The Court of Appeal judgment in Delo v The Information Commissioner [2023] held that under the UK GDPR, the Information Commissioner's Office ("ICO") is not required to determine the merits of every data subject complaint that it receives. Instead, looking at the wording in the legislation, the requirement is for the ICO to: (i) "handle" a complaint; (ii) investigate it "to the extent appropriate"; and (iii) inform the data subject of the "progress" and "outcome" of their complaint.
Although the ICO may arrive at an "outcome" by determining the merits of a complaint, it does not mean that every complaint needs to be handled in this way. For example, one outcome could be that the ICO stops considering a complaint to pursue a wider investigation into the industry. Alternatively, the ICO may decide that on balance, the likelihood is that the organisation in question had complied with its obligations under the UK GDPR and that no further action would be taken (which was the outcome in the present case). The ICO is therefore able to discharge its duty to inform a data subject of the "outcome" of their complaint without necessarily having to make a merits-based determination.
In this sense, the Court viewed that the legislation provides the ICO with "broad discretion" as to whether to conduct further investigations into a complaint and if so, to what extent. Importantly, the legislation does not designate the ICO as an adjudicatory authority with exclusive authority. Instead, the role of the ICO is "supervisory" as described in the UK GDPR.
In arriving to its decision, the Court examined the wording under Articles 57, 77 and 78 UK GDPR as detailed below*. Together, these Articles deal with the duties of the ICO and the rights that data subjects have in relation to the ICO.
*Note that this case commentary does not cover all the issues and points covered in the judgment but highlights the key points that the Court considered when arriving to its conclusion that the ICO is not required to determine the merits of each and every complaint that it receives.
Articles 57, 77 and 78 UK GDPR do not require the ICO to determine every complaint on its merits
Article 57 sets out the tasks of the ICO. In particular, Article 57(1)(f) UK GDPR requires the ICO to "handle complaints lodged by a data subject…and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation…"
The Court observed that there are no words in this Article that require the ICO to adjudicate, decide, determine, rule upon or resolve a complaint or that complaints must be upheld or not upheld by the ICO. As such, the Court concluded that the language used in this Article does not adopt any of these "familiar ways" of designating the ICO with a decision-making function, nor does it make any reference to making decisions on the merits of a complaint. Instead, the wording in this Article tells us that the ICO must:
- "handle" a complaint;
- "investigate the subject matter of the complaint" but even then, only "to the extent appropriate"; and
- "inform" the complainant of the "progress" and "outcome" of the investigation.
Similarly, where a data subject exercises his or her right to lodge a complaint with the ICO under Article 77(1), the Court observed that the language in Article 77(2) does not state that the data subject is entitled to have the ICO adjudicate, decide, determine or resolve that complaint. Instead, the wording in Article 77(2) requires the ICO to "inform" the data subject "on the progress and outcome" of the complaint. No remedy is identified other than an "outcome".
In addition, the Court observed that although Article 78 provides individuals with a right to an "effective judicial remedy" against the ICO, it does not state that there must be such a remedy where the ICO fails to determine the merits of a complaint. Instead, the conduct for which Article 78 requires an effective judicial remedy is the failure to "handle" the complaint or to "inform" the data subject of its "progress" or "outcome".
Therefore, according to the Court, the words used in Articles 57, 77 and 78 were "all distinctive and unusual words to use in a context of this kind". In the absence of language that designates a decision-making function to the ICO or that requires the ICO to make decisions on the merits of a complaint, the Court concluded that the legislative intent was not to require the ICO to determine every complaint on its merits.
The ICO is supervisory not adjudicatory
The Court highlighted that the UK GDPR and Data Protection Act 2018 do not assign the ICO with functions of a regulator with exclusive competence over all matters of compliance, subject to judicial review; in other words, the ICO is not designated as an adjudicatory authority with exclusive authority – instead, the role of the ICO is supervisory as described in the UK GDPR.
Looking at the tasks assigned to the ICO under Article 57 UK GDPR, the Court observed that this included tasks such as promoting awareness, providing information and advice about rights and a wide range of other functions that have "no adjudicatory content". According to the Court, the ICO is plainly expected to bring specialist knowledge and expert judgment to bear in performing these functions. But, as demonstrated above, there is nothing that "spells out any duty to reach a conclusion on the merits of every complaint".
The Court also pointed out that the ICO's function in relation to compliance sit alongside those of the courts and tribunals. For example, the Information Tribunal has enforcement powers in respect of the ICO's complaints-handling procedures whereas the High Court has powers to review the lawfulness of the ICO's decision making.
Out of the relevant Articles under discussion in the judgment, the Court noted that Article 79 UK GDPR (which provides individuals with a right to an effective judicial remedy against a controller or processor) is the only one which clearly requires a conclusive decision to be made on the substantive merits of an allegation of non-compliant processing – and within this context, the decision making role is assigned to a court or tribunal.
Concluding remarks
The Information Commissioner John Edwards welcomed the Court's judgment stating that he was "pleased that the Court agrees that it's important we're able to prioritise appropriately, taking into account the merits of each complaint and likely outcome of further investigation".
Subject to any further appeal, the confirmation in this case not only provides the ICO with the clarity it requires when dealing with data subject complaints, but also equips organisations subject to the UK GDPR with the knowledge that not every complaint against them will lead to further regulatory investigation that will inevitably require the complaint to be determined on its merits.
For more information please get in touch with the author Tuğhan Thuraisingam below, or your usual DWF contact.