UK: Landmark Decision Handed Down On ICO's Responsibilities In Handling Subject Access Requests

On 10 October 2023, the England and Wales Court of Appeal handed down its decision in Delo, R. (On the Application Of) v. The Information Commissioner¹, in which it upheld an earlier High Court ruling that the UK's data protection regulator, the Information Commissioner's Office (ICO), is not obliged to reach a definitive decision on the merits of each and every data subject access request (DSAR) complaint, but that it – instead – has broad discretion, which it found the ICO had exercised lawfully under the UK General Data Protection Regulation (GDPR) when responding to a DSAR complaint.

Background

The claimant, Ben Delo, was a customer of Wise Payments Limited, a financial institution with which he held an account. Wise had deactivated the claimant's account and sent a suspicious activity report to the National Crime Agency following a bank transfer request of £270,000 by the claimant. As a result, Delo submitted a DSAR asking for a copy of the personal data Wise held about him. Wise provided copies of some documents to the claimant, but not a copy of the suspicious activity report or any internal communications concerning him.

Delo submitted further DSARs, and Wise declined to provide much of the data sought on the basis that it was exempt from doing so under the UK's money laundering rules. The claimant complained to the ICO that Wise's response did not comply with his rights of access. The ICO reviewed relevant correspondence and advised Delo that it was likely that Wise had complied with its obligations, and – in doing so – it made clear that no further action would be taken against Wise in respect of the matter.

Delo brought a claim for judicial review, maintaining that the ICO had failed to discharge its legal duty to determine any such complaint or, alternatively, had acted unlawfully in failing to investigate further by reaching an unlawful and irrational conclusion. However, by the time the judicial review was brought before the High Court, the case against Wise had been compromised, as Delo had been provided with the personal data he was seeking. Accordingly, the issues raised by the claim were only academic, but nevertheless were considered by the High Court on the basis that there was public interest in doing so.

The High Court dismissed Delo's application for judicial review, as it held that the ICO was not obliged to determine the merits of each and every complaint, but instead had a discretion which it had exercised lawfully. The claimant subsequently filed an appeal.

Questions considered by the Court of Appeal

The Court of Appeal was asked to consider two main questions:

• Is the ICO obliged to reach a definitive decision on the merits of each complaint, or does it have discretion to decide that another outcome is appropriate?
• If the ICO does have discretion, did it act unlawfully in this case by declining to investigate or declining to determine the merits of the complaint made by the claimant?

The first main issue: What are the ICO's responsibilities?

The Court of Appeal examined the history of data protection law and noted that, historically, the Data Protection Act 1984 and the Data Protection Act 1998 gave the supervisory authority discretion to undertake a 'light-touch' summary consideration of a complaint without determining its merits. The Court of Appeal considered the UK GDPR to be a codifying, consolidating and updating measure, which made no material change to the role of the supervisory authority in this regard. The Court of Appeal held that there is nothing to suggest that the legislature had intended to change the previous law about the handling of such complaints, and that the treatment of such complaints by the ICO remains within the ICO's exclusive discretion.

The Court of Appeal focused on the wording of the ICO's powers and on the reference to the role of the ICO in handling a complaint. The Court of Appeal noted that, on examination of Article 57(1)(f) of the UK GDPR (the ICO's tasks), it did not contain any words that were redolent of decisions on the merits of a complaint. The Court of Appeal further noted that the ICO has to 'handle' a complaint and 'investigate' the subject matter but only 'to the extent appropriate'.

On an ordinary and natural interpretation of the language, the ICO's primary obligations are to address and deal with every complaint by arriving at and informing the complainant of some form of 'outcome', having first investigated the subject matter to the extent appropriate. This process allows the ICO to decide what the appropriate extent of the investigation for each complaint should be, and it follows that the ICO has an equivalent power to determine the form of the outcome. Other articles – such as Article 77, Article 78, Recital 141, Recital 143 and case law – support that linguistic interpretation.

The Court of Appeal further held that an 'outcome' must be the end of the ICO's 'handling' of a complaint. A conclusive determination or ruling on the merits that brings an end to the complaint is an 'outcome', but so is a decision to cease handling a specific complaint whilst using it to inform and assist a wider industry investigation. The Court of Appeal held that the High Court was right to hold that 'outcome' was an apt description of the ICO's decision to conclude the investigation by informing the claimant that the conduct complained of was likely to be compliant with the UK GDPR.

The Court of Appeal highlighted that it is worth noting that the functions assigned to the ICO by the UK GDPR and the Data Protection Act 2018 are not those of a regulator with exclusive competence over all matters of compliance, subject to judicial supervision. Still less is the ICO designated as an adjudicatory authority with exclusive jurisdiction. The role of the ICO is supervisory.

The second main issue: Did the ICO act unlawfully in this case?

The Court of Appeal upheld the High Court's conclusion that the ICO had complied with all of its obligations. The ICO had:

• Received and reviewed the complaint and the attached correspondence.
• Formed the view that the case did not require further investigation.
• Reached an outcome decision.
• Informed the claimant of the outcome – specifically, that no further action would be taken by the ICO against Wise.

The ICO's decisions were 'completely lawful, both in substance and procedurally'. The Court of Appeal held that the ICO was under no obligation to seek further materials from Wise or to reach a conclusive determination as to whether Wise had complied with its obligations. It was sufficient for the ICO 'to conclude on the basis of the available information that it appeared likely that Wise had so complied'.

Takeaways

Data controllers and data subjects should take note of this judgment, as it is the first authority to address the scope of the ICO's powers when handling DSAR complaints. The Court of Appeal's decision shows that the ICO is not obliged to investigate every complaint, and that it may be more appropriate – in some cases – to take other action, such as providing advice or guidance.

The judgment is helpful from a procedural perspective too, as it clarifies that a complaint to the ICO does not preclude a civil claim being brought against a data controller. In practice, it may well be the case that data subjects pursue both avenues – either in tandem or with a civil claim following an ICO complaint.

Footnotes

1. [2023] EWCA Civ 1141.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.