Ben Peter Delo, R (on the application of) v The Information Commissioner

This appeal concerns the scope of the Information Commissioner’s duties under the UK GDPR and the Data Protection Act 2018 when a data subject lodges a complaint about a controller’s response to a subject access request (Article 15). The court held that Articles 57, 77 and 78 and the corresponding provisions of the DPA 2018 do not oblige the Commissioner to investigate and determine the merits of every complaint. Instead the Commissioner must "handle" complaints, investigate the subject-matter "to the extent appropriate" and inform the complainant of progress and of an "outcome"; that outcome may lawfully be a decision to take no further action after limited investigation. Applying those principles, the court concluded that the Commissioner acted lawfully and rationally in the facts of this case in concluding, on the material before him, that it was likely the controller had complied and that no further action was required.

The appellant, Mr Delo, submitted a subject access request to Wise Payments Limited and complained to the Information Commissioner when Wise withheld material including suspicious activity reports, citing exemptions said to relate to prevention or detection of crime (Schedule 2 Part 1 paragraph 2 of the DPA 2018). The Commissioner reviewed correspondence and informed Mr Delo that, on the material available, it was likely Wise had complied and that no further action would be taken. Mr Delo brought judicial review challenging (i) the Commissioner’s alleged duty to determine the merits of every complaint, (ii) the lawfulness of the Commissioner’s investigation and (iii) errors in the decision-making process. The High Court (Mostyn J) treated the issues as fit for decision despite academic elements and dismissed the claim. On appeal the questions were (1) whether the Commissioner is obliged to reach a definitive merits decision on every complaint under Articles 57/77/78 and related DPA 2018 provisions, and (2) whether, on the facts of this case, the Commissioner acted unlawfully in declining to determine the merits further.

The Court of Appeal undertook an interpretative analysis of Articles 57, 77 and 78, relevant recitals (including Recitals 141 and 143), and the DPA 2018 provisions (notably ss 115, 165, 166 and 167). The court also considered CJEU authorities relied upon by the appellant (Data Protection Commissioner v Facebook Ireland, Case C-311/18; BE v Nemzeti Adatvédelmi és Információszabadság Hatóság, Case C-132/21) and domestic tribunal authority (Killock v Information Commissioner [2021] UKUT 299). The court concluded that the statutory language (the requirement to "handle" complaints, to investigate "to the extent appropriate" and to inform complainants of an "outcome") points to a regulatory discretion over the extent of investigation and over what form the outcome takes. Recitals and the DPA 2018 are consistent with that reading. The CJEU authorities do not require a different result; they permit concurrent and independent remedies and require effective judicial remedies where the Commissioner fails to handle or inform, but do not impose a blanket duty to determine every complaint on the merits.

On the facts the court found no error of law or irrationality in the Commissioner’s decision: the ICO had received submissions and documents, had formed a view that Wise’s position was likely compliant or justified by exemptions, and reasonably took into account that direct remedies against the controller existed. The appeal was dismissed.

Appeal dismissed. The court held that Articles 57, 77 and 78 of the UK GDPR and the relevant provisions of the DPA 2018 require the Commissioner to "handle" complaints, investigate the subject-matter only "to the extent appropriate" and to inform the complainant of progress and of an "outcome"; those provisions do not impose a duty to investigate and determine the merits of every complaint. Applying that interpretation, the Commissioner did not act unlawfully or irrationally in this case in concluding, on the material before him, that no further action was required.

Appeal from the Administrative Court (Mr Justice Mostyn) [2022] EWHC 3046 (Admin). Permission to appeal was granted and the Court of Appeal (Civil Division) delivered judgment at [2023] EWCA Civ 1141.