Ben Peter Delo, R (on the application of) v The Information Commissioner & Anor

The court considered whether the Information Commissioner is obliged under Article 57.1(f) of the UK GDPR to investigate and reach a conclusive determination on every complaint made under Article 77.1. The judge reviewed the historical development of the Commissioner’s role (under the Data Protection Acts 1984 and 1998), the EU Data Protection Directive, and the retained UK GDPR and concluded that the Commissioner’s functions are a bundled package of monitoring, education, advice and complaint-handling conducted consistently with an overarching observance objective.

The court held that Article 57.1(f) and related provisions (including Recital 141 and Article 78) permit the Commissioner to decide the appropriate extent of an investigation and to lawfully take the outcome of ‘no further action’ in appropriate cases. Section 166 of the Data Protection Act 2018 was interpreted as a procedural, forward-looking remedy for delay or procedural defect in complaint handling and not as a route to force a merits determination once an outcome has been given. On the facts the Commissioner lawfully reviewed the complaint, concluded further investigation was not necessary and lawfully decided to take no further action; judicial review was therefore dismissed.

Background and parties: The claimant, Ben Peter Delo, brought judicial review proceedings against the Information Commissioner after the Commissioner decided to take no further action on his complaints about Wise Payments Limited (Wise) allegedly withholding personal data in response to a data subject access request (DSAR). Wise was joined as an interested party. The claimant had also pursued a parallel civil action against Wise for disclosure under Article 15 and subsequently obtained the withheld documents from Wise.

Nature of the claim / relief sought: The claimant sought a quashing order and mandatory relief requiring the Commissioner to reopen or re-take his decision, and alternatively a declaration that the Commissioner’s decision of 24 November 2021 was unlawful. The substantive object was to secure disclosure of documents the claimant asserted Wise had unlawfully withheld.

Procedural posture: Permission for judicial review was granted. The Commissioner contended the claim was academic after the claimant obtained the documents from Wise and that, in any event, the claimant had an alternative remedy under section 166 of the Data Protection Act 2018.

Issues framed:

• Whether Article 57.1(f) of the UK GDPR requires the Commissioner to investigate every complaint to the extent of reaching a conclusive determination;
• Whether section 166 DPA 2018 provided an alternative remedy that the claimant should have pursued;
• Whether, on the facts, the Commissioner failed to determine the complaint, failed to conduct a lawful investigation, or acted irrationally or unlawfully by taking no further action.

Court’s reasoning and conclusion: The court undertook a historical and textual analysis of the Commissioner’s functions under earlier Acts and the GDPR. It concluded that complaint-handling has always been part of a bundle of regulatory, advisory and educative functions aimed at promoting observance of data protection principles, and that the Commissioner has a broad discretion to determine the appropriate extent of any investigation (Article 57.1(f) and Recital 141). Section 166 was held to be a procedural remedy to remedy delay or failure to take procedural steps while a complaint is pending, not a vehicle to obtain a different merits outcome after the Commissioner has given an outcome. Applying those principles, the court found the Commissioner lawfully reviewed the material, reasonably concluded further investigation was not required, and validly recorded the outcome of no further action. The judicial review claim was dismissed.

The claim for judicial review is dismissed. The court held that Article 57.1(f) of the UK GDPR and the statutory scheme (including the Data Protection Act 2018) permit the Commissioner to decide, in his regulatory discretion, the appropriate extent of investigation of complaints and to lawfully take the outcome of no further action in appropriate cases. Section 166 DPA 2018 provides a procedural remedy for delay or procedural failures while a complaint is pending and does not require the Commissioner to reach a merits determination in every case. On the facts the Commissioner lawfully exercised his discretion and his decisions of 12 October and 24 November 2021 were lawful.