Delo: clarity on ICO complaints
In October last year, the Court of Appeal handed down a ruling providing some helpful clarity on the Information Commissioner’s responsibilities vis-á-vis the handling of complaints lodged by data subjects, writes Lucy Jones.
This appeal in Delo v Information Commissioner [2023] EWCA Civ 1141 involved two main issues:
(1) Is the Commissioner obliged to reach a definitive decision on the merits of each and every complaint or does he have a discretion to decide that some other outcome is appropriate?
(2) If the Commissioner has a discretion, did he nonetheless act unlawfully in this case by declining to investigate or declining to determine the merits of the complaint made by the claimant (“Mr Delo”)?
**Spoiler alert** The appeal was dismissed with definitive answers of no, to both (1) and (2) above.
The facts
The key facts are as follows: Mr Delo made a data subject access request to Wise Payments Limited (“Wise”), a financial institution with which he had an account. Wise declined to provide much of the information sought, claiming it was exempt from doing so. Mr Delo complained to the Commissioner who, having reviewed the relevant correspondence, advised that it was likely that Wise had complied with its obligations and no further action would be taken.
Mr Delo both: (i) brought a claim for judicial review; and (ii) exercised his right to sue Wise. By the time the judicial review claim came before the High Court (Mostyn J), the case had been compromised and Mr Delo had been provided with the personal data he was seeking. Although the issues had been rendered academic, Mostyn J nevertheless decided these on the basis of the public interest. The Court of Appeal proceeded on the same basis.
The first main issue: what are the Commissioner’s responsibilities?
Turning to the first main issue, Warby LJ began his substantive analysis focusing on the wording of Articles 57, 77 and 78 of the UK GDPR, all of which deal in one way or another with the duties owed by the Commissioner and the rights enjoyed by data subjects with regard to the Commissioner. Addressing Article 57 first, the Court found “the most striking point about the language of that provision is that it does not contain any words that are redolent of decisions on the merits of a complaint” (¶59), a feature common also to Articles 77 and 78.
Assessing the wording of each Article, Warby LJ concluded that “contrary to Mr Delo’s submissions, the ordinary and natural interpretation of the language used in these provisions is that the Commissioner’s principal obligations are to address and deal with every complaint by arriving at and informing the complainant of some form of ‘outcome’, having first investigated the subject matter ‘to the extent appropriate’ in the circumstances of the case. There are also second tier obligations, to inform the complainant of the progress of the investigation and of the complaint.” (¶63) A conclusive determination or ruling on the merits that brings an end to the complaint is certainly an “outcome” but the Court noted that the word is intended to have broader connotations, including (as was the case for Mr Delo) a finding that that the conduct complained of was “likely” to be compliant with the UK GDPR (¶64).
The Court’s conclusion was buttressed by a consideration of the context in which Articles 57, 77 and 78 appear (see Recital 141 and Recital 143) and it was not persuaded by Mr Delo’s reliance on either Facebook Ireland (“it is always necessary to be cautious about extrapolation from decisions on different issues”, ¶68) or BE (“[t]he mere fact that it is permissible in principle for claims to be pursued concurrently against the data controller or processor and the supervisory authority says nothing about the content of the duties owed by the latter”, ¶75).
Lastly, on this first main issue Warby LJ turned to the objectives of the legislation which provided no assistance to Mr Delo. Although the Court accepted that “one of the main aims of the UK GDPR is to ensure a high level of protection of natural persons with regard to the processing of their personal data” it noted that “[i]t by no means follows … that the complaints-handling mechanism provided for by Articles 57 and 77 falls to be interpreted as a straight alternative to or proxy for a direct claim against the data controller who is alleged to have infringed the rights of the data subject.” (¶79)
The second main issue: did the Commissioner act unlawfully in this case?
The Court dismissed this second issue in short order. Classifying Mr Delo’s arguments as an irrationality challenge to the Commissioner’s decision-making, the Court could identify no error in the High Court’s rejection of this challenge.
Warby LJ further endorsed the High Court’s conclusion that the right of a data subject such as Mr Delo to bring a direct claim against the data controller is a relevant consideration which lends support to the legitimacy of the Commissioner’s decision. The Court recognised the resource constraint faced by the Commissioner, noting that it “must be legitimate for the Commissioner, when deciding how to deploy the available resources, to take account not only of his own view of the likely outcome of further investigation and the likely merits, but also of any alternative methods of enforcement that are available to the data subject.” (¶94)
Lucy Jones is a barrister at 11KBW. This article first appeared on the set’s Panopticon blog.
Jason Coppel KC of 11KBW appeared for the Appellant, Mr Delo. David Bedenham, also of 11KBW, appeared for the Respondent, the IC.