First-tier Tribunal - Dennerlein v The Information Commissioner (2023) UKFTT 942 (GRC)

Court: First-tier Tribunal (General Regulatory Chamber)
Jurisdiction: United Kingdom
Relevant Law: Article 77 GDPR
Decided: 06.11.2023
Published: 06.11.2023
Parties: Sandra Dennerlein
The Information Commissioner
National Case Number/Name: Dennerlein v The Information Commissioner (2023) UKFTT 942 (GRC)
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): English
Original Source: Dennerlein v The Information Commissioner [2023] UKFTT 942 (GRC) (in English)
Initial Contributor: sh

A UK Tribunal decided that a data subject could not use Section 166 of the UK Data Protection Act 2018[1] to ask a court to force the British DPA to adopt a different complaint outcome.

English Summary

Facts

In April 2023, a data subject complained to the UK Data Protection Authority (ICO) that a bank (the controller) had failed to update their systems, resulting in her personal banking data being sent to the incorrect address. Furthermore, even after she informed the controller of this fact, they continued to send her letters and cheques to the incorrect address.

In May 2023, the ICO replied to her complaint. They stated that they had raised the issue with the controller who had provided a full response and addressed all the ICO's questions. The ICO was satisfied with the controller's response and their handling of the data subject's personal data and subject access requests. As such, the ICO closed the case.

The data subject asked the ICO to show her the response from the controller. The ICO took 26 days to reply and told her that they would not release it as it had been provided by the controller's DPO for the sake of the investigation.

In June 2023, the data subject appealed the ICO's decision to the First Tier Tribunal under Section 166 of the UK Data Protection Act (DPA 2018). Section 166 governs the Tribunal's jurisdiction to give orders to the Information Commissioner to progress complaints when the complaint has been made under Section 165 Data Protection Act or Article 77 UK GDPR.[2]

The data subject accused the ICO of failing to take reasonable steps to resolve her complaint in accordance with the DPA 2018. She argued that it was impossible for her to verify whether the controller had told the ICO the truth. Through appealing the decision, she wanted her complaint to be acted upon and to receive all the personal data related to her accounts held with the controller.

Holding

The Tribunal struck out the data subject's appeal because it fell outside its jurisdiction.

First, Section 166 DPA 2018 does not give data subjects a right of appeal against the merits of the Information Commissioner’s decision. This reading of Section 166 was confirmed by the Upper Tribunal in Scranage v Information Commissioner [2020] UKUT 196 (AAC) which stated that 'section 166(1)... is procedural rather than substantive in its focus.'[3] Thus, the tribunal only has jurisdiction when the Commissioner fails to take appropriate steps to respond to a complaint, or update a data subject on the progress or outcome of a complaint. In this manner, the tribunal will only be concerned with correcting ongoing procedural flaws that impede the timely resolution of a complaint. Thus, the outcome sought by the data subject (to receive copies of her personal data held by the controller) is not something that the Tribunal can grant within the confines of Section 166 DPA.

Second, the High Court decided in Delo, R (On the Application Of) v The Information Commissioner - 2023 EWCA Civ 1141 that wide discretion is given to the ICO in its handling of complaints. It follows that it is not the Tribunal's role to determine how the ICO should conduct an investigation.

Third, Delo, R (On the Application Of) v The Information Commissioner - 2023 EWCA Civ 1141 also held that an outcome includes a decision by the Commissioner to no longer investigate a case. Since on the facts an outcome has been rendered in this case, the data subject's only option for a remedy is to seek judicial review in the High Court.

Last, the tribunal noted that the data subject's use of the Section 166 DPA 2018 process to seek a different complaint outcome had already been criticised by the Upper Tribunal in Killock & Veale and by the High Court in Delo, R (On the Application Of) v The Information Commissioner - 2023 EWCA Civ 1141. The Tribunal reminded the data subject that Section 166 is about procedure and that if she wanted a different complaint outcome, she should begin separate legal proceedings under a different legal basis.

Comment

This decision is contrary to recent EU case law such as CJEU - C‑333/22 - Ligue des droits humains ASBL, BA v Organe de contrôle de l’information policiè which ties the information provided by a supervisory authority to the right to an effective remedy against legally binding decisions. The Tribunal may have been more likely to order the ICO to give the data subject additional information about how they arrived at their decision if they had followed the CJEU rather than the recent UK case of Delo, R (On the Application Of) v The Information Commissioner - 2023 EWCA Civ 1141.

This case also falls out of line with recent case law such as CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA which states that a legally binding decision of a supervisory authority is subject to a full substantive judicial review. The ICO requires data subjects 'to lodge appeals with the First Tier Tribunal (Information Rights) within 28 calendar days'. However, as this case shows, the Tribunal is limited in what aspects of the ICO's decision it can review. A question is raised as to whether a data subject's right to an effective remedy is complied with if they cannot go straight to the High Court or need to start separate legal proceedings alongside the tribunal ones.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.


Neutral Citation Number: [2023] UKFTT 942 (GRC)

Case Reference: EA/2023/0311/GDPR

First-tier Tribunal

General Regulatory Chamber

Information Rights

 

Heard by: determination on the papers

Heard on: 6 November 2023

Decision given on: 6 November 2023

Before

TRIBUNAL JUDGE ALEKSANDER

Between

SANDRA DENNERLEIN

Appellant

and

THE INFORMATION COMMISSIONER

Respondent

Decision: The appeal is struck out

REASONS

 

1.             On 9 January 2023, Ms Dennerlein made a complaint to the Information Commissioner about how Barclays Bank plc (“Barclays”) had been using her personal information. A summary of her complaint was that Barclays had

(a)          failed to update and manage their systems so that they sent sensitive data to an incorrect address;

(b) sent letters and cheques to an incorrect address despite having been aware at that time that the address was incorrect and after she had instructed them not to send anything in the post as it got lost; and

(c)          told her that no cheques had been sent, but she had received a photograph of a letter that Barclays Bank plc had sent to an incorrect address, and the letter refers to an enclosed cheque (which she has not seen).

(d)         lied to her.

2.             On 19 April 2023, Ms Dennerlein updated her complaint as follows:

(a)          letters with sensitive information sent to the wrong address, multiple times, between 2015 and 2022. This includes a cheque that has been sent.

(b)         various emails sent “in error”.

(c)          her subject access requests from June 2022, October 2022, and January 2023 should have been responded to within 28 days.

3.             On 31 May 2023, the Information Commissioner responded to Ms Dennerlein’s complaint. His “view of your complaint” as set out in his letter was as follows:

Our view of your complaint

We have considered the issues you have raised with us, including the supporting evidence you have provided and also the information provided by Barclays.

As explained in previous emails, we contacted Barclays with the details of your complaint and asked they explain further how they have handled your personal data and subject access requests. Barclays have provided a full response addressing our questions and your concerns.

Based on the information provided by Barclays, we are satisfied with their response and their handling of your personal data and subject access requests. As such, this is not a matter we intend to pursue further.

4. On 26 June 2023, Ms Dennerlein appealed to this Tribunal. A summary of her grounds of appeal is as follows:

On 31 May 2023 the ICO responded by saying that they had received a response from Barclays and that Barclays had dealt with the complaint properly (attached). The case manager was [name redacted].

As Barclays had not provided any data, I asked the ICO to show me the response from Barclays. [Name redacted] from the ICO responded (attached) that they would have a different department that deals with this and advised that this department would send me the response "by 26 June 2023".

On 26 June 2023 I received an email from [name redacted] saying that she would not release the data as it had been provided by the DPO at Barclays purely for the investigation and therefore she would not need to provide it.

I would at least like to know if Barclays said they sent the data for the accounts they closed in 2022 or whether they told the ICO they would not provide the data and the reasons for that.

I would like to point out that:

a) it is impossible for me to see if Barclays had told the truth

b) the ICO seems to wait until the last possible moment instead of responding in a timely manner. They took 26 days for a very simple response and I assume that they know very well that I need to apply to the tribunal within 28 days from the decision.

The outcome sought by Ms Dennerlein is:

I would like to receive my personal data in relation to my personal accounts (ISA, Sterling current currency account, and Foreign Currency Euro account).

5.             Ms Dennerlein has also made an information access request in respect of information held by the Information Commissioner. This is the subject of a separate case, and is not within the scope of this appeal.

6.             The Information Commissioner by his Response dated 11 September 2023 applies to strike out Ms Dennerlein’s appeal on the grounds that it falls outside the Tribunal’s jurisdiction.

7.             Section 165 Data Protection Act 2018 (“DPA”) sets out the rights of data subjects (such as Ms Dennerlein) to complain to the Information Commissioner, it relevantly provides as follows:

(2) A data subject may make a complaint to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of Part 3 or 4 of this Act.

[…]

(4) If the Commissioner receives a complaint under subsection (2), the Commissioner must—

(a) take appropriate steps to respond to the complaint,

(b) inform the complainant of the outcome of the complaint,

(c) inform the complainant of the rights under section 166, and

(d) if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint.

(5) The reference in subsection (4)(a) to taking appropriate steps in response to a complaint includes—

(a) investigating the subject matter of the complaint, to the extent appropriate, and

(b) informing the complainant about progress on the complaint, including about whether further investigation or co-ordination with a foreign designated authority is necessary.

8.             Section 166 DPA governs the Tribunal’s jurisdiction to give orders to the Information Commissioner to “progress complaints”. It relevantly provides as follows:

(1) This section applies where, after a data subject makes a complaint under section 165 or Article 77 of the UK GDPR, the Commissioner—

(a) fails to take appropriate steps to respond to the complaint,

(b) fails to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or

(c) if the Commissioner's consideration of the complaint is not concluded during that period, fails to provide the complainant with such information during a subsequent period of 3 months.

(2) The Tribunal may, on an application by the data subject, make an order requiring the Commissioner—

(a) to take appropriate steps to respond to the complaint, or

(b) to inform the complainant of progress on the complaint, or of the outcome of the complaint, within a period specified in the order.

(3) An order under subsection (2)(a) may require the Commissioner—

(a) to take steps specified in the order;

(b) to conclude an investigation, or take a specified step, within a period specified in the order.

9.             These provisions do not give data subjects a right of appeal against the Information Commissioner’s decision. The Upper Tribunal in Scranage v Information Commissioner [2020] UKUT 196 (AAC) at [6] observed:

[…] there is a widespread misunderstanding about the reach of section 166. Contrary to many data subjects’ expectations, it does not provide a right of appeal against the substantive outcome of the Information Commissioner’s investigation on its merits. Thus, section 166(1), which sets out the circumstances in which an application can be made to the Tribunal, is procedural rather than substantive in its focus. This is consistent with the terms of Article 78(2) of the GDPR (see above). The prescribed circumstances are where the Commissioner fails to take appropriate steps to respond to a complaint, or fails to update the data subject on progress with the complaint or the outcome of the complaint within three months after the submission of the complaint, or any subsequent three-month period in which the Commissioner is still considering the complaint.

10.         The procedural focus of s166 was reaffirmed by the Upper Tribunal in its decision in Killock & Veale and others v Information Commissioner [2021] UKUT 299 (AAC) at [74]:

[i]t is plain from the statutory words that, on an application under s.166, the Tribunal will not be concerned and has no power to deal with the merits of the complaint or its outcome. We reach this conclusion on the plain and ordinary meaning of the statutory language but it is supported by the Explanatory Notes to the Act which regard the s.166 remedy as reflecting the provisions of article 78(2) which are procedural. Any attempt by a party to divert a Tribunal from the procedural failings listed in s.166 towards a decision on the merits of the complaint must be firmly resisted by Tribunals.

11.         In Leighton v Information Commissioner (No.2) [2020] UKUT 23 (AAC) the Upper Tribunal gave guidance at [31] as to the meaning of the requirement for the Information Commissioner to take “appropriate steps”:

“Appropriate steps” means just that, and not an “appropriate outcome”. Likewise, the FTT’s powers include making an order that the Commissioner “take appropriate steps to respond to the complaint”, and not to “take appropriate steps to resolve the complaint”, least of all to resolve the matter to the satisfaction of the complainant.

12. In Killock at [73] the Upper Tribunal held that it was not for the Tribunal to decide how the Information Commissioner should undertake his investigation:

If the Tribunal itself were to decide what an “appropriate” investigation should comprise, that would seriously undermine the Commissioner’s regulatory discretion. As the expert regulator, the Commissioner is in the best position to decide what investigations she should undertake into any particular issue, and how she should conduct those investigations. Such decisions will be informed not only by the nature of a complaint itself, but also by a range of other factors of which the Tribunal will have no or only second-hand knowledge, including, for example, (i) the Commissioner’s regulatory priorities; (ii) other investigations that the Commissioner may have undertaken in the same subject area; (iii) the Commissioner’s judgment on how to deploy her limited resources most efficiently and effectively. The effect of the other parties’ submissions would be that the Tribunal would trespass upon the Commissioner’s complex judgements about how best to balance the respective rights and interests of data subjects, controllers and processors in a wide variety of different circumstances.

13.         The Upper Tribunal went on at [87] to consider the scope of s166 DPA as being:

[…] concerned with remedying ongoing procedural defects that stand in the way of the timely resolution of a complaint. The Tribunal is tasked with specifying appropriate “steps to respond” and not with assessing the appropriateness of a response that has already been given (which would raise substantial regulatory questions susceptible only to the supervision of the High Court). It will do so in the context of securing the progress of the complaint in question. We do not rule out circumstances in which a complainant, having received an outcome to his or her complaint under s.165(b), may ask the Tribunal to wind back the clock and to make an order for an appropriate step to be taken in response to the complaint under s.166(2)(a). However, should that happen, the Tribunal will cast a critical eye to assure itself that the complainant is not using the s.166 process to achieve a different complaint outcome.

14.         The High Court has recently approved the approach taken by the Upper Tribunal in Killock & Veal in its decision in R (on the application of Delo) v Information Commissioner and Wise Payments Ltd [2022] EWHC 3046 (Admin) where it confirmed the very wide discretion given to the Information Commissioner in his handling of complaints under s166 DPA as he thinks best, including entitling the Information Commissioner to decide to take no further action even on non-spurious complaints. However Mostyn J criticised the Upper Tribunal’s comment at [87] that a complainant could ask the Tribunal to “wind back the clock and to make an order for an appropriate step to be taken” - rather Mostyn J held that once an outcome has been pronounced, the complainant’s remedy in such a case would be to seek an order for judicial review in the High Court.

15.         The Information Commissioner submits that the outcome sought by Ms Dennerlein (to receive copies of her personal data held by Barclays) is not something that the Tribunal can grant within the confines of s166 DPA. Further, s166 DPA only permits a Tribunal to make an order against the Information Commissioner if he has failed in some procedural respect.

16.         Ms Dennerlein submits that the Information Commissioner failed to take reasonable steps to resolve her complaint in accordance with s165(4)(a) DPA. She submits that the Information Commissioner had the opportunity to simply look at the account numbers for the bank accounts that are the underlying subject of her complaint, and compare these with the account numbers applicable to the information provided to the Information Commissioner by Barclays. Had the Information Commissioner done so, he would have easily seen that Barclays had not provided the data requested by her. Ms Dennerlein submits that in failing to compare the data provided by Barclays to the request made by Ms Dennerlein, the Information Commissioner has failed to comply with s165(5) DPA as he failed to take what was plainly a reasonable step.

17.         Ms Dennerlein submits that Barclays admitted to not having fulfilled their obligations under the subject data access request until 26 September 2023. It therefore follows that the Information Commissioner’s decision which states that Barclays had complied with her request must have been wrong - the data not having been provided until after the Information Commissioner’s decision. She submits that the Information Commissioner should have stated that Barclays had not complied with the subject data access request.

18.         Ms Dennerlein submits that because of the failures of the Information Commissioner, he failed to undertake reasonable steps to investigate her complaint. She submits that her appeal has reasonable prospects of success and should not be struck out.

19.         It is not clear to me that the Information Commissioner’s decision stated that Barclays had complied with her subject data access request - rather his decision letter says that he was satisfied with Barclays’ response to his enquiries.

20.         In any event, irrespective of the merits of Ms Dennerlein’s submissions, I find that the matters that she raises are outside the jurisdiction of the Tribunal. The decisions of the Upper Tribunal and the High Court, which are binding upon me, are that the jurisdiction of the Tribunal is restricted to procedural matters. In Delo Mostyn J said the following:

[132] [Counsel for the Information Commissioner] argues that:

"The Claimant's challenge is not that the Commissioner's substantive decision was wrong on its merits but rather that the Commissioner failed to adequately determine the complaint (i.e. failed to take appropriate steps to respond to the complaint). That is a procedural failing of the sort where the appropriate forum for redress is the Tribunal by way of an application pursuant to section 166(2). The Claimant's complaint is that the Commissioner should have approached Wise for further information and that the Commissioner should have reached a concluded view on whether Wise had complied with its data protection obligations. The Claimant could, pursuant to s 166 DPA 2018, have asked the Tribunal to require the Commissioner to take those steps."

[133] In my judgment this is precisely the sort of sleight of hand with which I disagree. The Commissioner's argument seeks to clothe a merits-based outcome decision with garments of procedural failings. The substantive relief sought by the Claimant was disclosure of the documents. The Commissioner's argument is that the Tribunal could have made a mandatory procedural order specifying as a responsive step the disclosure of those very documents.

21.         In essence the argument presented on behalf of the Information Commissioner in that case is similar to the submissions made by Ms Dennerlein in this case. I find that Ms Dennerlein’s submission, that the Information Commissioner failed to undertake reasonable steps to investigate her complaint, is in substance using the s166 DPA process to seek to achieve a different complaint outcome - something that was the subject of criticism by the Upper Tribunal in Killock & Veal and by the High Court in Delo. I find that I have no jurisdiction in relation to Ms Dennerlein’s appeal under s166 DPA.

22.         I also agree with the Information Commissioner that the outcome sought by Ms Dennerlein (the provision of information relating to her bank accounts) is beyond the scope of this Tribunal’s powers.

23.         Rule 8(2)(a) of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 requires me to strike out proceedings if the Tribunal does not have jurisdiction in relation to them. As I have found that the Tribunal has no jurisdiction in relation to this appeal, I find that I must strike it out.

24.         If Ms Dennerlein is dissatisfied with the decision of the Information Commissioner, and believes that Barclays has continued to infringe her information rights, her remedy is to seek an order of compliance by way of separate civil proceedings under s167 DPA before the County Court or the High Court - and not an appeal to this Tribunal.

 

NICHOLAS ALEKSANDER

TRIBUNAL JUDGE

Date: 6 November 2023
  1. The UK follows both GDPR and the Data Protection Act 2018. The DPA 2018 incorporates GDPR into UK law and adds further provisions for specific purposes.
  2. Article 77 remains the same in both the UK and EU GDPR.
  3. This procedural reading was confirmed in Killock & Veale and others v Information Commissioner [2021] UKUT 299 (AAC) and Leighton v Information Commissioner (No.2) [2020] UKUT 23 (AAC).