard of proof in different courts on the same issue.”
If Parliament does not, through clear language, displace the common law’s default to the criminal standard of proof, it thereby demonstrates its intention for the criminal standard to apply. In this respect, it matters not whether the adjudicative body is part of the civil justice system (see R v Rowe, ex p Mainwaring [1992] 1 WLR 1059 at [1068]; Akhtar v Jahan, Iqbal v Islam [2005] All ER (D) 15 (Apr) at [536]-[548]).
The Commissioner argues that imposing the criminal standard of proof in MPN proceedings would run counter to Parliament’s intention. The offence provided for by section 47(1) of the Data Protection Act 1998 was not replicated in the DPA 2018. Parliament clearly intended to remove that offence from the statute book and its intention would be nullified by the Appellant’s submissions. The Commissioner also submits, by reference to various decisions of the First-tier Tribunal, that the Tribunal’s invariable practice has been to hold that the civil standard of proof applies on appeals against monetary penalties under the 1998 Act. In enacting legislation, Parliament is taken to be aware of the existing law which includes the practice just mentioned. Since the DPA 2018 uses materially the same language as the 1998 Act, it is to be assumed that Parliament approved the Tribunal’s approach and intended for it to continue under the DPA 2018.
The Appellant accepts that the civil standard of proof applies on an appeal against a DPA 2018 Enforcement Notice. The Commissioner notes that there is a common appeals procedure so that, as in this case, appeal proceedings may involve both an Enforcement Notice and a MPN. It cannot be right, nor can it have been Parliament’s intention, for different standards of proof to apply in determining common factual disputes. If the Appellant seeks to distinguish a MPN from an Enforcement Notice by reference to more serious consequences of the former, it seeks to establish a general proposition of law by reference to particular circumstances. The consequences may be serious in the Appellant’s case but that is not generally or necessarily true. An Enforcement Notice might, for instance, require a controller to cease the type of processing on which its whole business model is based.
If the Appellant’s domestic law arguments do not succeed, it further submits that, for the purposes of Article 6 of the European Convention on Human Rights (the Convention), as given effect by the Human Rights Act 1998, a MPN amounts to a criminal charge and the fair trial required by that article cannot be provided unless the criminal standard of proof applies. Insofar as relevant, Article 6 provides:
“(1) In the determination of his civil rights and obligations or of any criminal charge against him, everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law…
(2) Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law.
(3) Everyone charged with a criminal offence has the following minimum rights:
(a) to be informed promptly, in a language which he understands and in detail, of the nature and cause of the accusation against him;
(b) to have adequate time and facilities for the preparation of his defence;
(c) to defend himself in person or through legal assistance of his own choosing or, if he has not sufficient means to pay for legal assistance, to be given it free when the interests of justice so require;
(d) to examine or have examined witnesses against him and to obtain the attendance and examination of witnesses on his behalf under the same conditions as witnesses against him;
(e) to have the free assistance of an interpreter if he cannot understand or speak the language used in court.”
The Appellant argues that domestic categorisation that avoids the term ‘criminal’ does not displace Article 6 guarantees (Engel and Others v The Netherlands (No. 1) (1976) 1 E.H.R.R. 647; Jussila v Finland (2007) 45 E.H.R.R. 892). Categorisation as ‘civil’ is of “relative weight” and only a starting point (Connors v United Kingdom (2004) 39 E.H.R.R. 1).
Under European Court of Human Rights authorities, the penal nature of a MPN implies a criminal charge, argues the Appellant. Article 6 is concerned with substance, not form and, where it applies, its protections cannot be avoided by recourse to domestic classification. While an appeal to the First-tier Tribunal against a MPN may not involve “criminal proceedings”, for the purposes of Article 6 initiating such an appeal constitutes denial of a criminal offence which triggers the protections required by Articles 6(1) to (3).
In Benham v United Kingdom (1996) 22 E.H.R.R. 293, the European Court said:
“56. The case law of the Court establishes that there are three criteria to be taken into account when deciding whether a person was “charged with a criminal offence” for the purposes of Article 6. These are the classification of the proceedings under national law, the nature of the proceedings, and the nature and degree of severity of the penalty.
As to the first of these criteria…under English law, the proceedings in question are regarded as civil rather than criminal in nature. However, this factor is of relevant weight and serves only as a starting point.
The second criterion, the nature of the proceedings, carries more weight. In this connection, the Court notes that…the proceedings had some punitive elements…”.
The Appellant submits that the punitive elements of a MPN satisfy the test applied by the European Court. In Janosevic, the Court, at [68], said that “the lack of subjective elements does not necessarily deprive an offence of its criminal character…the penalties are thus both deterrent and punitive. The latter is the customary distinguishing feature of a criminal penalty”. In Hackett, at [36], it was agreed that the absence of a requirement to prove fraud or dishonesty, that is subjective elements of the type referred to in Janosevic, did not necessarily render a penalty civil in character. In Connors, as described in Jussila at [31], the European Court held that “it is enough that the offence in question is by its nature to be regarded as criminal or that the offence renders the person liable to a penalty which by its nature and degree of severity belongs in the general criminal sphere”. In Ozturk v Germany (1984) 6 E.H.R.R. 409, as described in Jussila at [31], the European Court held that “the relative lack of seriousness of the penalty cannot divest an offence of its inherently criminal character”. And in Han and another v Customs and Excise Commissioners [2001] 1 WLR 2253, the Court of Appeal, at [26], said that, under the European Court’s jurisprudence, the nature of an offence and the nature and degree of the severity of a penalty “carry substantially greater weight” than the offence’s classification under domestic law.
In Janosevic, the European Court, at [69], said that “the criminal character of the offence is further evidenced by the severity of the potential and actual penalty” which “have no upper limit and may come to very large amounts”, and the fact that “surcharges cannot be converted into a prison sentence in the event of non-payment…is not decisive for the classification of an offence as “criminal” under Art.6”. The Appellant submits that Janosevic provides strong support for the argument that MPN proceedings are the determination of a criminal charge. Bendenoun v France (1994) 18 EHRR 54 also holds that the amount or severity of a penalty is relevant.
The Appellant argues that monetary penalties that are not intended as pecuniary compensation, but are predominantly punitive and deterrent, are frequently held to be criminal in character for Article 6 purposes (see, for instance, Janosevic, Ozturk and Bendenoun). Moreover, in Hackett, at [36], the Upper Tribunal accepted that a personal liability penalty under the Finance Act 2007, Schedule 24(19) constituted a ‘criminal charge’ for Article 6 purposes. And in Euro Wines the Upper Tribunal held that a penalty assessment, for non-payment of excise duty, under paragraph 4(1) of Schedule 41 to the Finance Act 2008, was, for Article 6 purposes criminal in nature given the nature of the offence and the nature and severity of the penalty. The Upper Tribunal’s decision was subsequently upheld by the Court of Appeal (Euro Wines (C&C) Ltd v HMRC [2018] EWCA Civ 46, [2018] 1 WLR 3248).
The Commissioner argues that the Appellant’s submissions fail to recognise that the amount of a penalty is not, on its own, sufficient to render a penalty a criminal charge for the purposes of Article 6. More importantly, the Appellant’s case misses the key point which is not so much whether a MPN constitutes a criminal charge for Article 6 purposes but whether, if it does, that imports the panoply of rules governing proceedings in domestic criminal courts. But Article 6, in its application to criminal proceedings, does not require the criminal standard of proof deployed in the law of England and Wales. Article 6 does not deal with the standard of proof at all. Even if a matter is classified as civil for domestic purposes but ‘criminal’ under Article 6, that does not necessarily require the importation of all criminal safeguards. Jussila concerned tax surcharges classed as civil under Finnish law, but as a criminal penalty for the purposes of Article 6. The European Court decided that Article 6 did not require all of the protections afforded to a person accused of a criminal offence (in that case an oral hearing).
The Commissioner also relies on Potter LJ’s judgment in Han v HMRC, at [84], where he said, “it by no means follows from a conclusion that article 6 applies that civil penalty proceedings are, for other domestic purposes, to be regarded as criminal”. Han demonstrates that the guarantees required, where a penalty amounts to a criminal charge, do not include any particular standard of proof. Further, Hannam, at [149], held that Article 6, in its application to a criminal charge, does not mandate a particular standard of proof. While HMRC accepted in Khawaja that penalty proceedings were criminal proceedings for the purposes of Article 6, the judgment noted, at [72], that “the standard of proof was not dealt with by art. 6”.
The Appellant submits that the argument that MPN proceedings do not attract Article 6’s fair trial guarantees, including the criminal standard of proof, does not stand up to analysis. It would expose a penalised controller to criminal prosecution for the same breach under sections 144, 148(2), 170(1), (4) and (5), 173(3) or 184(1) and (2) of the DPA 2018. The reverse would also apply and, additionally, prevent a plea of autrefois convict or autrefois acquit: see Interpretation Act 1978, section 18. If a controller’s MPN were followed by criminal prosecution under the DPA 2018, the controller’s privilege against self-incrimination would be prejudiced since the prosecutor could rely on evidence given by the controller in MPN appeal proceedings (see Civil Evidence Act 1968, section 14(1)(a)).
Ground 4 – law of agency
This ground is that the Tribunal “erred in law by refusing to allow itself to be informed by the law of agency in deciding whether a controller bears legal responsibility for the actions of a processor”, despite:
the GDPR’s repeated references to a processor ‘acting on behalf of’ a controller, which are “coincident with the accepted phraseology describing an agency relationship”;
making a controller legally responsible for the acts of its processor is consistent with an agency relationship; and
the need for a contract or other binding legal act in order to give rise to a controller-processor relationship is indistinguishable from the actions necessary to give rise to a principal-agent relationship.
For these reasons, the law of agency supplied valuable guidance for identifying when a controller (as the equivalent of a principal) will be liable for the acts and omissions of a processor (as the equivalent of an agent).
Ground 4 – the arguments
The Appellant submits that, before the Tribunal, the relationship between itself and Jogee Pharma was of central importance. The Appellant argued that the GDPR’s description of the relationship between a controller and a processor fitted perfectly the generally accepted definition of an agency relationship with the controller as principal and the processor as agent. Jogee Pharma, in its guise as the Appellant’s processor, had arrogated responsibility for determining the purposes and means of processing, in breach of Article 28 of the GDPR. That breach exposed the processor (Jogee Pharma) to an administrative fine (Article 83(1) of the GDPR). Unless the Appellant, as controller, connived in this arrogation of responsibility, or failed to implement the technical and organisational measures required by Articles 25 and 32 of the GDPR, the Appellant was not responsible for processing whose purposes and means were determined by the processor alone. The law of agency shed valuable light on the question whether Jogee Pharma had arrogated to itself responsibility for determining the purposes and means of processing.
The Appellant argues that the Tribunal showed ‘no interest’ in its agency arguments, briefly dismissing them on the ground that it was ‘not persuaded’ that the law of agency shed light on the extent to which the Appellant was controller of the data recovered and its responsibility for Jogee Pharma’s breaches. The Tribunal’s reasons exhibited little understanding of the law of agency, and it overlooked that it was no coincidence that the GDPR described the controller-processor relationship using the well-recognised language of an agency relationship, i.e. one legal person acting on behalf of another legal person.
At the hearing of this appeal, Mr Coppel submitted that, before the Tribunal, the Appellant’s agency arguments were connected to the Commissioner’s factual mistake concerning ownership of the premises. The Commissioner found that the premises were owned by the Appellant but that was wrong; they were owned by Mr Budhdeo. Under domestic agency law principles, if a principal allows an agent to use its premises, the acts of the agent are those of the principal but that is not necessarily the case where premises are not owned by a principal. This is why the Appellant’s agency law submissions to the Tribunal were important. Mr Lockley argued that, if the Commissioner made a mistake of fact, it was corrected by the Tribunal (see paragraphs 53(iv) and 65(ix) of the Tribunal’s reasons). Any distinction regarding ownership of the Premises was illusory and not material to the Tribunal’s decision.
The Commissioner argues that the existence of a controller-processor relationship is determined by reference to the provisions of the GDPR, in particular Articles 4(7) and (8). While it might resemble a principal-agent relationship, the concepts are not equivalent and it would have been simply a distraction for the Tribunal to have applied domestic agency law principles. Moreover, it is wholly unclear how the Appellant’s case would have been helped by applying principles of agency law. The argument that the Tribunal erred in law by ‘refusing to allow itself to be informed’ by agency law fails to identify any specific error of substance. Ground 4 is another legal point raised in a vacuum.
At the hearing before myself, Mr Lockley further argued that this ground is undermined by the Appellant’s own evidence before the First-tier Tribunal. Mr Budhdeo is recorded, at paragraph 82(viii) of the Tribunal’s reasons, as having said that Jogee Pharma’s role was ‘robotic’ which implies that it was expected simply to follow instructions given to it by the Appellant.
Ground 5 – Tribunal’s reliance on breach of Article 24(1)
Ground 5 is that the Tribunal, having concluded that a MPN could not be imposed for breach of Article 24(1) of the GDPR, subsequently made the inconsistent finding that “the serious breaches of the data processing principles occasioned by [the processor Jogee Pharma] were largely due to [the Appellant’s] negligence in relation to its Article 24(1) and Article 32 obligations”. Without that contradiction, “it is not beyond doubt that the FTT would have concluded as it did”.
The arguments
The Appellant argues that the Tribunal, having held in paragraph 89 of its reasons that a breach of Article 24(1) of the GDPR was not a penalisable contravention under section 155(1) of the DPA 2018, nevertheless, in paragraph 90, agreed with the Commissioner that ‘serious breaches’ of data processing principles were “largely due to [the Appellant’s] negligence in relation to its Article 24(1) and Article 32 obligations”. This strongly suggests that the Tribunal’s MPN analysis relied on an impermissible consideration namely a supposed breach of Article 24(1).
The Commissioner accepts that the Tribunal was correct to find that the MPN wrongly referred to Article 24(1) of the GDPR since infringement of that Article cannot found a MPN. However, this matter formed no part of the Appellant’s case before the Tribunal and the issue was raised by the Tribunal of its own volition. It would be surprising had the Tribunal, after raising the issue itself, gone on to make the very error it had just identified. The comment in paragraph 90 of the Tribunal’s reasons merely expressed agreement with the Commissioner that the Appellant’s failure to implement appropriate technical and organisational measures was the main cause of Jogee Pharma’s contraventions.
Even if the Tribunal erred, submits the Commissioner, the error was not material. Article 24(1), like Article 32, requires a controller to adopt appropriate technical and organisational measures. While Article 24(1) is of potentially wider scope than Article 32, which is solely concerned with the security of processing, the MPN relied on both Articles interchangeably in that the Commissioner relied on both as having given rise to breach of Article 5(1)(f), which is the data protection principle concerned with the security of processing. The Tribunal took materially the same approach, and also found that the Appellant was liable for Article 5(1)(e) breaches by virtue of Article 5(2) (paragraph 83 of the Tribunal’s reasons). The Tribunal’s reference to Article 24(1) was immaterial to the outcome.
The Commissioner’s materiality arguments are wishful thinking, argues the Appellant, and contrary to principle. The Commissioner unjustifiably elides his findings with those of the Tribunal. The Upper Tribunal cannot be confident that, absent the Tribunal’s mistake, it would have arrived at the same conclusions. The Tribunal’s error cannot be considered immaterial.
Ground 6 – considerations relevant to amount of penalty
This ground is that, in setting the penalty amount at £92,000, the Tribunal wrongly:
(a) made no discount for “the general credibility of the ICO [Information Commissioner’s Office]” despite serious methodological flaws in its investigation resulting in a six-fold miscalculation of the number of documents involved;
(b) took no account of the ICO’s impropriety in withholding without cause from the Appellant the primary material needed to present its case, and “this impropriety impinged on the credibility of the ICO’s evidence and case”;
(c) based its adverse credibility finding regarding Mr Budhdeo’s evidence on a matter unrelated to the MPN appeal which was put to him without warning in cross-examination and, at a later stage of the hearing, was explained as a lapse of memory. This provided no safe basis for a finding that Mr Budhdeo’s evidence lacked credibility, a finding which permeated the Tribunal’s entire analysis of his evidence. At the hearing, I asked Mr Coppel whether this sub-ground argued that the Tribunal’s fact-finding involved an error on a point of law and he confirmed that it did, the error being one of unfair procedure;
(d) held against the Appellant its lack of evidence, apart from Mr Budhdeo’s, without applying the same standard to the Commissioner from whom there was not “any evidence whatsoever” despite the ICO being well placed to adduce evidence. At the hearing, I asked Mr Coppel to clarify this sub-ground and he informed me that it argued that the Tribunal’s fact-finding regarding matters of mitigation involved errors of law;
(e) deferred to the Commissioner’s conclusions on “every aspect of the case”, save number of documents, when “there was no basis for…so doing”;
(f) rejected the Appellant’s argument that the breach documents originated from care homes when there was no countervailing evidence;
(g) failed, or failed properly, to resolve the question whether the Appellant had, at the “time of the alleged contravention”, become controller of the personal data;
(h) failed to deal with the points made in the Appellant’s skeleton argument at paragraphs 56(5) and (7) to (11).
The Upper Tribunal “cannot be confident that had each of the above been properly dealt with by the FTT the penalty would have been the same or that any penalty would have been imposed”.
The arguments
At the hearing of this appeal, Mr Coppel clarified sub-ground 6(h). The points that the Tribunal failed to deal with were: arguments that the Commissioner’s finding of careless storage was contradicted by CCTV evidence; at the date of the breach, the Commissioner had yet to publish his enforcement policy; this was the Appellant’s first MPN; there was no evidence of any financial harm, distress or embarrassment to any data subject; the Appellant had, of its own volition, taken steps to ‘better’ its data protection practices and there was nothing to suggest that, since 2019, it had been anything other than fully compliant; given the size of the Appellant’s undertaking, the amount of the penalty was “totally disproportionate” and bound to put it out of business.
In response to the Commissioner’s argument that this ground discloses no error on a point of law, the Appellant submits that the credibility and paucity of the Commissioner’s evidence before the Tribunal, caused by his failure either to carry out any investigation or examine the data in question, were highly relevant to penalty amount. Their relevance was heightened by the Commissioner’s failure to offer any explanation for his “extraordinary failure” and that his evidence was incapable of being challenged in cross-examination. The Appellant should not have been left to make his own inspection to ascertain the correct number of documents. The Commissioner relied entirely on the ‘secondary account’ of the MHRA, a body with no particular expertise in data protection matters, yet failed to acknowledge that this diminished the value of his evidence. The Tribunal also failed to make ‘some allowance’ for the fact that, at the date of the breach, the GDPR had only been in force for two months.
At the hearing of this appeal, I asked Mr Coppel whether the Tribunal was asked to take into account the argument that, for a year, the Commissioner had refused the Appellant access to the breach documents. According to my notes, Mr Coppel consulted his instructing solicitor, and I was informed that it should have been apparent that the Commissioner was required to give the Appellant immediate access to the documents.
At the hearing, Mr Coppel submitted that sub-ground (f) related to the Appellant’s argument before the Tribunal that documents were brought onto the premises pursuant to contractual arrangements between Jogee Pharma and care homes. This argument, which was rejected in paragraph 94 of the Tribunal’s reasons, was relevant to the application of Article 83(2)(a) to (d) of the GDPR.
The Commissioner argues that, generally, this ground fails to identify legal flaws in the Tribunal’s penalty-setting exercise. Most of the sub-grounds relate not to the penalty-setting exercise but to logically prior matters and, moreover, some are simply arguments about the facts.
According to the Commissioner, sub-grounds (a) and (b), which concern the Commissioner’s ‘credibility’, aim at the wrong target. Matters of credibility relate to a Tribunal’s weighing of evidence when resolving disputed matters of fact. In any event, the Tribunal explained how the reduced number of breach documents affected its penalty-setting determination. At the hearing, Mr Lockley argued that the assertion that the Commissioner failed even to look at the breach documents was contradicted by paragraph 58 of the Tribunal’s reasons.
Sub-paragraph (c) relates, argues the Commissioner, to the Tribunal’s primary findings of fact. To the extent that the Tribunal’s finding about the credibility of Mr Budhdeo’s evidence is challenged, the Commissioner reminds the Upper Tribunal of long-established principles that a second-tier appellate body should be slow to interfere with first-tier findings of fact. In this case, the Tribunal was entitled to draw an adverse inference against a witness who, in the hearing room, changed his account when confronted with contradictory material especially where, as here, the contradiction concerned a matter which would not normally escape a reasonable person’s memory, namely holding a directorship. This topic arose naturally in cross-examination and the Tribunal’s findings are not flawed even if, as the Appellant submits, it was ultimately of no relevance to the determination of any substantive issue. In any event, the topic was not without potential relevance since there was a live issue as to who had access to the yard from which the breach documents were seized, and ownership of the Premises was certainly not irrelevant to that issue.
Sub-ground (d), argues the Commissioner, is another challenge to the Tribunal’s primary findings of fact. In any event, it is framed in terms that hardly admit of a response. The impugned paragraph 84 of the Tribunal’s reasons simply applies primary findings of fact and gives a sustainable reason for rejecting an aspect of the Appellant’s case. The approach described in paragraph 84 is entirely orthodox and correct.
While sub-ground (e) does formulate a coherent point of law, accepts the Commissioner, it does so in terms that are ‘hopelessly generic’. To simply assert there was ‘no basis’ for nine paragraphs of the Tribunal’s reasons is not good enough. If the Appellant argues that the Tribunal paid undue deference to the Commissioner’s decision, it is based on a misconception. Undue deference is not shown by pointing out that a tribunal’s decision largely corresponded to the decision under appeal. On any fair reading of paragraphs 88 to 96 of the Tribunal’s reasons, it is clear that the Tribunal turned its own mind to the issues and did not unthinkingly adopt the Commissioner’s analysis.
Sub-ground (f) is a further attack on the Tribunal’s fact-finding, submits the Commissioner. The impugned finding was free of legal error. The Tribunal was entitled to reject Mr Budhdeo’s conjecture, or speculation, as implausible and ‘countervailing evidence’ was not required.
The legal issue raised by sub-ground (g), argues the Commissioner, concerns liability rather than penalty amount. The Appellant fails to explain why the finding that it was the data controller should influence the penalty-setting exercise rather than the prior question of liability. Rather than identifying a flaw in the Tribunal’s reasoning the Appellant simply asserts that the Tribunal failed to resolve the point, which is clearly wrong: the point was dealt with in paragraph 82(ix) of the Tribunal’s reasons.
The Commissioner argues that sub-ground (h) is misconceived and does not come close to establishing an error of law. The argument that the Tribunal overlooked parts of the Appellant’s skeleton argument does not stand up to analysis:
- paragraph 56 of the skeleton argument. The Tribunal did not disregard the submission that the Commissioner’s finding of careless storage was contradicted by CCTV evidence (see paragraphs 65(xi) and 83 of the Tribunal’s reasons);
- paragraph 56(7). The Tribunal did not err in law by failing expressly to deal with the argument that, at the breach date, the GDPR had only been in force for two months and the Commissioner had yet to publish an enforcement policy. A tribunal is not required to set out, and respond to, each and every submission made. The Tribunal said that it considered both parties’ submissions with care but only summarised those central to its decision (paragraph 66 of the reasons). Doubtless, the Tribunal considered this particular submission of modest weight. The advent of the GDPR was accompanied by significant publicity and it is difficult to see what difference a published enforcement policy would have made to a data controller that, as the Tribunal found, had “[failed] to demonstrate adequate data protection policies more than a year after serious concerns were drawn to its attention” (paragraph 100 of the reasons);
- paragraph 56(8). The MPN noted that the present case was the Appellant’s first infringement. In this respect, the Tribunal adopted the Commissioner’s analysis, and the point was not therefore overlooked;
- paragraph 56(9). Again, the point made was not overlooked;
- paragraph 56(10). This paragraph of the skeleton argument asserted that the Appellant had promptly, and without waiting for the involvement of the Commissioner’s office, ‘bettered its data protection programme’. The point was not overlooked. The Tribunal made findings of fact inconsistent with the assertion made (paragraphs 97 to 99 of the reasons);
- paragraph 56(11). The Tribunal dealt with the Appellant’s submissions regarding the financial impact of the Commissioner’s MPN (paragraph 93 of the reasons).
Ground seven – delay in Tribunal making its decision
This ground is “the time taken by the FTT to reach its decision in a case involving contested oral evidence is such as to make its decision unsafe according to binding authority”.
Ground seven – the arguments
The Appellant submits that the Tribunal’s decision was given some eight months after it heard the Appellant’s appeal, and some seven months after post-hearing written submissions were filed. The Appellant argues that it was essential for the Tribunal to have retained a fresh memory of the only oral evidence given, that of Mr Budhdeo. Despite Mr Budhdeo’s vigorous and lengthy cross-examination on his three witness statements, the Tribunal’s reasons dealt with his oral evidence in “remarkably short fashion” while his witness statement evidence, by contrast, took up some four pages of the reasons. Of particular significance was the Tribunal’s adverse assessment of Mr Budhdeo’s credibility since, in the words of Mr Coppel’s skeleton argument for the Appellant, “immediacy has a premium for this sort of assessment, with time prone to distort highly subjective reactions such as these, and the memories on which they depend rapidly collapsing into a memory of the memories”.
The Commissioner concedes that the delay in the Tribunal giving its decision was ‘not ideal’ but observes that some 10 pages of the Tribunal’s reasons were devoted to dealing with post-hearing written submissions, which were necessary because the Appellant’s skeleton argument had raised “two new and weighty legal issues”. This misses the point, argues the Appellant, and overlooks that the submissions were drafted within “a couple of weeks of the hearing” and filed with the Tribunal some seven months before it gave its decision.
The Appellant argues that the Commissioner relies on a ‘leading authority’ – Bangs v Connex South East [2005] EWCA Civ 14 – that has been overtaken by more recent Court of Appeal authorities. These authorities “speak of” judgments being delivered within 3 months of a hearing (see Bank St Petersburg PJSC & Anor v Arkhangelsky & Anor [2020] EWCA Civ 408, [2020] 4 WLR 55; Plant v Pickle Properties Ltd [2021] UKPC 6; NatWest Markets plc v Bilta (UK) Ltd [2021] EWCA Civ 680; Dansingani & Anor v Canara Bank [2021] EWCA Civ 714). The delay in giving a decision rendered the Tribunal’s evaluative conclusions unsatisfactory, unfair and unsafe.
The Commissioner argues that the leading authority on delay in the tribunal context is Bangs in which a decision was promulgated more than a year after a tribunal heard evidence on a claim of racial discrimination. The Court of Appeal found that the tribunal’s decision was ‘not unsafe’ and, at [43], held that, of itself, unreasonable delay cannot be a free-standing ground of appeal. In order to succeed, a challenge which relies on unreasonable delay must demonstrate that a tribunal’s decision is, as a result, perverse in its conclusion or on specific matters of fact and credibility. The Court went on to say that there may be exceptional cases of unreasonable delay which may properly be treated as a serious procedural irregularity or “material irregularity giving rise to a question of law” in tribunal proceedings and “such a case could occur if the appellant established that the failure to promulgate the decision within a reasonable time gave rise to a real risk that, due to the delayed decision, the party complaining was deprived of the substance of his right to a fair trial under article 6(1)”.
Bangs applies by analogy to the Upper Tribunal, argues the Commissioner, in the exercise of its jurisdiction over the First-tier Tribunal. It is to be preferred to subsequent case law relied on by the Appellant since those authorities concerned delay in mainstream courts and, in any event, concur with Bangs in that, of itself, delay is not a ground for allowing an appeal.
The Commissioner submits that the Appellant’s arguments scarcely identify any finding of fact that is unsafe, or wrong, due to delay. The Appellant asserts the importance of Mr Budhdeo’s evidence but goes little further. The only specific complaint concerns the Tribunal’s adverse credibility finding but, significantly, the Appellant does not challenge what was said in the Tribunal’s reasons concerning (a) Mr Budhdeo’s initial denial that he was the ‘S Budhdeo’ recorded at Companies House as director of a company, and his assertion that the director was in fact his brother; and (b) when this denial was shown to have been false, Mr Budhdeo’s claim to have forgotten about this particular directorship. The Commissioner submits that this is hardly a forgettable matter. The Appellant really argues that it was unsafe for the Tribunal, which is likely to have taken a contemporaneous note of the evidence given, to have decided some months later whether it believed Mr Budhdeo. That argument is hopeless, submits the Commissioner.
Conclusions
Ground 1
Sub-ground (a) of Ground 1 covers the same ground as Ground 2 and so will not be dealt with here.
The Tribunal is said to have erred by (a) accepting as ‘broadly correct’ that the burden of proof was of secondary importance on a full merits review, and (b) holding that the Commissioner had only an initial evidential burden which shifted to the Appellant once evidence of the infringements was introduced. In my judgment, the Tribunal did not err in law as the Appellant submits.
The correct approach, according to both the Commissioner and, on my understanding of the submissions, the Appellant, required the Tribunal to consider for itself whether the MPN statutory conditions were met and, if so, whether it would be appropriate to impose a MPN at all and, if so, in the amount set by the Commissioner. I agree that is the correct approach but none of the Appellant’s submissions persuade me that the Tribunal deviated from it. This was not a case of a tribunal abdicating its decision-making responsibilities and unthinkingly confirming the decision under appeal. The Tribunal found that the Commissioner had, in one respect, mistakenly assumed that a MPN could be issued for contravention of Article 24(1) of the GDPR. The Tribunal also found that the Commissioner mistakenly found that the Appellant’s contravention involved some 500,000 documents when the correct number was around 67,000. Had the Tribunal been slavishly following the Commissioner’s penalty-setting approach, one might have expected it to reduce the penalty amount in the same proportion as the reduction in the number of breach documents. On the Tribunal’s findings, the number of documents involved was about 13% of the amount on which the Commissioner’s penalty was based (66,362 is approximately 13% of 500,000). Had the Tribunal simply made a proportionate reduction to the penalty, it would have imposed a penalty of approximately £36,000, but its revised penalty amount was £92,000. The Tribunal also found an additional breach of the GDPR (Article 5(1)(e)).
The correct approach, as just described, itself explains why the burden of proof (and the burden of persuasion in relation to the exercise of any statutory judicial discretion) may properly be described as of secondary importance in tribunal proceedings. To apply strict burdens of proof (or persuasion) may prevent the Tribunal from properly discharging its responsibility to decide the facts for itself and exercise any discretion afresh. This may explain why the Supreme Court in Hewage warned against making ‘too much’ of the role of burden of proof provisions. That advice has even more force in tribunal proceedings, such as the present, under legislation that does not include express provision about the burden of proof.
The Appellant characterises the Commissioner’s submissions as follows. Provided that the Commissioner acts rationally in finding an infringement, on appeal the evidential burden shifts to the Appellant who is required to prove there was no infringement. I do not think that is a fair description. It is accepted that the Tribunal’s responsibility under the DPA 2018 is to determine the facts for itself and to make up its own mind (or exercise its own statutory discretion) as to whether a MPN is called for and, if so, in what amount. That responsibility would not be discharged if a tribunal were to adopt an approach which effectively presumes the validity of a MPN unless the Appellant proves no infringement. However, this was not the approach taken by the present Tribunal. In referring to the Commissioner’s initial evidential burden, the Tribunal was simply identifying an evidential fact of life in proceedings before a tribunal charged with making its own findings of fact and exercising statutory discretions afresh. If the Commissioner adduces evidence which he argues shows a breach of the GDPR, an Appellant can either do nothing and hope that the Tribunal is not persuaded, or it can counter the Commissioner’s evidence with its own evidence. I agree with the Respondent that this is what the Tribunal meant when it referred to the Commissioner’s initial evidential burden.
The Commissioner’s evidential burden submissions rely on the Court of Appeal’s decision in Khan but, according to the Appellant, the Respondent misunderstands Khan. I do not agree that Khan was intended to be confined to civil penalties under the VAT legislation. I agree with Mr Lockley’s submissions that there is nothing in Khan, at [70] to [73], to suggest that the Court’s words were intended, as the Appellant submits, to have a restricted application to all or any of the following: VAT civil penalties; penalties calculated by ‘purely arithmetical means’; penalties whose imposition allows an individual to avoid the stigma associated with criminal prosecution; regulatory decisions that do not involve the imposition of a dis-benefit.
Even if a MPN amounts to a criminal charge for the purposes of Article 6 of the Convention, I agree with the Commissioner that the guarantees in Article 6(2) and (3) do not require a formal burden to be placed on the Commissioner of the type contended for by the Appellant. I agree with the Commissioner that the issue is whether the MPN scheme, as a whole and as applied in any particular case, is compatible with those guarantees. As Janosevic demonstrates, the burden may fall on the citizen, in relation to certain issues, even if the citizen faces a criminal charge. If the Tribunal’s approach to burdens of proof may properly be described as involving a presumption of fact or law, I agree with the Commissioner’s submission that, by reference to Lord Bingham’s Sheldrake criteria, it was not a presumption that ran counter to the requirements of Article 6.
Mr Coppel argued, with some conviction on behalf of the Appellant, that the Tribunal’s approach raised matters of deep constitutional concern. The deviant course taken had to be corrected to protect the citizenry from an overbearing state. However, these submissions were not supported by any persuasive authority.
For the above reasons, Ground 1 is not made out.
Ground 2
I agree with Mr Lockley for the Commissioner that, where a tribunal hears an appeal against a regulatory decision, it is an integral aspect of the judicial role that careful attention should be paid to that decision and the reasons given for the decision. After all, the decision is the only reason why the case is before a tribunal. I also reject the argument that, by paying ‘careful attention’ to the Commissioner’s reasons / decision the Tribunal must have failed properly to re-hear the facts or determine afresh the merits. Paying careful attention to the reasons for a particular regulatory decision does not, without more, show that a tribunal failed to make its own findings on disputed matters of fact or unthinkingly adopted a regulator’s assessment of the merits.
The Appellant makes a determined attempt to confine Hope and Glory’s injunction to pay ‘careful attention’ to the reasons given for the decision under challenge. I find none of the Appellant’s submissions persuasive.
At times, the Appellant’s submissions seemed to assume that paying ‘careful attention’ to a regulator’s reasons (or decision) was synonymous with giving them significant weight. But that was not what the Court of Appeal said, or required, in Hope and Glory. The Court, at [45], began by stating that, in all cases, careful attention should be paid to a licensing authority’s reasons and ended that paragraph with the following words which clearly show that paying ‘careful attention’ involves no presumption as to the weight to be given to an authority’s reasons:
“The weight which the magistrates should ultimately attach to those reasons must be a matter for their judgment in all the circumstances, taking into account the fullness and clarity of the reasons, the nature of the issues and the evidence given on the appeal.”
The Appellant’s portents of doom about the implications of the Tribunal paying ‘careful attention’ to the Commissioner’s decision and reasons – ‘the enormity of its reasoning cannot be overstated’; ‘not something that any respectable legal system would countenance’ – seem to me based on this misreading of Hope and Glory. The Court of Appeal did not require first-instance judicial bodies to load the dice in favour of regulators by requiring any particular weight to be given to regulators’ reasons for their decisions. The Court was quite clear that weight was a matter for the first-instance judicial body.
The Appellant argues that paying ‘careful attention’ to the Commissioner’s decision and reasons unfairly tilts the field in the Commissioner’s favour and I think that is why the Appellant strives to distinguish Hope and Glory and its approval by the Supreme Court in Hesham Ali. The ‘field’ would only be tilted in the Commissioner’s favour if, as a matter of course, his reasons had to be given some degree of positive weight but, as I have said, that is not the case. For this reason, the Appellant’s attempts to distinguish Hope and Glory and Hesham Ali do not go anywhere. Moreover, I accept the Commissioner’s submission that the Appellant fails to identify any aspect of the Tribunal’s reasons which disclose undue deference, or pre-determined weight, having been given to the Commissioner’s reasons. Ground 2 is not made out.
Ground 3
I shall deal first with the question whether domestic law (leaving Article 6 of the Convention out of account) requires the criminal standard of proof to be adopted in MPN proceedings before the First-tier Tribunal. I shall then consider the parties’ arguments under the Human Rights Act 1998 and European Convention on Human Rights.
Lord Hoffman identified, in re B, a category of proceedings which, despite their formal classification as civil, should apply the criminal standard of proof, or something like it, to determine disputed matters of fact. These are proceedings which are ‘so serious’ that it is appropriate to apply the criminal standard. That describes a category but does not really elucidate its contents. However, some light is shed by the two cases which Lord Hoffman identified as falling within this category. B v Chief Constable of Avon and Somerset Constabulary [2001] 1 WLR 340 concerned the making of a sex offender order by a magistrates’ court. It was a decision of the High Court, but judgment was given by the then Lord Chief Justice, Lord Woolf. His Lordship, at [41], said that the standard of proof to be applied, for the purposes of determining under section 2(1)(a) of the Crime and Disorder Act 1998 whether a person was a sex offender, would “for all practical purposes be indistinguishable from the criminal standard”. As Lord Hoffman observed, at [8], such orders “may impose restrictions upon the person’s freedom of movement and activity”. The other case mentioned by Lord Hoffman was the decision of the Judicial Committee of the House of Lords in R (McCann) v Crown Court at Manchester [2003] 1 AC 787. This concerned anti-social behaviour orders which, again, may restrict a person’s freedom of movement and activity.
I note that the cases referred to by Lord Hoffman shared two characteristics. Firstly, they both involved orders that place restrictions on an individual’s freedom of movement and activity. Secondly, breach of the terms of either order would constitute a criminal offence. While Lord Hoffman did not say so in terms, in my view these cases provide some indication of the ‘serious consequences’ necessary under domestic law for the criminal standard of proof to be required in civil proceedings.
Decisions of the Upper Tribunal’s Tax and Chancery Chamber have sought to illuminate the ‘serious consequences’ category identified by Lord Hoffman. Khawaja held that the fact that an allegation is serious and has serious consequences for an individual, including a substantial financial penalty, is not necessarily sufficient. Hackett held that the heightened standard was not called for simply because a matter involved a serious fraud with a large penalty nor because it involved an allegation of dishonesty. Hannam held that serious financial and reputational consequences of a penalty were not, of themselves, sufficient. Hannam also gave some indication of cases that might fall within Lord Hoffman’s category, namely where a person’s fundamental liberties were at risk, which it contrasted with a person whose livelihood only was at risk.
The Appellant argues that it has long been a characteristic of our common law for civil monetary penalties to be categorised as penal sanctions. However, the authority relied on, Tuck v Priester, which dates back to 1887, is not, in my view, authority for the proposition advanced. In R v Z (Northern Ireland) [2005] UKHL 35, at [16], the Judicial Committee of the House of Lords described Tuck v Priester as authority for the proposition that “a person should not be penalised except under a clear law, should not (as it is sometimes said) be put in peril on an ambiguity”. That is not the same thing at all as the proposition that civil monetary penalties should be categorised and treated as penal sanctions. If our common law had a characteristic of the type argued for by the Appellant, and had done so since 1887, I would have expected clear supporting case law authorities, but none are cited.
The Appellant also argues that, if the common law regards a penalty as a penal sanction, it ‘defaults’ to certain protections which include the criminal standard of proof in proceedings challenging the penalty. Again, supporting case law authorities are conspicuous by their absence from the Appellant’s submissions. The only case cited is the Court of Appeal’s decision in Rowe. However, in Rowe the Court was clearly influenced by the relevant statutory language which referred to a person being “guilty” of corrupt electoral practice which, as the Court remarked, “connotes a criminal offence”.
In my judgment, the cases referred to by Lord Hoffman as instances of civil proceedings in which the criminal standard of proof should be applied are a guide to what he meant by the ‘serious consequences’ of proceedings. Civil proceedings are more likely to satisfy the test where they may result in individual freedoms being restricted by some measure breach of which would be a criminal offence. In my judgment, there is a categorical difference between that type of case and those involving imposition of a penalty for conduct which is not itself a criminal offence. While paying the penalty may have serious financial implications for the penalised person, the penalty leaves the person’s freedom of action untouched. It might possibly be different if legislation required a penalty that inevitably caused, or came close to, a complete deprivation of a person’s assets but this is not the case for a MPN.
While the Upper Tribunal authorities mentioned above are not binding on me, I find their reasoning persuasive. I consider them to be consistent with the category described by Lord Hoffman in re B and the two cases which his Lordship identified as exemplifying that category. I therefore find that our domestic law does not require the Tribunal, in MPN proceedings, to resolve disputed matters of fact according to the criminal standard of proof. A MPN may impose a very significant penalty but, of itself, that is not sufficient to bring MPN proceedings within the ‘serious consequences’ category identified by Lord Hoffman.
The Appellant advances numerous arguments why MPN proceedings fall within the ‘serious consequences’ category identified by Lord Hoffman and/or is an essentially punitive measure. However, I find none of them persuasive:
- almost inevitably, there is a punitive aspect to any measure styled as a ‘penalty’ (the measure would probably be described by the legislature as some kind of compensatory or restitutionary order if no punitive effect was intended). The element of punishment arises because the penalised person suffers a financial loss that is not in proportion to any financial benefit gained or any financial detriment visited upon another. There is clearly also a dissuasive aspect to MPNs. I do not think it can sensibly be disputed that, in general, the prospect of significant financial penalties for breach of data protection requirements makes a controller or processor more likely to eschew a lackadaisical approach to data protection compliance and less likely to take deliberate action in breach of data protection requirements. I do not accept the argument that the character of a MPN is essentially punitive. The MPN is part of a scheme for promoting compliance with data protection requirements and cannot be considered essentially punitive or penal in character;
- I am not convinced that the criteria used to fix the amount of a MPN ‘mimic’ those applied by the criminal courts in determining the amount of a fine for a criminal offence. There may be some similarities such as some regard being had to a person’s ability to pay and a positive relationship between severity of misconduct and penalty amount but that is only to be expected. In relation to the latter point, it is obvious that a positive relationship between penalty amount and severity of misconduct is far more likely to promote regulatory compliance than a regulatory scheme which makes no such link;
- the Appellant argues that the potential amount of a MPN may easily put an end to a business and it is not disputed that the DPA 2018 permits the Commissioner to impose very significant or, in the Appellant’s words, ‘enormous’ financial penalties. However, the penalty rules provide for a normal maximum penalty and penalties in excess of this are constrained by reference to a formula that takes account of the financial size of a business undertaking. I also note that, in this case, the Commissioner agreed to a significant reduction in penalty amount in the light of the Appellant’s pre-MPN representations. If I were satisfied that a MPN would almost inevitably spell financial Armageddon for the penalised person, I might be persuaded that the MPN is essentially punitive in character. However, I am not so satisfied;
- I do not agree that a data subject’s separate right to seek compensation under the DPA 2018 means that the MPN’s purpose is purely punitive. Whether or not a data subject will exercise the right to seek compensation in any particular case is unknowable which means it is uncertain whether the existence of the right to compensation will, to any meaningful extent, act to restrain non-compliant behaviour. The data subject’s right to seek compensation under the DPA 2018 does not therefore dilute the regulatory character of the MPN to any meaningful degree; it does not render the MPN an essentially punitive measure;
- I do not understand why the ultimate destination of monies paid to satisfy a MPN should be of any relevance to its essential character or why it should tend to show that MPN proceedings have the ‘serious consequences’ mentioned in re B. The destination of monies has no bearing on the severity of the sanction. The same applies to the procedure for enforcing payment. A duly imposed MPN should be paid and the fact that the legislature might have made provision to assist in recovery of the penalty amount is irrelevant;
- the Commissioner does not accept that, as a matter of fact, MPNs may be distinguished from tax-related civil penalties because the former are publicised, but the latter are not. In any event, whether or not the Commissioner publishes details of MPNs on his website makes no material difference. The implications of such publication in any particular case would be inherently uncertain and not a proper basis for finding that, as a rule, MPNs are essentially punitive or that MPN proceedings have the serious consequences identified by Lord Hoffman. Moreover, the efficacy of the MPN as a dissuasive measure would obviously be impeded were they to be kept confidential. Assuming that the Commissioner does publish MPNs on his website, I am satisfied that he does so not to punish the penalised person but to encourage better general compliance with data protection requirements.
I am not persuaded that the Tribunal relied on flawed reasoning to reject the Appellant’s argument that the criminal standard of proof applied. The fact that MPN proceedings are not assigned to a branch of the criminal justice system was legitimately relied on as one factor, amongst others, that tended to show that the civil standard applied. Similarly, the Tribunal’s reasoning was not logically flawed because it took into account the DPA 2018’s creation of certain criminal offences. The DPA 2018’s use of the term ‘satisfied’ is, in my judgment, a neutral consideration since it is coupled with neither ‘beyond criminal doubt’ nor ‘on a balance of probabilities’ (or words to similar effect). I agree that the GDPR’s use of the term ‘administrative penalty’ is not determinative, but the Tribunal did not treat it as such.
I do not accept that express legislative provision applying the civil standard of proof in certain regulatory contexts evinces a Parliamentary understanding that, in the absence of such provision, the common law would ‘default’ to the criminal standard. Such an understanding would need to be supported by binding authority to that effect, but none is drawn to my attention. The authorities relied on by the Appellant do not establish a proposition of the breadth asserted. The electoral court authorities do not purport to establish any proposition of law applicable outside the electoral law context.
I should add that I do not accept the Commissioner’s argument that Parliament, in enacting the DPA 2018, is presumed to have had knowledge of First-tier Tribunal decisions that the civil standard of proof applies in penalty proceedings under the Data Protection Act 1998 so that, by omitting to legislate to the contrary in the DPA 2018, Parliament signalled its intention for that position to be maintained. Decisions of the First-tier Tribunal do not establish binding propositions of law and do not therefore constitute ‘the law’ of which Parliament might be assumed to have knowledge when enacting legislation.
I agree with the Commissioner that the principle of statutory interpretation that penal provisions are to be construed strictly (or that a person is not to be punished under ambiguous legislation) takes matters no further. The principle has a role to play when the extent of a penal provision falls to be construed so that, in the case of doubt, a narrow construction is to be preferred to a broader one. In my judgment, it does not assist in determining whether the MPN provisions are essentially penal or punitive in character or whether the ‘serious consequences’ threshold is reached. None of the submissions on this appeal argue that there is any material doubt as to the conduct for which a MPN may be imposed nor is it argued that the provisions dealing with the amount of a MPN are uncertain or ambiguous.
Having rejected the Appellant’s argument that domestic law requires the criminal standard of proof in MPN proceedings, I must consider whether a different result is called for by Article 6 of the Convention.
I agree with the Commissioner that, even if MPN proceedings amount to the determination of a criminal charge for the purposes of Article 6, its fair trial guarantees do not mandate resolution of disputed matters of fact by reference to our domestic criminal standard of proof. The guarantees provided for by Article 6(3) do not mention the standard of proof and, as the Court of Appeal stated in Han, the designation of a matter as ‘criminal’ for Article 6 purposes does not, in order to secure compliance with Article 6, thereby import the full panoply of protections afforded by our domestic law to a defendant in criminal proceedings.
I am not persuaded by the Appellant’s arguments that, in the present context, the fair trial required by Article 6 (assuming MPN proceedings amount to the determination of a criminal charge) necessitates application of the criminal standard of proof. If a penalised controller also faced criminal prosecution, then, in the criminal proceedings, the controller’s prospects of a successful outcome would be enhanced, as compared with MPN proceedings, because it would enjoy the protection afforded by the criminal standard of proof. The question whether a subsequent criminal prosecution might amount to ‘double jeopardy’ is a matter for the criminal courts to consider. It is not for me to anticipate such consideration by finding that, in order to prevent a person from being prosecuted twice for the same offence, it is necessary to hold, before any criminal prosecution has been brought, that the criminal standard of proof applies in MPN Tribunal proceedings.
For the above reasons, ground 3 is not made out.
Ground 4
In my judgment, the simple answer to the Appellant’s law of agency arguments is that the GDPR applies across all Member States of the European Union and, as its recitals show, is intended to secure a consistent level of protection across the Union. For this reason, the GDPR cannot have intended to import the principles of the law of England and Wales governing relationships between a principal and agent. Moreover, I agree with the Commissioner that it is not at all clear how the Tribunal might have arrived at a different result had it applied domestic principles of agency law when determining, under the GDPR, the Appellant’s responsibility for data protection breaches occasioned by the acts or omissions of Joogee Pharma. Ground 4 is not made out.
Ground 5
At first glance, this ground may appear to have merit but, on closer analysis, I am satisfied that it is not made out.
Firstly, it is necessary to consider in more detail the role played by Article 24(1) of the GDPR in the Commissioner’s reasons for imposing an MPN and in setting the penalty amount (I have already described Article 24(1)’s role in the Tribunal’s analysis: see paragraphs 23 to 29 above).
Paragraph 2 of the MPN recited, “the penalty is being issued because of contraventions by Doorstep Dispensaree of: a. Articles 5(1)(f), 24(1) and 32…[and] b. Articles 13 and/or 14 GDPR”.
Paragraphs 36 to 46 of the MPN were headed “The Contraventions”. Much of the analysis in this section was by reference to what the notice described as ‘the Breach’. This was defined by paragraph 37: “It is clear that the data were not processed securely: the documents were left outside, in unlocked containers (“the Breach”).”. Having explained why the Commissioner found a contravention of the data processing principle in Article 5(1)(f) (security of processing), the MPN added, at paragraph 42, “for the same reasons that Doorstep Dispensaree has infringed Article 5(1)(f) GDPR, the processing is also a contravention of Article 24(1) GDPR” and, at paragraph 43, “for the same reasons, the processing is also a contravention of Article 32(1)”. At paragraph 45, the MPN stated that, due to inadequate data protection policies and inadequate records of processing activities and security measures, “Doorstep Dispensaree is unable to demonstrate that its processing is performed in accordance with GDPR: a further infringement of Article 24(1) GDPR”.
Paragraphs 47 to 67 of the MPN were headed “Factors relevant to whether a penalty is appropriate, and if so, the amount of the penalty”. For the most part, the Commissioner’s analysis of the considerations specified in Article 83(2) of the GDPR was by reference to ‘the Breach’. Express mention was made of the Appellant’s obligations under Articles 13 and/or 14 (paragraphs 50, 54, 55, 56, 57 and 59). At times, ‘the Breach’ and Articles 13/14 were addressed together such as in paragraph 57 where the MPN stated, “the Commissioner has treated both the Breach and Article 13 and 14 infringements as a case of a negligent rather than a deliberate infringement”. At paragraph 60, the MPN addressed the Appellant’s compliance with the requirements of Articles 25 and 32. There was no mention of Article 24(1) in this section of the MPN.
Article 83 of the GDPR identifies the maximum permitted administrative fines for breach of specified provisions of the GDPR. Article 24 is mentioned in neither paragraph (4) nor (5) of Article 83 and it is presumably for this reason that section 155(1) does not mention it either.
Article 24(1) requires a controller to “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”. That requirement relates to the entirety of a controller’s other obligations under the GDPR in relation to the processing of personal data.
The Tribunal found that the Appellant failed to implement the measures required by Article 24(1). That failure was also a breach of Article 32 (which is a penalisable breach) in that the Appellant failed to implement appropriate measures to ensure a level of security appropriate to the risks involved.
It seems to me that, in most cases, any contravention by a controller of the GDPR will entail a breach of Article 24(1). For this not to happen, a controller’s breach would need to have occurred despite the implementation of appropriate technical and organisational measures to ensure that processing is performed in accordance with the GDPR. This seems unlikely.
In determining that issuing a MPN was an effective, proportionate and dissuasive response, the Tribunal relied on its finding that the Appellant’s contraventions were largely due to its negligence in relation to its obligations under Article 24(1) and 32. I note that a breach of Article 32 is bound to involve a breach of Article 24(1). A controller’s failure to implement appropriate measures to ensure an appropriate level of security (Article 32) is bound to entail a controller’s failure to implement appropriate measures to ensure that processing is performed in accordance with the GDPR (Article 24(1)). I am therefore satisfied that, in deciding that a MPN was appropriate, if the Tribunal relied on a finding that Article 24(1) had been contravened, it was of no real consequence. On my reading of the Tribunal’s reasons, the breach of Article 32 was, in substance, also the breach of Article 24(1). In other words, I am satisfied that the Tribunal would have decided a MPN was appropriate even if it had left out of account its finding that Article 24(1) had been contravened.
The next question is whether the Tribunal’s finding that the controller breached Article 24(1) influenced its determination of the amount of the penalty. I must first consider the extent to which the Commissioner relied on his finding that the Appellant had contravened Article 24(1) when setting the amount of the penalty. There is no mention of Article 24(1) in the section of the MPN that addressed the appropriate penalty amount. ‘The Breach’ featured heavily in the Commissioner’s analysis but, by this, the MPN meant simply not processing data securely by leaving documents outside in unlocked containers. The MPN’s definition of ‘the Breach’ made no causal link with deficient technical and/or organisational measures. In other words, ‘the Breach’ definition was not connected with any of the Articles of the GDPR that require various types of appropriate technical and organisational measures to be taken. At paragraph 60, the MPN found that the Appellant had contravened the requirements of Articles 25 and 32 both of which require certain appropriate technical and organisational measures to be taken. But, in the section of the MPN which addressed the appropriate penalty amount, there was no mention of Article 24(1). While the MPN did not say so in terms, the only sensible reading of this section of the MPN is that the Commissioner ascribed ‘the Breach’ to the Appellant’s failure to take the appropriate technical and organisational measures required by Articles 25 and 32. The Commissioner did not, when setting the amount of the penalty, rely on his finding that the Appellant had contravened the requirements of Article 24(1).
The reason why I have laboured over the role played by Article 24(1) in the MPN is because it demonstrates that, when the Commissioner came to determine the amount of the penalty, he did not take into account his finding that the Appellant had contravened Article 24(1). In other words, the Tribunal was not presented with a decision whose analysis of the appropriate penalty amount improperly took into account a finding that Article 24(1) had been contravened.
I now turn to consider whether the Tribunal’s determination of the penalty amount took into account the Appellant’s contravention of Article 24(1) of the GDPR. In this respect, I note that the Tribunal did not proportionately reduce the penalty amount set by the Commissioner in accordance with its finding that only some 67,000 documents had been seized by the MHRA rather than the 500,000 assumed by the Commissioner. As mentioned above, had the Tribunal made a pro rata reduction, it would have imposed a penalty of £36,000 rather than £92,000. Another way of looking at it is that the Commissioner’s penalty amounted to 55 pence per breach document whereas the Tribunal’s penalty was £1.73 per document. Does this demonstrate that the Tribunal, unlike the Commissioner, took into account a finding that the Appellant had contravened Article 24(1)? I decide that it does not.
Had the Tribunal failed to explain why its per document penalty was greater than the Commissioner’s, the Appellant may have had a better chance of persuading me that the Tribunal impermissibly relied on a breach of Article 24(1) in determining the penalty amount. However, the Tribunal did provide an explanation which made no reference, direct or indirect, to Article 24(1). The Tribunal justified not making a pro rata reduction in the amount of the penalty by reason of its additional finding of a contravention of Article 5(1)(e) of the GDPR and the “long list of aggravating factors”. The Tribunal’s reasons for setting the penalty amount at £92,000 made no mention of Article 24(1) and I am satisfied that it was not taken into account at that stage of the Tribunal’s analysis.
In my judgment, the Tribunal did not err in law, as the Appellant argues, by relying on a breach of Article 24(1) either when deciding that a MPN was appropriate or when setting the amount of the penalty. Ground 5 is not made out.
Ground 6
The Tribunal did not err in law as described in the sub-grounds of Ground 6 and this ground is not made out. By reference to those sub-grounds, my reasons are as follows:
it is not obvious why the ‘general credibility’ of the Commissioner / the Commissioner’s evidence should have been relevant at the penalty-setting stage of the Tribunal’s consideration of the appeal. If the argument is that the penalty-setting stage involved findings of fact as to the severity of the Appellant’s contraventions of the GDPR and, at this point, the Commissioner’s credibility was improperly left out of account, I reject it. The argument is based on an unproven assertion that the Commissioner’s investigation involved ‘serious methodological flaws’;
this sub-ground is also based on an unproven assertion - that the Commissioner acted improperly – and fails to establish any error on a point of law;
the Tribunal heard live evidence from Mr Budhdeo and I remind myself that the Upper Tribunal should be slow to interfere with a tribunal’s assessment of a witness’ oral evidence. The argument that it was not open to the Tribunal to reject Mr Budhdeo’s explanation for having failed to remember that he, and not his brother, was the director of a particular company cannot succeed. The Tribunal, having assessed Mr Budhdeo giving evidence in person, was entitled to regard his explanation as fanciful. I am also satisfied that the Tribunal did not act unfairly by permitting Mr Budhdeo to be questioned about his role in this particular company. I agree with Mr Lockley for the Commissioner that the topic was capable of being relevant to the question of who had access to the Premises, which was an issue before the Tribunal. In any event, the Appellant was represented by counsel before the First-tier Tribunal and it is not argued that counsel objected to this line of questioning at the time, which is a further reason for rejecting Ground 6(c);
it is not correct that the Commissioner adduced no evidence whatsoever before the Tribunal. His case was supported by various items of written evidence. In my judgment, the Tribunal’s analysis was not, or was not to any great extent, based on a finding of paucity of evidence on the part of the Appellant. It is true that the Appellant’s evidence was considered lacking in the sense that it failed to persuade the Tribunal of various matters but that was a qualitative, not quantitative, consideration. Many relevant matters of fact were accepted by the Appellant, as set out in the Tribunal’s reasons, and the Tribunal’s finding that Mr Budhdeo’s evidence lacked credibility did not rely on a finding that, in general, there was a lack of evidence provided by the Appellant;
this sub-ground strays into the territory occupied by Ground 2. In any event, the Tribunal did not defer to the Commissioner’s conclusions on ‘every aspect of the case’ save the number of documents. The Tribunal found an additional breach of the GDPR and declined to reduce the penalty amount in proportion to the reduction in the number of breach documents;
since the Upper Tribunal’s jurisdiction is limited to errors on points of law, I take this sub-ground to argue that it was not open to the Tribunal, on the evidence before it, to reject the argument that breach documents originated from care homes. The argument is not made out. The Tribunal gave intelligible reasons for rejecting the argument. In any event, it is not clear to me how this consideration had relevance beyond the liability stage of the Tribunal’s consideration;
the issue was whether the Appellant retained responsibility, as controller, for Joogee Pharma’s breaches. This issue was addressed, and the Tribunal’s conclusions properly explained. In any event, it is again not at all clear why this issue was relevant at the penalty-setting, as opposed to the liability of breach, stage of the Tribunal’s consideration;
I find none of the arguments in this sub-ground persuasive. The Appellant does not argue that the Tribunal overlooked some transitional period during which there was an easing of the GDPR’s requirements. The fact that the GDPR had only been in force for some two months at the date of the breach did not lessen the Appellant’s obligation to comply with its requirements and the present breaches would almost certainly also have breached some requirement of the predecessor data protection legislation. It is not as if, before the GDPR came into force, it was acceptable to store large quantities of documents containing sensitive personal data outdoors in unlocked crates/boxes. Endeavouring to view matters objectively, it seems to me that the CCTV evidence argument was difficult to square with the agreed facts before the Tribunal, which included that the MHRA seized from the premises 73,000 documents stored in unlocked crates, boxes and bags. Moreover, the Tribunal did in fact refer to the CCTV evidence in its reasons (see paragraphs 65(xi) and 83). If the Commissioner had not published an enforcement policy at the date of the breach, this did not absolve the Appellant of its duty to comply with the GDPR and it was not argued before the Tribunal that the Appellant was waiting for a published enforcement policy to tell it what to do in order to comply with the GDPR. The Tribunal took into account the absence of evidence that any data subject had suffered any financial harm, distress or embarrassment since this was addressed in a part of the MPN’s analysis with which the Tribunal agreed. The Tribunal also took into account steps taken by the Appellant subsequent to the breach date; it may not have agreed with the Appellant that the steps were adequate but that is not the same thing as overlooking them (see paragraphs 97 to 99 of the Tribunal’s reasons). That this was the Appellant’s first infringement was also mentioned in the Tribunal’s reasons (paragraph 56(8)). 
Finally, the Appellant could not have argued before the Tribunal that a penalty of £92,000 was bound to put it out of business because it went into the appeal facing a penalty of £275,000 and, in any event, financial implications were dealt with at paragraph 93 of the Tribunal’s reasons.
Ground 7
My understanding of the submissions is that the Appellant accepts that, of itself, the Tribunal’s delay in giving its decision did not amount to an error on a point of law. I say that because, at the hearing of this appeal, Mr Coppel’s arguments focussed on the safety of the Tribunal’s finding that Mr Budhdeo’s evidence lacked credibility. In my judgment, the Tribunal’s credibility finding was not rendered unsafe by virtue of delay. As Mr Lockley argues for the Commissioner, the Tribunal did not rely on the general impression or demeanour of Mr Budhdeo when giving oral evidence. Its adverse credibility finding was largely based on the more hard-edged matter of Mr Budhdeo’s initial denial that he was the ‘S Budhdeo’ recorded by Companies House as the director of a particular company, and that it was in fact his brother, followed by his response when that denial was shown to have been incorrect. I am certain that the judge’s contemporaneous note of the hearing would have recorded these features of Mr Budhdeo’s evidence so that any dimming of the judge’s memory of what happened at the hearing had no bearing on the safety of the adverse credibility finding. Ground 7 is not made out.
Conclusion
None of the Appellant’s grounds of appeal are made out. This appeal is therefore dismissed.
Finally, I should apologise for the delay in giving this decision. As I understand the parties were informed, I fell ill shortly after the hearing in July 2022 and was absent from my duties for most of the rest of that year. A further relapse upon my return to work in 2023 caused further delay. I apologise for the frustration that is likely to have been experienced by the parties while awaiting this decision.
Upper Tribunal Judge Mitchell
Authorised for issue on 1 June 2023