The Information Commissioner has a range of tools at its disposal once a complaint is made to it about the handling of personal data, both during an investigation and after it has upheld a complaint. For example, it can compel the provision of information, compel a data controller to provide people for interview or permit it to examine documents or processes via an assessment notice, compel or ban a data controller from taking specified steps through an enforcement notice, and of course impose those much-feared fines of up to the higher of £17.5m or 4% of annual worldwide turnover. It can also, of course, rule that a complaint is not upheld. But is it obliged to do any of those things, or can it simply decide not to issue a final decision on a complaint?
The Court of Appeal in R (Delo) v Information Commissioner  EWCA Civ 1141 held that it was within the IC’s discretion to decide to resolve or progress a complaint in some way other than upholding or rejecting it. Warby LJ (with whom Laing and Peter Jackson LJJ agreed) held that ‘The legislative scheme requires the Commissioner to receive and consider a complaint and then provides the Commissioner with a broad discretion as to whether to conduct a further investigation and, if so, to what extent. I would further hold […] that having done that much the Commissioner is entitled to conclude that it is unnecessary to determine whether there has been an infringement but sufficient to reach and express a view about the likelihood that this is so and take no further action.’
That followed a detailed review of the history of UK data protection legislation back to the Data Protection Act 1984, and the changing roles of the regulator. Warby LJ also examined the relevant EU case law and legislation to assist in interpreting the DPA 2018. The upshot was that the IC’s handling of Mr Delo’s complaint about his DSAR was lawful, even though it did not reach a concluded view on whether to uphold his complaint or not, but simply expressed a view that it was likely that he had been provided with all the information to which he was entitled.
That will be a welcome decision for the IC, who would otherwise have had to commit substantial additional resources to resolving complaints. As for data subjects, it leaves claims for compliance orders under s.167 DPA as the only route by which a definitive answer to whether their data rights have been breached. We have been saying for a while that claims based on s.167 is an area to expect further developments from the courts. This decision does nothing to change that view.
A monthly data protection bulletin from the barristers at 5 Essex Chambers