The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

Information Commissioner’s discretion on ending complaint investigations

26 October 2023

The Information Commissioner has a range of tools at its disposal once a complaint is made to it about the handling of personal data, both during an investigation and after it has upheld a complaint. For example, it can compel the provision of information, compel a data controller to provide people for interview or permit it to examine documents or processes via an assessment notice, compel or ban a data controller from taking specified steps through an enforcement notice, and of course impose those much-feared fines of up to the higher of £17.5m or 4% of annual worldwide turnover. It can also, of course, rule that a complaint is not upheld. But is it obliged to do any of those things, or can it simply decide not to issue a final decision on a complaint?

The Court of Appeal in R (Delo) v Information Commissioner [2023] EWCA Civ 1141 held that it was within the IC’s discretion to decide to resolve or progress a complaint in some way other than upholding or rejecting it. Warby LJ (with whom Laing and Peter Jackson LJJ agreed) held that ‘The legislative scheme requires the Commissioner to receive and consider a complaint and then provides the Commissioner with a broad discretion as to whether to conduct a further investigation and, if so, to what extent. I would further hold […] that having done that much the Commissioner is entitled to conclude that it is unnecessary to determine whether there has been an infringement but sufficient to reach and express a view about the likelihood that this is so and take no further action.’

That followed a detailed review of the history of UK data protection legislation back to the Data Protection Act 1984, and the changing roles of the regulator. Warby LJ also examined the relevant EU case law and legislation to assist in interpreting the DPA 2018. The upshot was that the IC’s handling of Mr Delo’s complaint about his DSAR was lawful, even though it did not reach a concluded view on whether to uphold his complaint or not, but simply expressed a view that it was likely that he had been provided with all the information to which he was entitled.

That will be a welcome decision for the IC, who would otherwise have had to commit substantial additional resources to resolving complaints. As for data subjects, it leaves claims for compliance orders under s.167 DPA as the only route by which a definitive answer to whether their data rights have been breached. We have been saying for a while that claims based on s.167 is an area to expect further developments from the courts. This decision does nothing to change that view.

Further reading:

R (Delo) v Information Commissioner [2023] EWCA Civ 1141

The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.

Visit the Information Law, Data Protection and AI area

Search The Data Brief

Affiliations

 

Affiliations

Portfolio Builder

Select the practice areas that you would like to download or add to the portfolio

Download    Add to portfolio   
Portfolio
Title Type CV Email

Remove All

Download


Click here to share this shortlist.
(It will expire after 30 days.)