First-tier Tribunal - Vestani v Information Commissioner

From GDPRhub
Revision as of 14:35, 21 December 2023 by Ar (talk | contribs)
FtT - (2023) UKFTT 915 (GRC)
Courts logo1.png
Court: First-tier Tribunal (General Regulatory Chamber)
Jurisdiction: United Kingdom
Relevant Law:
Rule 8(3)(c) of the 2009 Rule
Section 165 of the Data Protection Act 2018
Section 166 of the Data Protection Act 2018
Decided: 20.10.2023
Published: 02.11.2023
Parties: Jashu Vestani (Appellant)
Information Commissioner (Respondent)
National Case Number/Name: (2023) UKFTT 915 (GRC)
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): English
Original Source: Vestani v Information Commissioner (2023) UKFTT 915 (GRC) (in English)
Initial Contributor: Maria Chiara Zaccaria

A lower UK court did not consider itself competent to review the UK DPA's decision because the latter is considered the expert regulator.

English Summary

Facts

On 2 November 2020, Capital Letters (London) Limited informed its employee, Jashu Vestani, that he was the victim of a data breach affecting the company. Mr. Vestani later experienced cyber attacks and other fraudulent activities which he concluded had resulted from Capital Letters' data breach.

On 4 January 2023, Vestani submitted a complaint about the data breach to UK DPA - the Information Commissioner's Office (ICO). On March 14, 2023, the ICO decided not to investigate the complaint further, due to lack of evidence directly linking the attacks to the breach.

On 23 June 2023, Vestani appealed the ICO's decision to the First-Tier Tribunal.

The ICO argued that under Section 166 of the Data Protection Act, the Tribunal cannot examine the underlying merits of the original complaint, only whether the ICO took appropriate action. As the expert regulator, the ICO has wide discretion in handling complaints that the Tribunal cannot override without evidence of mishandling.

The core legal dispute centred on the scope of the Tribunal's authority to review the ICO's processing of data breach complaints and whether it can evaluate the regulator's decision itself or merely the appropriateness of internal procedures followed.

Holding

The First-tier Tribunal decided that it can only review the actions of the ICO carrying out its obligations under section 165 of the UK Data Protection Act 2018, as empowered to do so by section 166 of the UK Data Protection Act 2018.

The Commissioner has wide discretion as the expert regulator in complaint investigations. The Tribunal held its role was limited under the law to assessing the “appropriateness” of steps taken by the Commissioner, not re-examining the actual merits or substance of Mr. Vestani’s complaint itself. Accordingly, the Tribunal struck out the application.

Comment

The First-tier Tribunal is not competent to review the actions of the Information Commissioner. The Commissioner, serving as the expert regulator in complaint investigations, possesses wide discretion.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

[New search] [Context] [View without highlighting] [Printable PDF version] [Help]

Neutral Citation Number: [2023] UKFTT 915 (GRC)

Appeal Reference: EA/2023/0307

First-tier Tribunal
(General Regulatory Chamber)
Information Rights

Decided without a hearing
On 20 October 2023

Decision Given On: 02 November 2023

B e f o r e :

TRIBUNAL JUDGE HEALD
____________________

Between:

JASHU VESTANI
Appellant

- and -

THE INFORMATION COMMISSIONER
Respondent

____________________

____________________

HTML VERSION OF DECISION
____________________

Crown Copyright ©

DECISION

The application is struck out.

REASONS

Background

Jashu Vestani ("the Applicant") was seconded to Capital Letters (London) Limited ("Capital"). On 2 November 2020 Capital wrote to the Applicant and said, "I am writing to you to notify you of a breach of Capital Letters' data which included some of your personal data, and the steps the company has taken to contain the breach and manage any associated risks." In the letter, as well as apologising, Capital provided an explanation as to what had happened, what personal data had been involved, the steps taken and their assessment of the risk. Additionally, they gave guidance to the Applicant about the need to be alert to the risk of the potential misuse of the data concerned.

Subsequently the Applicant was the victim of cyber-attacks and other fraudulent activity and concluded that this had occurred because of the data breach at Capital. There was correspondence about these concerns, but the matter was not resolved to the Applicant's satisfaction.

On 4 January 2023 the Applicant submitted a complaint ("the Complaint") to the Commissioner. On 14 March 2023 the Commissioner responded and in conclusion said: -

"I have considered the information available in relation to this complaint and though we appreciate you have experienced such unfortunate events it does not appear that you have provided sufficient evidence to support your concerns about Capital Letters (London) Limited's data breach being the direct cause of the cyber attacks and fraudulent activities that you have experienced. As the ICO is an evidence-based regulator, we would require strong documentary evidence to support your concern before we would consider this matter further. At this stage as we are unable to consider your concerns further, we will now close this case."

There then followed a series of exchanges between the Applicant and the Commissioner which concluded with the Commissioner indicating its position had not changed.

Procedure

6. On 23 June 2023 the Applicant submitted an application to the Tribunal ("the Application"). In it the relevant part of the outcome sought is: - "I seek fair justice with my appeal. I feel I have been unfairly treated since the start of my secondment…"

There was then a pause due to a concern that there had been some misunderstanding between the Commissioner and the Applicant. On 4 September 2023 the Commissioner apologised for the confusion but maintained its position as set out in the letter of 14 March 2023.

On 6 September 2023 the Commissioner provided its response to the Application including a request that the Application be struck out pursuant to rule 8(3)(c) of the 2009 Rules. As required by rule 8(4) of the 2009 Rules the Applicant was informed of the strike out request and asked to reply by 21 September 2023. On 15 September 2023 the Applicant provided a reply.

Strike out

Rule 8 of the 2009 Rules provides that:-

(3) The Tribunal may strike out the whole or a part of the proceedings if (c) the Tribunal considers there is no reasonable prospect of the appellant's case, or part of it, succeeding.

In HMRC -v- Fairford Group (in liquidation) and Fairford Partnership Group (in liquidation) [2014] UKUT 0329 the Upper Tribunal summarised the task to be carried out by a Tribunal in these terms at (41): -

". The Tribunal must consider whether there is a realistic, as opposed to a fanciful (in the sense of it being entirely without substance) prospect of succeeding on the issue at a full hearing……..A 'realistic' prospect of success is one that carries some degree of conviction and not one that is merely arguable…..the strike out procedure is to deal with cases that are not fit for a full hearing at all……. The tribunal must avoid conducting a 'mini-trial"

In AW-v-Information Commissioner and Blackpool CC [2013] 30 ACC the Upper Chamber set out the principles governing the application of rule 8(3)(c) of the 2009 Rules. These included: -

8. More recent rulings from the superior courts point to the need to look at the interests of justice as a whole ….It is, moreover, plainly a decision which involves a balancing exercise and the exercise of a judicial discretion, taking into account in particular the requirements of Rule 2 of the GRC Rules.

Rule 2 of the 2009 Rules refers to the overriding objective of the 2009 Rules which is "to enable the Tribunal to deal with cases fairly and justly." Rule 2(3) of the 2009 Rules provides that the Tribunal "must seek to give effect to the overriding objective when it (a) exercises any power under these rules or (b) interprets any rule or practice direction."

The DPA

Section 166 of the DPA provides: -

(1) This section applies where, after a data subject makes a complaint under section 165 or Article 77 of the GDPR, the Commissioner

(a) fails to take appropriate steps to respond to the complaint,

(b) fails to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or

(c) if the Commissioner's consideration of the complaint is not concluded during that period, fails to provide the complainant with such information during a subsequent period of 3 months.

(2) The Tribunal may, on an application by the data subject, make an order requiring the Commissioner

(a) to take appropriate steps to respond to the complaint, or

(b) to inform the complainant of progress on the complaint, or of the outcome of the complaint, within a period specified in the order.

(3) An order under subsection (2)(a) may require the Commissioner

(a) to take steps specified in the order;

(b) to conclude an investigation, or take a specified step, within a period specified in the order.

(4) Section 165(5) applies for the purposes of subsections (1)(a) and (2)(a) as it applies for the purposes of section 165(4)(a).

Relevant parts of Section 165(4) DPA provide: -

(4) If the Commissioner receives a complaint under subsection (2), the Commissioner must

(a) take appropriate steps to respond to the complaint,

(b) inform the complainant of the outcome of the complaint,

(c) inform the complainant of the rights under section 166, and

(d) if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint.

(5) The reference in subsection (4)(a) to taking appropriate steps in response to a complaint includes—

(a)investigating the subject matter of the complaint, to the extent appropriate…

Summary of the Commissioner's position

The Commissioner's position in summary is that a section 166 DPA application is not concerned with the merits of the original complaint and does not provide a forum for an applicant to challenge the substantive outcome of the Commissioner's actions. It is an expert regulator, with a wide discretion to deal with complaints.

This is confirmed in Killock &Veale & others -v-Information Commissioner [2021] UKUT 299 (ACC) (para 76) in which it was held that:-

The Tribunal does not have the same expertise in determining the appropriate outcome of complaints. The Commissioner is the expert regulator. She is in the best position to consider the merits of a complaint and to reach a conclusion as to its outcome. In so far as the Commissioner's regulatory judgments would not and cannot be matched by expertise in the Tribunal, it is readily comprehensible that Parliament has not provided a remedy in the Tribunal in relation to the merits of complaints.

Killock is also authority as to the role of the Tribunal when considering whether the steps taken (by the Commissioner) were appropriate. This is not determined by the Commissioner but: -

85…..in considering appropriateness, the Tribunal will be bound to take into consideration and give weight to the views of the Commissioner as an expert regulator. The GRC is a specialist tribunal and may deploy (as in Platts) its non-legal members appointed to the Tribunal for their expertise. It is nevertheless our view that, in the sphere of complaints, the Commissioner has the institutional competence and is in the best position to decide what investigations she should undertake into any particular issue, and how she should conduct those investigations.

The outcome of the Complaint

As seen above the Commissioner responded to the Complaint by a letter dated 14 March 2023 the content of which was repeated on the 14 April 2023 and 19 June 2023. It explained that the Commissioner's decision was to "close this case." The Commissioner's letter of the 5 September 2023 said in summary: - "We are not denying that your personal data was affected by the data breach in 2020, however there is insufficient evidence to demonstrate that activity that occurred after this incident was due to the breach". "Having reviewed the matter I can confirm that this is not something we intend to pursue further".

Summary of the Appellant's position

Th Appellant says "I am inexperienced in this matter and do not have a representative." I took note of this when reviewing the Appellant's submissions and other documents provided.

The Appellant remains very concerned about the original data breach, how it was handled, the relationship with Capital and the subsequent cyber-attacks suffered. The Applicant also remains dissatisfied with the Commissioner's response both in terms of the outcome and process saying "I know I have suffered an injustice" and concludes with:-

"There is no solution. The steps taken so far have been inappropriate resulting in an unfair outcome. In this case the Commissioner cannot be trusted to reinvestigate. If this needs to be done my request is that it be followed up by an independent investigator"

Decision

Data breaches and cyber-attacks are of great concern. The Applicant has been the victim of cyber crime and the concerns expressed are understandable. However, the Tribunal can only review the actions of the Commissioner carrying out its obligations by section 165 DPA, as empowered to do so by section 166 DPA and based on the relevant authorities.

In light of this and having reviewed the position of the Applicant and the Commissioner and having considered the overriding objective I conclude that there is no reasonable prospect of the Applicant's case succeeding and that it would therefore be right for me to exercise the discretion to strike out the Application.

Accordingly, the Application is struck out pursuant to rule 8(3)(c) of the 2009 Rules.

Signed Simon Heald Judge of the First-tier Tribunal Date:20 October 2023.