Delo, R (On the Application Of) v The Information Commissioner - 2023 EWCA Civ 1141
Court Of Appeal (Civil Division) - 2023 EWCA Civ 1141 | |
---|---|
Court: | EWCA (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 15 GDPR Article 57(1)(f) GDPR |
Decided: | |
Published: | 10.10.2023 |
Parties: | ICO Mr Delo |
National Case Number/Name: | 2023 EWCA Civ 1141 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | English |
Original Source: | [2023 EWCA Civ 1141 (in English)] |
Initial Contributor: | sh |
The Court Of Appeal (Civil Division) determined that the Information Commissioner is not obliged to reach a decision on every complaint in light of Art 57(1)(f) UK GDPR.
English Summary
Facts
The data subject made an access request (DSAR) to Wise Payments Limited ("Wise"), a financial institution with which he had an account. Wise declined to provide much of the data sought, claiming that it was exempt from doing so as this disclosure would reveal information regarding Wise's internal business processes. The data subject complained to the Commissioner that this response was not in accordance with his rights of access under Article 15 UK GDPR. The Commissioner reviewed relevant correspondence and advised the data subject that it was likely that Wise was compliant with the UK GDPR, making clear that no further action would be taken.
The data subject brought a claim for judicial review against the ICO at the High Court, on the basis that the ICO had failed to discharge a legal duty under Art 57(1)(f) UK GDPR to determine a complaint and had acted unlawfully in failing to investigate it further. The judge decided that the Commissioner was not obliged to determine the merits of each complaint and had discretion which he exercised lawfully.
This decision was then appealed to the Court of Appeal by the data subject. The appeal involved two main questions:
(1) Is the Commissioner obliged to reach a definitive decision on the merits of each and every such complaint or does he have a discretion to decide that some other outcome is appropriate?
(2) If the Commissioner has a discretion, did he nonetheless act unlawfully in this case by declining to investigate or declining to determine the merits of the complaint made by the claimant (the data subject)?
Holding
The High Court rejected the data subject’s appeal on both grounds.
On the first point, it held that Articles 57, 77 and 78 of the UK GDPR result in a primary obligation on the ICO to address and deal with every complaint by arriving at and informing the complainant of some form of “outcome”, having first investigated the subject matter “to the extent appropriate” in the circumstances of the case. An “outcome” must be the end point of the ICO’s “handling” of a complaint. However, the Commissioner has a broad discretion to determine outcomes and appropriate extent of investigation. A conclusive determination or ruling on the merits that brings an end to the complaint is an “outcome”; but so is a decision to cease handling a specific complaint whilst using it to inform and assist a wider industry investigation; and so is informing a complainant of the ICO’s view that the conduct complained of was likely to be compliant with the UK GDPR (such as in this case).
The court came to this decision by analysing the indicators that the legislative intention was to impose a duty on the Commissioner to determine the merits of any complaint:
- The judges noted the flexible languange of Article 57(1)(f) UK GDPR. The Commissioner must "handle" a complaint. He must "investigate the subject-matter of the complaint" but even then only "to the extent appropriate". He must "inform" the complainant of the "progress" of the complaint and its investigation and its "outcome". It is not the case, for example, that the Commissioner must (for instance) adjudicate, decide, determine, rule upon, or resolve a complaint, or that complaints must be "upheld" or not upheld by the Commissioner. This same argument can be extended to to Articles 77 and 78.
- Recital 141 is also drafted with flexibility. It only requires there to be a judicial remedy to be available where action by the supervisory authority is "necessary" to protect the data subject's rights. Similarly, Recital 143 does not suggest that a data subject has a judicial remedy in any and every case where the Commissioner handles and investigates a complaint but resolves to take no action.
- The judges also differentiated the case from BE Case C-132/21. The CJEU did not decide in BE C-132/21 that the Article 78 GDPR remedy is a cost-free proxy for or alternative to a direct claim under Article 79. The mere fact that it is permissible in principle for claims to be pursued concurrently against the data controller or processor and the supervisory authority says nothing about the content of the duties owed by the latter. Those, are to be identified by focusing on the language of Articles 57, 77 and 78, as the judges did above.
- The judges factually differentiated this case from Facebook Ireland C-311/18. In comparison to this case, Facebook Ireland is a case where the export of personal data to a foreign state, beyond the reach of the Irish authorities, periled a data subject's rights giving them no prospect of a remedy. This is not the case here where the data subject can claim judicial review and subsequent appeals. The provision adopted in Facebook Ireland C-311/18 is itself very broad. To interpret it as imposing a blanket obligation to enforce the UK GDPR in every case of alleged non-compliance would in the judges view, be extravagant.
As to the second point, given the conclusion above, it was decided that the Commissioner acted lawfully when failing to reach a conclusive determination of the data subject’s complaint. The Court of Appeal agreed with the High Court that the Commissioner had complied with all the obligations imposed on him. He had received and reviewed the complaint and the attached correspondence; formed the view that the case did not require further investigation; reached an outcome decision; and, having confirmed that decision upon review, informed Mr Delo of the outcome "namely that no further action would be taken by the ICO against Wise." The Commissioner's decisions were "completely lawful, both in substance and procedurally".
Comment
It should be noted that while UK left the European Union by 2020, the UK GDPR remains substantively the same as the EU's GDPR. This is acknowledged by the judges in this case at [11] who state 'the content of the GDPR [remains] part of English law, with certain modifications and amendments, under the title "UK GDPR". The legislative measures used to achieve this are identified and summarised in R (Open Rights Group) v Secretary of State for the Home Department [2021] EWCA Civ 800, [2021] 1 WLR 3611 [5] and [12]-[13]. They included some textual amendments to the GDPR and to the DPA 2018 but none that affects the substantive provisions that are relevant in this case.'
This decision is interesting from a procedural perspective because as of 2023 the EU has been proposing procedural amendments to the GDPR. One of the concepts floated has been the idea to make DPA's issue legally challengeable decisions for each complaint. Should this pass it would place the UK on a seperate path to its EU counterparts within the similarly shared overarching structure of the GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.