The Court of Appeal has issued its ruling in Ben Peter Delo, R (on the application of) v The Information Commissioner [2023] EWCA Civ 1141.
The case concerned a long-running court battle over a subject access request complaint.
The Court of Appeal upheld an earlier High Court decision by Mr Justice Mostyn to dismiss a claim by Mr Ben Delo that the ICO had unlawfully failed to determine his complaint about a subject access request he had made to Wise Payments Limited. He effectively argued that the ICO should decide his complaint, rather than having to make a claim under Article 79 of the UK GDPR.
The case involved two main questions:
- is the Commissioner obliged to reach a definitive decision of the merits of each and every such complaint or does he have a discretion to decide that some other outcome is appropriate?
- if the Commissioner has a discretion, did he nonetheless act unlawfully in this case by declining to investigate or declining to determine the merits of the complaints made by the claimant (“Mr Delo”)?
Mr Delo made a data subject access request to Wise Payments Limited, a financial institution with which he had an account. Wise declined to provide much of the data sought, claiming that it was exempt from doing so.
Mr Delo complained to the Commissioner that this response was not in accordance with this rights of access. The Commissions reviewed relevant correspondence and advised Mr Delo that it was likely that Wise had complied with its obligations, making clear that no further action would be taken.
Mr Delo brought a claim for judicial review, maintaining that the Commissioner had failed to discharge a legal duty to determine any such complaint or alternatively had acted unlawfully in failing to investigate further and/or by reaching an unlawful and irrational conclusion. Separately, Mr Delo exercised his right to sue Wise, alleging that it had wrongfully refused him access to the personal data covered by his DSAR.
The first instance judge held that the Commissioner was not obliged to determine the merits of each and every complaint but had a discretion which he had exercised lawfully. he therefore dismissed the claim. Mr Delo appealed.
The Court of Appeal’s ruling
The Court of Appeal confirmed that the ICO had broad discretion in deciding the extent to which it investigates each complaint and is entitled to reach and express a view on the complaint, without necessarily determining whether there has been an infringement.
It said that legislative history did not assist in the case and that the ICO’s resources (levels of staffing) could not have a bearing on the law.
The court said that the law did not say that the ICO had to rule upon a complaint, only that it had to deal with it. The law does not prescribe a remedy for a complainant, only that the ICO must inform the complainant of the outcome of their complaint. The law does not make the ICO into a court or tribunal. An “outcome” meant something along the lines of telling Mr Delo that the conduct complained of was likely to breach the UK GDPR, or that it was not. The law gives the ICO a supervisory role rather than being a regulator with exclusive powers. The Commissioner’s functions in respect of compliance sit alongside those of the courts and tribunals. The UK GDPR also gives the ICO a wide discretion about the intensity of any investigation. This can mean considering a complaint in the first isntance but taking no further action.
The Court also ruled that the ICO acted lawfully in deciding the outcome of Mr Delo’s complaint and that the first instance judge had decided correctly. The judge concluded:
“I would also endorse the judge’s conclusion that the right of a data subject such as Mr Delo to bring a direct claim against the data controller is a relevant consideration which lends support to the legitimacy of the Commissioner’s decision. As I have made clear, I do not accept Mr Delo’s argument that the Commissioner is obliged to operate the complaints regime as a cost-free alternative to a claim under Article 79. The Commissioner has a discretion. The funding obligation enshrined in Recital 120 is not to be read as a blank cheque, or as an authorising unnecessary or wasteful regulatory action. It must be legitimate for the Commissioner, when deciding how to deploy the available resources, to take account not only of his own view of the likely outcome of further investigation and the likely merits, but also of any alternative methods of enforcement that are available to the data subject.”