The Information Commissioner's discretion to determine complaints
Philip Coppel KC sets out the key findings from a Court of Appeal ruling on the UK Information Commissioner's responsibilities when a data subject lodges a complaint that a data controller has infringed data protection law.
In Delo v Information Commissioner [2023] EWCA Civ 1141 Delo complained to the Information Commissioner (“ICO”) that his UK GDPR Article 15 subject access request had been wrongly refused by a financial institution. The ICO advised Delo that it was likely that the institution had complied with its obligations and that the ICO would take no further action. Delo sought judicial review on the basis that the ICO had failed to discharge a legal duty under Art 57(1)(f) UK GDPR to determine a complaint and had acted unlawfully in failing to investigate it further. The claim was dismissed by the High Court. Delo appealed to the Court of Appeal.
The Court of Appeal held:
- The UK GDPR is not a codifying, consolidating, or updating measure.
- Articles 57, 77 and 78 of the UK GDPR result in a primary obligation on the ICO to address and deal with every complaint by arriving at and informing the complainant of some form of “outcome”, having first investigated the subject matter “to the extent appropriate” in the circumstances of the case. There are also second-tier obligations, to inform the complainant of the progress of the investigation and of the complaint.
- An “outcome” must be the end point of the ICO’s “handling” of a complaint. A conclusive determination or ruling on the merits that brings an end to the complaint is an “outcome”; but so is a decision to cease handling a specific complaint whilst using it to inform and assist a wider industry investigation; and so is informing a complainant of the ICO’s view that the conduct complained of was likely to be compliant with the UK GDPR, i.e. that the complaint of infringement was likely to be ill-founded.
- The functions assigned to the ICO by the UK GDPR and DPA 2018 are not those of a regulator with exclusive competence over all matters of compliance, subject to judicial supervision. Still less is the ICO designated as an adjudicatory authority with exclusive jurisdiction. The role of the ICO is supervisory.
Appeal dismissed.
Philip Coppel KC of Cornerstone Barristers appeared with David Bedenham for the Information Commissioner.