BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £5, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

England and Wales Court of Appeal (Civil Division) Decisions


You are here: BAILII >> Databases >> England and Wales Court of Appeal (Civil Division) Decisions >> Delo, R (On the Application Of) v The Information Commissioner (Rev1) [2023] EWCA Civ 1141 (10 October 2023)
URL: http://www.bailii.org/ew/cases/EWCA/Civ/2023/1141.html
Cite as: [2023] WLR(D) 407, [2024] 1 WLR 263, [2024] WLR 263, [2023] EWCA Civ 1141

[New search] [Printable PDF version] [View ICLR summary: [2023] WLR(D) 407] [Buy ICLR report: [2024] 1 WLR 263] [Help]


Neutral Citation Number: [2023] EWCA Civ 1141
Case No: CA-2022-002471

IN THE COURT OF APPEAL (CIVIL DIVISION)
ON APPEAL FROM THE HIGH COURT OF JUSTICE
KING'S BENCH DIVISION (ADMINISTRATIVE COURT)
Mr Justice Mostyn

[2022] EWHC 3046 (Admin)

Royal Courts of Justice
Strand, London, WC2A 2LL
10/10/2023

B e f o r e :

LORD JUSTICE PETER JACKSON
LADY JUSTICE ELISABETH LAING
and
LORD JUSTICE WARBY

____________________

Between:
THE KING (on the application of BEN PETER DELO)
Claimant/Appellant/

- and –


THE INFORMATION COMMISSIONER
Defendant/Respondent

____________________

Jason Coppel KC (instructed by Pallas Partners LLP) for the Appellant
Philip Coppel KC and David Bedenham (instructed by in-house legal team) for the Respondent

Hearing date: 18 July 2023

____________________

HTML VERSION OF JUDGMENT APPROVED
____________________

Crown Copyright ©

    LORD JUSTICE WARBY:

    Introduction

  1. The UK GDPR protects the rights of individuals with regard to the processing of their personal data. The Information Commissioner is the supervisory authority in the United Kingdom with responsibility for monitoring the application of the UK GDPR. This appeal is about the Commissioner's responsibilities when a data subject lodges a complaint that a data controller has infringed data protection law.
  2. The appeal involves two main questions: (1) is the Commissioner obliged to reach a definitive decision on the merits of each and every such complaint or does he have a discretion to decide that some other outcome is appropriate? (2) if the Commissioner has a discretion, did he nonetheless act unlawfully in this case by declining to investigate or declining to determine the merits of the complaint made by the claimant ("Mr Delo")?
  3. The context in which those questions arise is as follows. Mr Delo made a data subject access request ("DSAR") to Wise Payments Limited ("Wise"), a financial institution with which he had an account. Wise declined to provide much of the data sought, claiming that it was exempt from doing so. Mr Delo complained to the Commissioner that this response was not in accordance with his rights of access. The Commissioner reviewed relevant correspondence and advised Mr Delo that it was likely that Wise had complied with its obligations, making clear that no further action would be taken.
  4. Mr Delo brought a claim for judicial review, maintaining that the Commissioner had failed to discharge a legal duty to determine any such complaint or alternatively had acted unlawfully in failing to investigate further and/or by reaching an unlawful and irrational conclusion. Separately, Mr Delo exercised his right to sue Wise, alleging that it had wrongfully refused him access to the personal data covered by his DSAR.
  5. By the time the judicial review claim came before Mostyn J ("the judge") the case against Wise had been compromised and Mr Delo had been provided with the personal data he was seeking. The judge considered that the issues raised by the present claim were accordingly academic but he proceeded to decide them nonetheless on the grounds that, applying the principles identified in R v Secretary of State for the Home Department ex p Salem [1999] 1 AC 450, there was a public interest in doing so. The judge held that the Commissioner was not obliged to determine the merits of each and every complaint but had a discretion which he had exercised lawfully. He therefore dismissed the claim.
  6. On this appeal Mr Delo endorses the judge's decision to address the two substantive questions but maintains that he gave the wrong answer to each of them. The Commissioner argues that the judge answered both questions correctly, but by a Respondent's Notice he asks us to say that the judge should not have answered either of them. The Commissioner contends that the judge should have dismissed the claim without examination of its merits because (a) Mr Delo had adequate alternative remedies and/or (b) both questions were academic and there was no wider public interest in deciding them.
  7. The Commissioner's arguments about alternative remedies raise points of some interest which the judge did not decide. I do not think it necessary to do so. Assuming there was some adequate alternative remedy, that is a matter that goes to discretion not jurisdiction. In all the circumstances of this case, for reasons I shall develop, I would consider the merits in any event. And although the settlement with Wise meant that Mr Delo had achieved his main objective, and in that sense at least the claim was academic, the issues raised are of importance to data subjects generally and to the Commissioner. The judge's decision that it was in the public interest to decide them was a legitimate exercise of judgment with which we have no grounds to interfere. Furthermore, the judge has decided the issues, permission has been granted for this appeal, and we have heard full argument. To dismiss the appeal on the procedural grounds advanced by the Commissioner would be a waste of resources and a recipe for uncertainty.
  8. For these reasons I conclude that it is clearly in the public interest for this court now to decide both the questions I have identified.
  9. The legal framework

  10. Data protection law has gone through three main phases of development in this jurisdiction. The Data Protection Act 1984 gave effect to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data. The 1984 Act created a novel but relatively basic regime to protect individuals against misuse of personal data being processed by computers. It established the office of the Data Protection Registrar, with responsibility for dealing with complaints. The Data Protection Act 1998 ("the DPA 1998") gave domestic effect to Directive 95/46/EC ("the Data Protection Directive"). It created the role of Information Commissioner with expanded functions compared with those of the Data Protection Registrar. The General Data Protection Regulation 2016/679 ("the GDPR") replaced the Data Protection Directive. It was made in May 2016 and came into force with effect from 25 May 2018.
  11. The GDPR had direct effect in EU Member States, including the UK, until the end of the Brexit implementation period on 31 December 2020 ("IP Completion Day"). It was supplemented domestically by the DPA 2018 which came into force at the same time as the GDPR. Part 2 of the DPA 2018 was designed to be read with the GDPR, and as complementary to it. Part 3 was intended to give effect to the EU Law Enforcement Directive (2016/680) by making provision about the processing of personal data for law enforcement purposes, which is outside the scope of the GDPR. Part 4 deals with processing for intelligence purposes, which is also beyond the scope of the GDPR. Part 5 deals with the powers of the Information Commissioner. Part 6 makes provision about enforcement of the data protection legislation.
  12. I have spoken of only three main phases in the law because the UK Parliament decided that from IP Completion Day the content of the GDPR should remain part of English law, with certain modifications and amendments, under the title "UK GDPR". The legislative measures used to achieve this are identified and summarised in R (Open Rights Group) v Secretary of State for the Home Department [2021] EWCA Civ 800, [2021] 1 WLR 3611 [5] and [12]-[13]. They included some textual amendments to the GDPR and to the DPA 2018 but none that affects the substantive provisions that are relevant in this case.
  13. So, although Mr Delo's DSAR and Wise's response to it came before IP Completion Day, nothing turns on this. Mr Delo's complaint to the Commissioner was made after IP Completion Day so the relevant rights, duties, powers and responsibilities are to be found in the UK GDPR and the DPA 2018 as amended. For simplicity, I shall refer to the UK GDPR except where I am referring to an aspect that appears only in the EU version.
  14. The provision relied on by Mr Delo for his DSAR is Article 15 of the UK GDPR. This confers the "Right of access by the data subject": the right to obtain from the data controller access to the personal data themselves and information as to the purposes of the processing and the identities of those to whom the data have been or will be disclosed, as well as other rights.
  15. The right of access is an important one but it is not absolute. There are several exemptions. The one relevant to this case is provided for by paragraph 2 of Schedule 2 Part 1 of the DPA 2018. This provides that "the listed GDPR provisions", which include Article 15, do not apply to personal data processed for the purposes of preventing or detecting crime, apprehending or prosecuting offenders, or assessing or collecting taxes, "to the extent that the application of those provisions would be likely to prejudice" any of those matters. This qualified exemption, which has been called "the Crime and Taxation Exemption", is relevant here because, as I shall explain, the Commissioner inferred that this was the exemption on which Wise had relied when responding to Mr Delo's DSAR.
  16. A data subject dissatisfied with the data controller's response to a DSAR has two options: a regulatory complaint to the Commissioner about the conduct of the data controller and a direct claim for a judicial remedy against the data controller itself. Both are provided for in Chapter VIII of the UK GDPR, which is headed "Remedies, liability and penalties".
  17. Article 77 of the UK GDPR is headed "Right to lodge a complaint with the Commissioner". It says this:
  18. "1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with the Commissioner if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
    2. The Commissioner shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78."
  19. Article 78 is headed "Right to an effective judicial remedy against the Commissioner" and provides as follows:
  20. "1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of the Commissioner concerning them.
    2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the Commissioner does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77."
  21. The language of Articles 77(2) and 78(2) ("handle", "inform", "progress", and "outcome") reflects the wording of Article 57(1)(f), which is contained in Chapter VI, entitled "The Commissioner". Article 57 itself is headed "Tasks". Article 57(1) provides, so far as relevant, that:
  22. "Without prejudice to other tasks set out under this Regulation the Commissioner must:
    a. monitor and enforce the application of this Regulation;
    f. handle complaints lodged by a data subject … and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period …"
  23. Article 57(2) requires the Commissioner to "facilitate" the submission of complaints covered by Article 57(1)(f). Article 57(3) provides that "[t]he performance of the Commissioner's tasks is to be free of charge for the data subject …" Article 57(4) provides for an exception to this where a complaint is "manifestly unfounded or excessive". Recital (120) states that each supervisory authority should be provided with the resources "necessary for the effective performance of their tasks" and "a separate, public annual budget".
  24. Article 58 confers on the Commissioner a variety of regulatory powers including investigation, correction, prohibition, authorisation and advice. Among these are powers to suspend or prohibit future transfers of personal data (Article 58(2)(f) and (j)).
  25. Part 6 of the DPA 2018 ("Enforcement") contains two sections that make further provision about regulatory complaints.
  26. Section 165 is headed "Complaints by data subjects". Section 165(1) describes the rights to complain conferred on data subjects by Articles 57(1)(f) and 77 of the UK GDPR. Subsections 165(2)-(7) go further. They provide that a data subject may complain to the Commissioner about infringements of Part 3 or Part 4 of the DPA 2018 and make provision about how such complaints should be dealt with. Section 165 therefore extends the right to complain to cases involving processing by law enforcement or intelligence agencies which, as I have mentioned, are beyond the scope of the GDPR. This case is not concerned with processing of those kinds, but it is relevant to note the language used in s 165. Subsections (3) and (4) prescribe what the Commissioner has to do if he receives a complaint of this kind. This includes "facilitate the making of complaints", "take appropriate steps to respond", and "inform the complainant of the outcome …" The similarities with the language of Article 57(1)(f) are obvious, although in this context there does not appear to be any obligation to perform these tasks free of charge.
  27. Section 166 is headed "Orders to progress complaints". It applies to a case in which a data subject has made a complaint under Article 77 of the UK GDPR or under s 165 of the DPA 2018, and the Commissioner has failed "to take appropriate steps to respond" or "to provide the complainant with information about progress on the complaint, or of the outcome of the complaint" within a specified time period. In such a case the First-tier Tribunal has power to order the Commissioner to take appropriate steps "to respond to the complaint" or to inform the complainant "of progress on the complaint, or of the outcome of the complaint" within a period specified in the order. The order may require the Commissioner to take specified step, or to conclude the investigation, or to take a specified step within a specified period.
  28. The data subject's right to bring a direct claim against the alleged infringer is provided for by Article 79 of the UK GDPR, headed "Right to an effective judicial remedy against a controller or processor". Article 79 provides:
  29. "Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with the Commissioner pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation."

    If the language does not seem wholly apt, the intention is clear. A data subject who "considers that" his or her rights have been infringed by non-compliant processing has the right to bring legal proceedings; a judicial remedy will be provided if the court or tribunal agrees that there has been an infringement which requires a remedy.

  30. That is more clearly reflected in s 167 of the DPA 2018, which appears in a part of the Act headed "Remedies in the court". Section 167 itself is headed "Compliance orders". It applies to a case where, on an application by a data subject, a court "is satisfied that there has been an infringement of the data subject's rights under the data protection legislation". In such a case the court has power to make an order "for the purposes of securing compliance" with the data protection legislation by requiring a data controller to take or refrain from taking specified steps. Section 167 therefore gives effect to Article 79, although it has wider effects because "the data protection legislation" is a defined term that embraces parts of the DPA 2018 as well as the UK GDPR: see ss 3(9) and 167(4).
  31. Case law

  32. There is no authority directly concerned with the questions that arise in this case. Mr Delo has however relied on two decisions of the CJEU. The first is Data Protection Commissioner v Facebook Ireland Ltd (Case C-311/18) [2021] 1 WLR 751, which was heavily relied on before the judge. The other is BE v Nemzeti Adatvédelmi és Információszabadság Hatóság, Case C-132/21, a judgment delivered in January 2023, after the judgment of Mostyn J.
  33. In Facebook Ireland the data subject alleged that the respondent company had transferred his personal data from Ireland to the United States in circumstances which made the data subject to surveillance laws that were incompatible with the Charter and/or EU data protection law. The data subject demanded that the supervisory authority exercise its powers under Articles 58(2)(f) and (j) of the GDPR. In proceedings brought by the Commissioner to determine his obligations the Irish High Court referred 11 questions to the CJEU for a preliminary ruling. Mr Delo relies on the CJEU's reasoning in support of its answer to question 8.
  34. The CJEU identified the essence of that question at [106]:
  35. "whether article 58(2)(f) and (j) of the GDPR must be interpreted as meaning that the competent supervisory authority is required to suspend or prohibit a transfer of personal data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority … the protection of the data transferred that is required by EU law, in particular by articles 45 and 46 of the GDPR and by the Charter, cannot be ensured, or as meaning that the exercise of those powers is limited to exceptional cases".

    The court's answer was that data transfers could be permitted in such circumstances if there was "a valid Commission adequacy decision" but that otherwise "the supervisory authority is required to suspend or prohibit a transfer of data to a third country … if, in the view of that supervisory authority … the protection of the data transferred that is required by EU law, in particular by articles 45 and 46 of the GDPR and the Charter, cannot be ensured by other means …": see [121].

  36. The issue in Facebook Ireland was clearly different from that which arises here. Mr Delo has however relied on passages in the Opinion of the Advocate General and the judgment of the court as supportive of his case. The Advocate General stated at [148] that the supervisory authority was "required to carry out in full the supervisory task entrusted to it". At [150] he observed that "The recognition of the right to a judicial remedy assumes the existence of a strict, and not purely discretionary, power on behalf of the supervisory authorities." In the judgment there are references to Article 57(1) of the GDPR and passages which discuss the role of the supervisory authority using the language of obligation. At [107] the court stated that "in accordance with … article 57(1)(a) of the GDPR the national supervisory authorities are responsible for monitoring compliance with the EU rules …" on data protection and therefore vested with the power to check whether transfers to third countries comply with the GDPR. At [109], the court referred to the duty imposed by Article 57(1)(f) and said that the supervisory authority "must handle such a complaint with due diligence". At [111], the court stated that "if a supervisory authority takes the view … that a data subject whose personal data have been transferred to a third country is not afforded an adequate level of protection in that country it is required … to take appropriate action to remedy any findings of inadequacy …" At [112], the court said that although the supervisory authority must determine what action is appropriate and necessary in all the circumstances it "is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence." Mr Delo also points to a passage at [147] of the court's judgment, stating that "as is clear from … Article 57(1)(a) the task of enforcing the [GDPR] is conferred, in principle, on each supervisory authority on the territory of its own member state".
  37. The decision in BE related to proceedings before the courts of Hungary. The data subject, BE, sought a copy of a sound recording made at a company general meeting which he had attended. The company provided only an edited extract. BE asked the supervisory authority to order the provision of the entire recording. When the authority declined to do so BE brought proceedings against it under Article 78. At the same time BE sued the company pursuant to Article 79. The court upheld the Article 79 claim but the proceedings against the supervisory authority remained pending. Domestic law provided that the court deciding that claim was not bound by the decision in the Article 79 proceedings. The Hungarian court, perceiving a risk of inconsistent decisions and legal uncertainty, referred several questions to the CJEU.
  38. The CJEU distilled the questions posed as follows (at [30]):
  39. "Whether Article 77(1), 78(1) and Article 79(1) of [the GDPR], read in the light of Article 47 of [the Charter] are to be interpreted as meaning that the remedies provided for in Article 77(1) and Article 78(1) of that regulation, on the one hand, and Article 79(1) thereof, on the other, are capable of being exercised concurrently with and independently of each other, or whether one of them has priority over the other."

    The court's answer was that Articles 77(1), 78(1) and 79(1), read in the light of Article 47 of the Charter (which guarantees the right to an effective judicial remedy) "must be interpreted" as permitting the remedies to be operated concurrently with and independently of each other.

  40. At [33]-[43] the court gave four main reasons for that conclusion: (1) this was the natural reading of the language of the three provisions in question which made clear that each remedy "must be capable of being exercised 'without prejudice' to the others" and laid down no order of priority or precedence; (2) this reading was borne out by the context: whereas the GDPR expressly regulated situations where the supervisory authorities or courts of several member states were simultaneously seised of related issues, there was no such regulation of simultaneous domestic complaints or claims; (3) it followed from Article 78(1) read in the light of recital 143, that "courts seised of an action against a decision of a supervisory authority should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them"; (4) granting data subjects the option to exercise the remedies concurrently with and independently of each other was consistent with the objectives pursued by the GDPR: recitals 10, 11 and 141 made clear that the aim was "to ensure a high level of protection of natural persons with regard to the processing of personal data" which required "the strengthening of the rights of data subjects" and a guarantee that those whose rights are infringed have "the right to an effective judicial remedy". The court added that these conclusions were supported by the obligations on Member States under the Treaty on the Functioning of the European Union and the Charter. Mr Delo relies on the court's third and fourth reasons.
  41. It is also relevant to note the CJEU's further conclusions at [45]-[57]. The court held that it was "for the Member States … to lay down detailed rules as regards the relationship between" the available remedies. It was therefore for the Hungarian court to determine how the remedies should be implemented in a situation such as that which had arisen in BE's case. Domestic rules and decisions on the issue should however "ensure the effective protection of the rights guaranteed by [GDPR] and the consistent and homogeneous application of its provisions" as well as the right to an effective remedy referred to in Article 47 of the Charter. The court observed that if domestic law allowed different courts considering claims under Articles 78 and 79 to reach contradictory decisions that would be at odds with the objective of homogeneous application expressly stated in Recital 10 of the GDPR and would weaken the protection given to natural persons and create a situation of legal uncertainty.
  42. As for domestic case law, we have been referred to a number of cases in which the Upper Tribunal has considered the meaning of s 166 of the DPA 2018. The most recent is Killock v Information Commissioner [2021] UKUT 299, [2022] 1 WLR 2241 in which a constitution composed of Farbey J (the President), UTJ West and Pieter De Waal decided three appeals raising similar issues.
  43. The UT reviewed three previous cases which had all decided that s 166 is procedural rather than substantive in its focus. The UT agreed. Its conclusions, accurately summarised in the headnote to the report, were that the remedy provided for by s 166 was "limited to the procedural failings identified in s 166", so that "on an application under s 166 the tribunal would not be concerned and had no power to deal with the merits of the complaint or its outcome which were matters for the Commissioner as the expert regulator": see [74]. The UT further held (at [87]) that s 166 is "a forward-looking provision, concerned with remedying ongoing procedural defects that stand in the way of the timely resolution of a complaint".
  44. The UT was not required to interpret the term "outcome" in Articles 57 and 77 but a clear indication of its view on that issue can be gleaned from its decision in the first of the three cases before it. In that case, the Commissioner investigated the data subjects' complaint and wrote to them to say that the "outcome" was to cease handling the complaint but to continue with a wider industry investigation which had been informed and assisted by the complaint. The data subjects complained that in reality this was not an "outcome" but a decision to take no further investigative steps, in breach of the duties imposed by s 165. The UT disagreed, holding that the Commissioner had complied with the statute holding (at [100]):
  45. "[T]he outcome of the complaint was contained in the Commissioner's letter … The quality, adequacy or merits of the Complaint outcome fall outside the scope of s 166 and outside the jurisdiction of the Tribunal".

    The Commissioner's role in practice

  46. The cases considered in Killock provide some evidence of how the Information Commissioner's Office ("ICO") operates in practice. The Commissioner has also put some factual material before the court on that issue. A witness statement was submitted from Mary Morgan, a Group Manager with responsibility for managing the teams handling all complaints to the ICO regarding the finance sector. She said that the legislation required the ICO to investigate to the "extent appropriate" and "to provide individuals with an outcome", which had been done in this case. She said the ICO has "a very broad discretion as to how we can handle complaints" and is often able to provide an outcome based on the evidence provided, without any need to contact the data controller. As a regulator, said Ms Morgan, "we have to be selective in the complaints we investigate further, concentrating on the cases which we believe give us the most opportunity to improve the information rights practices of organisations."
  47. In addition, the judge had regard to the page on the ICO website which tells people "What to expect from the ICO when making a data protection complaint", some statistical information drawn from the Commissioner's annual report, and the judge's own analysis of the implications of that information. We have been given further statistical information drawn from the latest ICO Annual Report. This was done informally, not in a witness statement. I do not need to detail or analyse this material here. It is enough to say the following.
  48. It is plain, and common ground, (1) that the ICO has been operating and continues to operate on the footing that when a data subject complains the Commissioner is not required to determine the merits of the complaint; a variety of other "outcomes" is possible and lawful, one of which is to "record the complaint without taking further action"; (2) that a decision in favour of Mr Delo would have at least some resourcing implications: a regime which called for more decisions would naturally take more time and require more staff and that would call for more money. The extent of the resourcing implications is a matter of dispute. It seems obvious to me that they would be considerable, but precisely what they would be, and whether this should have a bearing on our decision, are different questions.
  49. Mr Delo's claim

  50. The "Decision" complained of in Mr Delo's judicial review claim form is "The decision of the [Commissioner] to dismiss [Mr Delo's] complaint against [Wise] of infringement of Article 15…". The statement of facts and grounds advances three alternative grounds of review: (1) a failure "to determine the Claimant's complaint, in breach of the Commissioner's statutory duty to do so"; or (2) a failure "to conduct a lawful investigation" in accordance with the statute; or (3) error of law in the decision-making process. The remedies sought are an order quashing the Decision and a mandatory order requiring the Commissioner to reopen its investigation into the complaint or to re-take the Decision.
  51. An alternative remedy?

  52. As I have said, the Commissioner has failed to persuade me that this appeal and the underlying claim should be dismissed on the grounds that Mr Delo has an adequate alternative remedy. I should expand on the brief reasons I have given already.
  53. Judicial review being a discretionary remedy of last resort, arguments about whether there is an adequate alternative remedy often feature at the permission stage. But as the Commissioner points out, the existence of an alternative remedy can in principle justify the dismissal of the claim even if it proceeds to a full substantive judicial review hearing: R (Glencore Energy UK Limited) v Revenue and Customs Commissioners [2017] EWCA Civ 1716, [2017] 4 WLR 213 [52]-[58], [71] (Sales LJ).
  54. In the present case, the Commissioner put forward two alternative remedies in pre-action correspondence: a direct claim against the data controller under s 167 of the DPA 2018 and a complaint to the Parliamentary and Health Service Ombudsman ("PHSO"). The court was not persuaded that either provided a reason to refuse permission and the claim was allowed to proceed. The Commissioner nonetheless adhered to the alternative remedy point. By the time of the substantive hearing he had abandoned reliance on the PHSO. But he maintained his contention in response to Ground 1 that Mr Delo had an alternative remedy via his direct claim against Wise. By amendment of his Grounds of Resistance he added a new argument: that the claims under Grounds 1 and 2 could and should have been pursued by means of an application to the First-tier Tribunal under s 166 of the DPA 2018.
  55. The judge rejected the argument under s 166, holding (at [128]) that the powers conferred on the FtT by that section:
  56. "… would not extend to telling the Commissioner that he had to reach a conclusive determination on a complaint where the Commissioner had rendered an outcome of no further action without reaching a conclusive determination… section 166 by its terms applies only where the claim is pending and has not reached the outcome stage."

    The judge endorsed the reasoning of the FtT in Killock. He found that the same reasoning applied to this case, which was in substance a claim for a merits-based outcome rather than a complaint about the Commissioner's procedural approach. The judge's full reasoning on this aspect of the case is to be found in paragraphs [46]-[47] and [128]-[134]. The judge did not directly address the Commissioner's reliance on the s 167 claim against Wise as affording an alternative remedy. He did hold (at [145]) that the existence of that claim provided the Commissioner with additional justification for providing an outcome of the kind he did.

  57. The Commissioner now advances a sophisticated argument about the scope of s 166 which does not appear to have been advanced to the UT in Killock and was not advanced at the permission stage in this case. Mr Delo says the argument was not advanced at the final hearing either. The Commissioner maintains that it was. If so, there is no trace of it in the judgment.
  58. The Commissioner submits that the judge was wrong to hold that s 166 applies only where a complaint is "pending" and has not reached an "outcome". A data subject is always entitled to complain to the FtT of any failure by the Commissioner to "handle" a complaint or to "take appropriate steps" to respond to it (such as to investigate "to the extent appropriate"). These rights are not taken away just because the Commissioner complies with his duty to provide an "outcome". So, a data subject who complains that the Commissioner has provided an "outcome" without first "handling" the complaint or taking "appropriate steps" to respond or investigate it can rely on s 166. In such a case, the FtT has jurisdiction. Judicial review is not necessary or appropriate.
  59. All the more so, says the Commissioner, when s 167 creates the potential for a claim to enforce the provision of subject access by the data controller. That, it is submitted, is a direct means of providing what a claimant such as Mr Delo is ultimately after when he seeks to enforce his rights against the Commissioner via an application to the FtT or a claim for judicial review. All of this is said to apply equally if, as Mr Delo contends, the obligation to provide the data subject with an "outcome" means that the Commissioner must determine the merits of the complaint.
  60. I can see the logic of the argument about the scope of s 166. And it may be that in a case where s 166 does not avail the claimant (because his grievance is about the "outcome" of a complaint to the Commissioner) a private law claim against the data controller under s 167 could be considered an adequate alternative to judicial review. I am not convinced that refusal of judicial review on that basis would necessarily be at odds with the CJEU's reasoning in BE. But I do not think this is the right case in which to decide these points.
  61. The Commissioner's argument about the effect of s 166 is an important one but it is subtle and it was raised belatedly. He evidently failed to make it clear in the court below. We do not have the benefit of the lower court's assessment of that contention. Nor, as it happens, do we have the lower court's view on the s 167 argument. Whatever their merits, those arguments would provide no answer to Mr Delo's Ground 3, so a judicial review claim was the only means of pursuing that aspect of the claim. And for reasons I have already given, the public interest favours a decision from this court on all the substantive issues raised by the appeal.
  62. The first main issue: what are the Commissioner's responsibilities?

    The judge's reasoning

  63. At [6]-[7], the judge reviewed and analysed the figures for complaints and staffing set out in the ICO's Annual Report, concluding that if the ICO had to investigate every complaint fully and reach a final conclusion on each and every one the delays and pressure imposed on the workload "would become extreme and take the system to breaking point if not beyond". He said, however, that this was a political problem not one for the court to resolve. If the law was that the Commissioner must investigate and reach a final conclusion on every complaint then Recital 120 required the government to provide the necessary resources.
  64. At [8] - [58] the judge examined the history of data protection law from 1984 to date, concluding that this gave "with certainty an illumination of the meanings of the relevant provisions of the UK GDPR". He noted the provisions of the 1984 Act and the DPA 1998 about the obligations of the supervisory authority. He considered that these gave that authority a discretion to undertake a "light-touch" summary consideration of a complaint without determining its merits. He considered the UK GDPR to be "a codifying, consolidating and updating measure" which made no material change to the role of the supervisory authority. He said there was nothing to suggest that the legislature had intended to change the previous law about the handling of complaints: "The treatment of such complaints by the Commissioner, as before, remains within his exclusive discretion."
  65. In this section of his judgment the judge addressed (at [48]-[50]) Mr Delo's argument that it was at least implicit in the CJEU's reasoning in Facebook Ireland that the obligation on a supervisory authority to take "appropriate action" entails a duty to investigate to the point of reaching a conclusion on whether the complaint discloses a breach of data rights. The judge rejected the argument, considering it to be a "red herring" because (1) unlike Facebook Ireland, the present case is not about the exercise of the Commissioner's extensive investigative powers under Article 58; (2) the CJEU was concerned with the "effective judicial remedy" provided for by Article 58(4), not Article 78; and (3) Article 58(4) is not part of UK law.
  66. At [59] the judge turned to what he saw as the central question, namely whether Article 57(1)(f) "contains an implicit instruction to the Commissioner requiring him to investigate, to the extent necessary to reach a conclusive determination, each and every complaint made under Article 77.1". Between [60] and [72] he approached the question of interpretation "literally, purposively and contextually", concluding that each method of construction led to the same answer.
  67. (1) The express words of Article 57(1)(f) required the investigation to be carried out "to the extent appropriate". This reflected Recital 141, which required the investigation to be carried out "to the extent that is appropriate in the specific case". This language meant, clearly and unambiguously, that "the Commissioner decides on each complaint what the appropriate extent of the investigation should be". It followed that he has an equivalent power to determine the form of the outcome.

    (2) A purposive approach, taking account of the Commissioner's role and functions, the task of handling complaints which is allotted to him, and the legislative history pointed "inexorably" to the same conclusion.

    (3) A contextual or inferential construction led clearly to an interpretation that allows the Commissioner to decide, after investigating a complaint to a limited extent, that no further action should be taken on it. This was for two particular reasons. First, a close and careful reading of Recital 141 in conjunction with Article 78(2) showed that "an outcome of no action (or no further action) was within the lawful powers of the Commissioner". Secondly, Mr Delo had accepted that the Commissioner can summarily reject, with minimal investigation, a complaint that is clearly spurious, vexatious or abusive. If that was so "it must follow that it was a lawful exercise of power for the Commissioner to decide after investigating a complaint to a limited extent that, although it was not spurious, nonetheless no further action should be taken on it."

  68. The judge went on to say (at [72]-[84]) that if he had any lingering doubts – which he did not - they would be "banished" by the terms of the DPA 2018. He focused on two provisions. First, he assessed s 115. He considered that in that provision Parliament had "specifically highlighted the Commissioner's advisory and educational role", emphasising that the complaints powers under Articles 57 and 77 were "bundled up and march hand-in-hand with these chief functions". Secondly, the judge reviewed s 165. He considered it clear that Parliament had intended to place a complaint under s 165(2) "on what it perceived to be the same footing as a general complaint under Article 77(1)". Parliament had not said that the Commissioner had to render a conclusive determination of a s 165(2) complaint. It would be "bizarre" if the Commissioner was fixed with a more rigorous standard in respect of a complaint under Article 77(1).
  69. For all these reasons the judge concluded at [85] that the legislative scheme was one that "requires the Commissioner to receive and consider a complaint and then provides the Commissioner with a broad discretion as to whether to conduct a further investigation and, if so, to what extent. … This discretion properly recognises that the Commissioner is an expert Regulator who is best placed to determine on which cases he should focus."
  70. The appeal

  71. Eight main points have been debated in the argument in this court. I can deal quite briefly with two of them.
  72. (1) Legislative history. Before us it is common ground that the UK GDPR was not a "codifying, consolidating, or updating measure" and that the predecessor legislation does not cast any light on the issues for decision. Neither party submitted to the judge that it did. Investigation of the legislative history was undertaken on the judge's own initiative after the hearing. When giving judgment he had the benefit of an agreed note about the earlier provisions but no submissions from either party. Mr Delo argues that the judge's reasoning on this point was flawed in several respects and that his conclusions were wrong. The Commissioner does not argue the contrary. I accept that the judge was wrong to place reliance on this point.

    (2) Resources. The argument for the Commissioner has laid considerable emphasis on resource implications as a factor that favours a narrower interpretation of the responsibilities imposed by the UK GDPR and DPA 2018. But I do not think we can place any significant weight on this. As the judge pointed out, the financial implications could not provide the answer to the question of law. They might in principle be one factor for consideration when deciding what the legislature intended by the words it used. But the facts relied on by the Commissioner are limited; most of them have never been formally put in evidence; the judge placed no reliance on this point; and it is not covered by the respondent's notice. Counsel for Mr Delo was in some understandable difficulties in confronting this argument at short notice. I would accept his invitation to put the issue to one side.

  73. What remains are six points about the language of the UK GDPR itself and the two CJEU decisions I have mentioned. These are relied on individually and cumulatively as indicators that the legislative intention was to impose a duty on the Commissioner to determine the merits of any complaint. The points, in the order they were presented on behalf of Mr Delo, are these.
  74. (1) Article 77(1). It is submitted that the right to "lodge a complaint" with the Commissioner implies a corresponding duty on the Commissioner to decide whether the complaint is well-founded or not. That is, he argues, the natural and logical implication; clear language would be required to exclude it. The Commissioner's role, submits Mr Delo, is to operate a dispute resolution mechanism.

    (2) GDPR Policy. Mr Delo relies on the decision in BE for the proposition that the UK GDPR requires a "high level of protection" for the rights of data subjects, and the right to complain to a supervisory authority free of charge must be an "effective alternative" to bringing legal proceedings against the data controller. That would not be so, it is argued, if the supervisory authority could lawfully decide not to investigate a complaint, and to reach no conclusion as to whether it disclosed an infringement of the data subject's rights.

    (3) Facebook Ireland. Mr Delo contends that the judge was wrong to dismiss this case as a "red herring". It is the only relevant authority on the central question and the judge's reasons for distinguishing the case do not withstand careful scrutiny. Mr Delo relies on the passages I have mentioned as containing "important guidance" on the interpretation of the Commissioner's duties vis-à-vis complaints. We are invited to conclude that a duty to decide the merits of complaints is implicit in the Commissioner's "responsibility" to "ensure enforcement" with "all due diligence" and his "task" of "examining" complaints.

    (4) Article 78. It is argued that in conferring rights to an "effective judicial remedy" against acts or omissions of the Commissioner the legislature assumed that the Commissioner would decide whether or not an infringement of GDPR rights has taken place. These provisions would be "emasculated" if any other interpretation were adopted.

    (5) Article 57(1)(f). Mr Delo submits that this does not contain any of the "clear language" that would be needed to displace the natural interpretation of Article 77, and to indicate that the Commissioner need not determine a complaint on its merits. The proper interpretation of Article 57(1)(f) is that the Commissioner is obliged both to investigate and to determine any non-spurious complaint. The word "investigate" is not, as the judge held, an indication that the Commissioner could properly stop short of a final determination; it merely states what the Commissioner must do before reaching a conclusion on whether or not there has been an infringement. The word "outcome" can cover the rare case where there is no need for a decision.

    (6) Article 79. Mr Delo says that an actual or potential claim against the data controller is a separate and distinct matter which should not affect or qualify the Commissioner's duty to determine a complaint or the right to an effective judicial remedy if the Commissioner fails to do so. The Article 79 right is expressly stated to exist "without prejudice" to other remedies and, as BE confirms, the rights under Articles 78 and 79 can be operated independently and concurrently. The one should not exhaust or preclude the other.

    Discussion

  75. The UK GDPR and relevant EU case law pre-dating IP completion day are all "retained EU law" and binding on us: see Open Rights (above) at [12(1)] and ss 5(2) and 6(1) of the European Union (Withdrawal) Act 2018 ("EUWA"). It has been settled EU case law for a very long time that provisions of EU law must be given an autonomous interpretation, independent of any rules or principles of the law of any member State; and that in arriving at that interpretation it is necessary to consider the wording of the provision, its context, and the objectives pursued by the legislation of which it forms part.
  76. The wording on which we have to focus is that of Articles 57, 77 and 78 of the UK GDPR, all of which deal in one way or another with the duties owed by the Commissioner and the rights enjoyed by data subjects with regard to the Commissioner. As the question before us concerns the duties of the Commissioner, it makes sense to start with the "tasks" listed in Article 57. As the specific question concerns the Commissioner's tasks in respect of complaints I would begin with Article 57(1)(f).
  77. For present purposes the most striking point about the language of that provision is that it does not contain any words that are redolent of decisions on the merits of a complaint. Article 57 does not adopt any of the familiar ways of designating a decision-making function. We are not told that the Commissioner must (for instance) adjudicate, decide, determine, rule upon, or resolve a complaint, or that complaints must be "upheld" or not upheld by the Commissioner. Rather, we are told that the Commissioner must "handle" a complaint. He must "investigate the subject-matter of the complaint" but even then only "to the extent appropriate". He must "inform" the complainant of the "progress" of the complaint and its investigation and its "outcome".
  78. The same points can be made about Articles 77 and 78. Article 77(2) does not state that the data subject who exercises the Article 77(1) right to lodge a complaint is entitled to have the Commissioner adjudicate, or decide, or determine or resolve that complaint. It states that the Commissioner "shall inform" the complainant "on the progress and the outcome" of the complaint. No remedy is identified other than an "outcome". Article 78 does confer a right to an "effective judicial remedy" but it does not say there must be such a remedy where the Commissioner fails to determine the merits of a complaint. The conduct for which Article 78 requires an effective judicial remedy is failure to "handle" the complaint or to "inform" the data subject of its "progress" or "outcome".
  79. These are all distinctive and unusual words to use in a context of this kind. As Mr Delo submits, a regulatory scheme usually provides for decisions to be made by the regulator. A dispute resolution mechanism calls for a definitive conclusion of the dispute. But in my view these are points against the interpretation advocated by Mr Delo rather than in favour of it. If this were domestic UK legislation intended to impose on the Commissioner a duty to reach and pronounce a decision on the merits of all complaints lodged by data subjects, in the same way that a court or tribunal would be bound to do if seised of a disputed allegation of infringement, then one would expect to see language of the kind I have mentioned at [60] above. From the perspective of an English lawyer, the absence of any such language and the use of the quite different terminology which I have highlighted are both remarkable features of Articles 57, 77 and 78. Making all due allowance for differences between the legislative methods of the UK and the EU, these are indications – and in my opinion strong ones – that the legislative intent was not to require the Commissioner to determine every complaint on its merits.
  80. In my view, contrary to Mr Delo's submissions, the ordinary and natural interpretation of the language used in these provisions is that the Commissioner's principal obligations are to address and deal with every complaint by arriving at and informing the complainant of some form of "outcome", having first investigated the subject matter "to the extent appropriate" in the circumstances of the case. There are also second tier obligations, to inform the complainant of the progress of the investigation and of the complaint.
  81. An "outcome" must be the end point of the Commissioner's "handling" of a complaint. A conclusive determination or ruling on the merits that brings an end to the complaint is certainly an "outcome" but that word is intended to have broader connotations. In Killock, the Upper Tribunal decided, in my view correctly, that it embraced a decision to cease handling a specific complaint whilst using it to inform and assist a wider industry investigation. In the present case, Mostyn J held that the word "outcome" is an apt description of the Commissioner's decision to conclude his consideration of Mr Delo's complaint by informing him of the Commissioner's view that the conduct complained of was "likely" to be compliant with the UK GDPR (or, put another way, that the complaint of infringement was "likely" to be ill-founded). Again, I would agree with that.
  82. Turning to the context in which those provisions appear, my view is that this lends some support to the linguistic interpretation I have identified. I do not consider that the context or the authorities relied on support Mr Delo's case.
  83. Recital 141 makes clear that the Commissioner has a broad discretion to decide the intensity of any investigation, according to the facts of the matter: "the investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case." Recital 141 goes on to state that data subjects must have a judicial remedy available to them "where the supervisory authority does not act on a complaint" or "does not act where such action is necessary to protect the rights of the data subject". This language clearly requires a remedy for a complete failure to act on or, in the words of Article 57, "handle" a complaint. However, Recital 141 plainly contemplates a case in which the supervisory authority does "act on" or handle a complaint but having done so ends up taking no action upon it. In such a case a judicial remedy is only required if action by the supervisory authority was "necessary" to protect the data subject's rights.
  84. Recital 143 requires that any natural or legal person should have a judicial remedy against "a decision of a supervisory authority which produces legal effects concerning that person". Illustrative examples of decisions which might fall within that category are given, including "the dismissal or rejection of complaints". The recital goes on to say that the right to a judicial remedy "shall not encompass measures … which are not legally binding, such as opinions issued or advice provided…" This supports a reading of Article 77 which confines the judicial remedy in cases of complaints by data subjects to those in which the Commissioner makes a legally binding decision dismissing or rejecting the complaint on its merits (Article 77(1)) and those where the Commissioner fails to perform his duties to "handle" and "inform" (Article 77(2)). The recital conspicuously does not suggest that a data subject has a judicial remedy in any and every case where the Commissioner handles and investigates a complaint but resolves to take no action.
  85. Some reliance has been placed on Article 57(1)(a), and what was said about it in Facebook Ireland. I have not found this persuasive. The provision itself is very broad. To interpret it as imposing a blanket obligation to enforce the UK GDPR in every case of alleged non-compliance would in my view be extravagant. As for Facebook Ireland, it is always necessary to be cautious about extrapolation from decisions on different issues. Particular caution is appropriate when it comes to decisions of the CJEU, the traditions and methods of which are quite different from those of England and Wales. As Elisabeth Laing LJ observed in Balogun v Secretary of State for the Home Department [2023] EWCA Civ 414 at [117]:
  86. "First, it is hard to derive reliable general principles from decisions of the Court of Justice, which, necessarily, answer a question or questions which have been referred by a national court, and which have been referred on the facts of a particular case. Second, the reasoning in the decisions of the Court invites selective readings of sentences or paragraphs which make it harder, not easier, to work out what the relevant principles are."

    Moreover, the language of any CJEU decision needs to be considered in its full and proper context.

  87. Facebook Ireland was a case about the enforcement duties of a supervisory authority in a case of continuing non-compliance with the GDPR. More specifically still, it was about whether the supervisory authority could lawfully refrain from action to prevent the export of personal data to a foreign state, beyond the reach of the Irish authorities, where the data subject's rights would be in peril and might be set at naught with no prospect of a remedy. The case would appear to be one where the protection of the rights of the data subject made it imperative for the supervisory authority to exercise the powers conferred by Article 58(2).
  88. In the light of these points, I do not think we get any real help from broad statements such as that made by the court at [108], that the primary responsibility of a supervisory authority is "to monitor the application of the GDPR and to ensure its enforcement". The same is true of the other passages from the judgment that are relied on by Mr Delo. As for the statement in paragraph [148] of the Advocate General's Opinion that the duties of the supervisory authority are "strict" and not purely discretionary, this seems to me no more than a way of putting the uncontroversial proposition that the authority's decisions on whether or not to pursue enforcement action cannot be immune from judicial review. Similar reasoning applies to the other passages relied on by Mr Delo.
  89. I see force in the point made by the Commissioner that the highly regulated and formal nature of the investigative powers conferred upon him tells against Mr Delo's construction. To take two examples, Article 58(1)(a) allows the Commissioner to order a data controller to provide information but that can only be done by an Information Notice which is appealable to the Information Tribunal: see s 115(5) of the DPA 2018. Section 115(7) of the DPA 2018 provides that the power under Article 58(1)(e) to obtain access to personal data necessary for the performance of the Commissioner's tasks is subject to detailed regulation via Section 146 and Schedule 15 of the 2018 Act. It is inherently improbable that a legislator which intended to impose on the Commissioner a decision-making duty equivalent to that of a court or tribunal would establish a regime of this kind.
  90. I fail to see the force of Mr Delo's argument in reliance on Article 79. That article confers a right to a judicial remedy for infringement by data controllers and processors. That right is distinguished from "the right to lodge a complaint" under Article 77 which is identified as an "available administrative or non-judicial remedy" (emphasis added). Article 79 makes clear that the Article 77 right or remedy is not to be prejudiced by the exercise of the Article 79 right. These rights can be exercised concurrently. But Article 79 says nothing about the Article 78 right to an effective judicial remedy against the Commissioner. It does not state that the pursuit of an Article 79 claim shall not prejudice the pursuit of another judicial remedy, under Article 78 or otherwise. These drafting points seem to me to lend a degree of support to the interpretation I have identified. They suggest that there is at least room – in appropriate circumstances - for prioritising the data subject's right to make a direct claim against the data controller over his Article 78 right to claim against the Commissioner.
  91. That brings me to the CJEU's decision in BE. That case is authority that as a matter of EU law the rights and remedies provided for by Articles 78 and 79 are not mutually exclusive; the pursuit of one does not of itself preclude the pursuit of the other; they may be operated independently of one another and concurrently. As a decision handed down after IP Completion Day, BE is not binding on us; but we can "take account" of it: s 6(2) of EUWA. I would do so. I have some reservations about the decision in the light of the point I have just made about the language of Article 79, which does not appear to have featured in the court's reasoning. But it is not necessary to express disagreement with the CJEU. It is enough to note that the court did not go further than to say that the two remedies are separate and distinct and can be exercised independently and concurrently. It does not follow, nor did the CJEU decide, that it is always legitimate to do that and that a court must always allow it.
  92. The overriding point in BE was that the domestic regime as a whole must meet the overall objective of the GDPR of providing "a high level of protection of rights", meaning the substantive data protection rights conferred on individuals. For that reason, the court held, there can be no rigid rule of EU law that the pursuit of a claim against the data controller or even a judgment on such a claim makes it illegitimate to continue with a claim against the supervisory authority. A decision on the interaction between the remedies in the particular circumstances of a given case should be made by the courts of the member state. Those courts should have "full jurisdiction" so that they can take whatever action they deem necessary to achieve the overall objective. The CJEU would not interfere with a decision of that kind provided the domestic court had fulfilled its duty to ensure that (as the Court put it at [51]) "the practical arrangements for the exercise of the remedies provided for in Article 77(1), Article 78(1) and 79(1) of the [GDPR] do not disproportionately affect the right to an effective remedy before a court or tribunal referred to in Article 47 of the Charter." The CJEU was alive to the risk that parallel claims might lead to conflicting decisions which would create legal uncertainty. As I read the decision, the court contemplated that a national court facing such a dilemma might in principle address it by staying or declining a remedy in the Article 78 claim.
  93. Further, and crucially, the CJEU did not decide in BE that the Article 78 remedy is a cost-free proxy for or alternative to a direct claim under Article 79. The mere fact that it is permissible in principle for claims to be pursued concurrently against the data controller or processor and the supervisory authority says nothing about the content of the duties owed by the latter. Those, as it seems to me, are to be identified by focusing on the language of Articles 57, 77 and 78, as I have done above.
  94. Standing back, it is worth noting that the functions assigned to the Commissioner by the UK GDPR and DPA 2018 are not those of a regulator with exclusive competence over all matters of compliance, subject to judicial supervision. Still less is the Commissioner designated as an adjudicatory authority with exclusive jurisdiction. The role of the Commissioner is described in the recitals to the UK GDPR and in the body of the EU GDPR as "supervisory". The list of "tasks" in Article 57 is a long one that includes promoting awareness, providing information and advice about rights, and a wide range of other functions that have no adjudicatory content.
  95. The Commissioner is plainly expected to bring specialist knowledge and expert judgment to bear in performing these functions. But as I have shown, there is nothing that spells out any duty to reach a conclusion on the merits of every complaint. The Commissioner's functions in respect of compliance sit alongside those of the courts and tribunals. The Information Tribunal has enforcement powers in respect of the Commissioner's complaints-handling procedures. The High Court has powers to review the lawfulness of the Commissioner's decision-making. Of the provisions under discussion the only one which plainly does require a conclusive decision to be made on the substantive merits of an allegation of non-compliant processing is Article 79. In that context the decision-making role is assigned to a court or tribunal.
  96. When legislating for the Commissioner to operate a system of complaint handling in respect of alleged infringements of Parts 3 and 4 of the DPA 2018, Parliament adopted the terminology of Articles 57 and 77 of the UK GDPR. Section 165 of the DPA 2018 requires the Commissioner to "inform the complainant of the outcome" of their complaint having taken "appropriate steps to respond" to it, which includes "investigating the subject matter … to the extent appropriate." Mostyn J treated this as an important factor in the interpretation of the UK GDPR provisions at issue. I am not convinced he was right to do so. The most likely explanation is that the draftsman was seeking to replicate the wording of the GDPR so as to bring the two systems of complaint handling into line with one another. That is a decision which seems equivocal as to the true interpretation of the GDPR provisions. What can perhaps be said is that there is nothing in the language of s 165, or for that matter s 166, to suggest that Parliament read the GDPR as requiring the Commissioner to determine the merits of complaints. I would certainly conclude that the DPA 2018 provides no independent support for Mr Delo's case. But I would regard that as no more than a makeweight point. My own assessment is grounded in the language of the UK GDPR provisions relating to general processing.
  97. Finally, on this issue, I turn to the objectives of the legislation or, as Mr Delo puts it, GDPR policy. I do not think these point in favour of Mr Delo's argument. I would accept that one of the main aims of the UK GDPR is to ensure a high level of protection of natural persons with regard to the processing of their personal data. Recitals 6 and 10 say as much. Recitals 7and 11 also tell us that the system should be "strong", "coherent" and "effective". It by no means follows, however, that the complaints-handling mechanism provided for by Articles 57 and 77 falls to be interpreted as a straight alternative to or proxy for a direct claim against the data controller who is alleged to have infringed the rights of the data subject. In my view that is too simplistic an approach. As indicated by the CJEU decisions cited to us, there may sometimes be cases in which the Commissioner cannot decline to act. But there may be more than one way in which the overall legislative objective can be met on the facts of an individual case. It makes perfect sense to delegate the decision on that question to the Commissioner. Such decisions would be subject to judicial review for lawfulness, but not otherwise.
  98. For the reasons I have given I would uphold the conclusion of the judge at [85] that the legislative scheme requires the Commissioner to receive and consider a complaint and then provides the Commissioner with a broad discretion as to whether to conduct a further investigation and, if so, to what extent. I would further hold, in agreement with the judge, that having done that much the Commissioner is entitled to conclude that it is unnecessary to determine whether there has been an infringement but sufficient to reach and express a view about the likelihood that this is so and to take no further action. By doing so the Commissioner discharges his duty to inform the complainant of the outcome of their complaint.
  99. The second main issue: did the Commissioner act unlawfully in this case?

    The essential facts

  100. These are summarised in paragraphs [87] - [100] of the judgment below, which I gratefully reproduce:
  101. "87…. On 1 August 2018 Wise provided [Mr Delo] with an electronic account to facilitate currency conversion. It also provided him with a debit card allowing expenditure in foreign currencies.
    88. On 10 November 2020, [Mr Delo] transferred £30,000 from his account with HSBC in Hong Kong to his Wise account to convert to Hong Kong Dollars ("HKD"), from where the converted funds were to go to his account with the Bank of China ("BOC account"). Wise effected these instructions the next day on 11 November 2020. Later that day, [Mr Delo] transferred £270,000 into his Wise account from his HSBC Hong Kong account, instructing Wise to convert that sum into HKD and to transfer it to his BOC account.
    89. Wise did not action [Mr Delo's] instruction and instead asked him to provide information on the source of the funds to be transferred and the purpose of the transfer. [Mr Delo] provided that information on the same day. On 19 November 2020, Wise informed [Mr Delo] that it was deactivating his account. On that day, [Mr Delo] submitted a … DSAR… to Wise, asking to be provided with a copy of the personal data it held about him.
    90. On 23 November 2020, Wise submitted a suspicious activity report ("SAR") regarding [Mr Delo] to the National Crime Agency ("NCA").
    91. Wise responded to the DSAR on 18 December 2020, providing [Mr Delo] with copies of some of documents but it did not provide by any means all of [Mr Delo's] personal data that it had processed or was processing. It did not provide the suspicious activity report or any internal communications regarding [Mr Delo]. The covering letter from Wise stated:
    "The information is complete to the best of our knowledge […] Please note that some information may have been exempted in accordance with the GDPR and is therefore not subject to disclosure through the Right of Subject Access."
    92. [Mr Delo] did not consider that Wise's response complied with its obligations under Article 15 UK GDPR. He therefore wrote to Wise on 18 January 2021 arguing that its response was deficient and requiring it to fulfil its obligations. Wise's response on 21 January 2021 was that it had "determined that [its] original response remains the same in line with the provisions of the GDPR and Data Protection Act 2018."
    93. On 4 February 2021, Wise submitted a further SAR regarding [Mr Delo] to the NCA. [Mr Delo] then received a letter from Thames Valley police on 15 February 2021 to inform him of their investigation into the source of his funds in a Wise account. Wise submitted a third SAR to the NCA on 22 March 2021.
    94. On 25 June 2021, [Mr Delo] again wrote to Wise requiring it to comply with what he saw as its legal obligations under Article 15 GDPR. On that same day [Mr Delo] filed his first complaint with the Commissioner, asking the Commissioner to require Wise (i) to disclose all documents responsive to his DSAR which Wise had unlawfully withheld, including all [SARs] filed, and all materials recording Wise's decision to close the account ("the documents"), and (ii) to identify and explain the exemptions on which it sought to rely.
    95. On 30 July 2021, Wise wrote to [Mr Delo] informing him that they had filed three SARs about him with the NCA. They further informed the Claimant that they
    "…may rely on exemptions including, pursuant to the Data Protection Act 2018, schedule 2, part 1, paragraph 2 (crime and taxations) and paragraph 5 (information required to be disclosed by law) …"
    to justify withholding disclosure of the Claimant's personal data.
    96. On 12 October 2021, the Commissioner decided to take no further action on [Mr Delo's] first complaint. His justification was that the scope of [Mr Delo's] DSAR was too widely drawn and supported Wise's contention that it was exempt from giving the disclosure under the DPA, as this disclosure would reveal information regarding Wise's internal business processes or measures.
    97. On 22 October 2021, [Mr Delo] again wrote to Wise asking it to comply with its obligations under Article 15 of the UK GDPR. On the same day, [Mr Delo] made a second complaint to the Commissioner about Wise, asking the Commissioner to reconsider his decision of no further action, and stating that if his position remained unchanged, then [Mr Delo] would apply to the court to review their final decision.
    98. [Mr Delo] asked the Commissioner to reconsider on the basis that he (the Commissioner) must have misunderstood or mischaracterised the scope of his request to Wise: he was not asking it to explain its decision to close his account but, rather, was seeking disclosure of the documents which named him (and which therefore included his personal data) recording the decision and the reasons for it.
    99. [Mr Delo] further invited the Commissioner to reconsider his decision arguing that there was no exemption in law entitling the withholding of data which contains information regarding business processes, and that Wise could have redacted words or proposed a confidentiality agreement if that was the case. The Claimant also complained that the Commissioner had not addressed Wise's failure to disclose the SARs.
    100. On 24 November 2021, the Commissioner dismissed [Mr Delo's] second complaint. …"
  102. Mr Delo then challenged the November decision by way of a letter of claim and, in due course, this judicial review claim.
  103. The Commissioner's decisions

  104. The Commissioner's first decision of 12 October 2021 set out "Our view". This was: "Having reviewed the correspondence provided, in our view it is likely that TransferWise have complied with their data protection obligations." The letter went on to explain that Wise was not obliged under the data protection legislation to explain to Mr Delo why they had decided to close his account or how it had reached that decision. The letter also noted that within the correspondence provided to the Commissioner there was "reference to the prevention of crime exemption." The Commissioner assumed this was the Crime and Taxation Exemption, the effect of which he summarised. The letter went on to state that "The organisation is not required to tell an individual what exemption has been applied and why if this would undermine the exemption, for example in prejudicing a criminal investigation."
  105. The second decision dated 24 November 2021 reaffirmed this position. It identified the two grounds put forward by Mr Delo for seeking a review of the case and responded as follows:
  106. "Your request for a review of the case would appear to be on two grounds. Firstly, you believe that [Wise] must disclose the exemption(s) they have used and should in particular provide details of the [Suspicious Activity Report] …. Secondly, you believe that they should provide documents recording their decision to close the account and their reasons for this… I have addressed both concerns below.
    1) The ICO provides guidance to organisations on the use of exemptions. You believe that a [SAR] was completed by [Wise] but that details of this have not been provided as they have used the crime and taxation exemption under the prevention or detection of crime. Our guidance states that an organisation needs to judge whether complying with the SAR would prejudice the purpose of the document. They are satisfied that they have done this and there is no requirement for them to explain the exemption used to an individual.
    2) Although [Wise] would be required to provide details of any document regarding the decision to close Mr Delo's account if it contained his personal data, they would again need to judge whether disclosure of such would prejudice the reasons for the decision. Again, they are also not required to state and explain the exemption if it would prejudice the purpose of the data/document.
    There is no evidence to suggest that [Wise] have a blanket approach as they appear to have made a decision based on the information on this particular SAR and also confirmed on 8 February 2021 that they had revisited their decision. Also, if they have made a considered judgement not to provide this data using the exemptions mentioned above, they would also be unlikely to agree to provide them confidentially to Mr Delo's advisors as you suggest."

    The judge's reasoning

  107. The judge said that although this was not explicitly spelt out, by implication the formal outcome of the complaint was one of No Further Action. The judge accepted the submission that the Commissioner had complied with all the obligations imposed on him. He had received and reviewed the complaint and the attached correspondence; formed the view that the case did not require further investigation; reached an outcome decision as set out in the letter of 12 October 2021; and, having confirmed that decision upon review, informed Mr Delo of the outcome "namely that no further action would be taken by the ICO against Wise." The Commissioner's decisions were "completely lawful, both in substance and procedurally". He was under no obligation to seek further materials from Wise or to reach a conclusive determination as to whether or not Wise had complied with its obligations. It was sufficient for the Commissioner "to conclude on the basis of the available information that it appeared likely that Wise had so complied."
  108. At the time of these decisions Mr Delo had yet to bring his civil claim against Wise but the Commissioner was aware that this claim was available to Mr Delo. On the facts of this case, said the judge, that was a further good reason for the Commissioner to have reached his decisions. He therefore dismissed the claim.
  109. The argument for Mr Delo

  110. The argument on this aspect of the appeal is that the Commissioner's decision was flawed by errors of logic or reasoning. Four main points are made: (1) Mr Delo's complaint raised matters of importance affecting the fundamental data protection right of Mr Delo, with the potential to affect a large number of other customers of Wise, which is a substantial financial organisation holding much personal data. (2) Wise had been the subject of numerous complaints in recent years. (3) In these circumstances it was impossible or irrational for the Commissioner to reach a conclusion on whether it was "likely" that Wise had complied with its obligations, or whether it had applied a "blanket" approach without conducting further inquiries to ascertain what data had been withheld and why. (4) It is not legitimate for the Commissioner to rely on the availability of a civil claim against Wise pursuant to Article 79 because the remedy against the Commissioner is a separate and independent and concurrent remedy.
  111. Having made these points Mr Delo contends that the judge erred in concluding that the Commissioner acted lawfully in failing to reach a conclusive determination of Mr Delo's complaint.
  112. Discussion

  113. The arguments outlined above are in substance an irrationality challenge to the Commissioner's decision-making. As emerged at the hearing the contention, stripped to its essentials, is that even if (as I have concluded) the Commissioner is not invariably required to conduct a detailed investigation or to reach a conclusive determination of the merits of every complaint, nonetheless the Commissioner was legally obliged to do both those things on the facts of this case. But this is an appeal against the judge's rejection of that contention. The appeal is not a re-hearing. It proceeds by way of a review. Although there has been criticism of the adequacy of the judge's reasoning, the ground of appeal is not that he gave insufficient reasons but that he was wrong. To succeed in that contention, Mr Delo has to identify one or more legal errors in the judge's assessment. I do not consider the judge committed any such error. Indeed, I consider his conclusions were right.
  114. There is no indication that the judge applied the wrong legal test to the decision-making of the Commissioner. In my judgment, his application of the law to the facts cannot be impeached.
  115. The judge plainly accepted the importance of the right at issue but rejected the central contention of Mr Delo, that the materials available to the Commissioner were insufficient to enable him to reach a rational decision about the likelihood that Wise had acted lawfully. The judge was entitled to reach that conclusion. I would have done the same.
  116. Mr Delo's solicitors provided the Commissioner with written submissions and a bundle of supporting materials running to 29 pages. This documented the entirety of the correspondence between, on the one hand, Mr Delo and his representatives and, on the other, Wise and the Thames Valley Police. The material we have been shown makes sufficiently clear that the following was apparent to or could reasonably be inferred by Mr Delo and the Commissioner: (1) Wise had "tipped off" the authorities that transactions on Mr Delo's account might involve some form of criminality; (2) Wise was maintaining that (a) it was legally obliged to take that action; (b) it could not comply with Mr Delo's DSAR without compromising the purposes of preventing or detecting crime; (c) Wise could not provide a further explanation without compromising those purposes; and (d) it was accordingly entitled to rely on the Crime and Taxation Exemption. In their submissions to the Commissioner Mr Delo's solicitors noted that he had been indicted by the US Department of Justice for alleged breaches of the Banking Secrecy Act but argued that this could not justify withholding his personal data from him, as it was of course a matter of which he was aware.
  117. This stance on the part of Wise is ostensibly legitimate. The Commissioner will have been aware of the other complaints referred to by Mr Delo. There is no evidence to suggest, nor has it been alleged, that these were ignored. The Commissioner's assessment that there was nothing to suggest that Wise had operated a blanket approach is legitimate on its face. Mr Delo has not identified any basis for supposing, rather than speculating, that a more detailed investigation might falsify that conclusion.
  118. I would also endorse the judge's conclusion that the right of a data subject such as Mr Delo to bring a direct claim against the data controller is a relevant consideration which lends support to the legitimacy of the Commissioner's decision. As I have made clear, I do not accept Mr Delo's argument that the Commissioner is obliged to operate the complaints regime as a cost-free alternative to a claim under Article 79. The Commissioner has a discretion. The funding obligation enshrined in Recital 120 is not to be read as a blank cheque, or as authorising unnecessary or wasteful regulatory action. It must be legitimate for the Commissioner, when deciding how to deploy the available resources, to take account not only of his own view of the likely outcome of further investigation and the likely merits, but also of any alternative methods of enforcement that are available to the data subject.
  119. I would therefore dismiss the appeal on this second ground also.
  120. LADY JUSTICE ELISABETH LAING:

  121. I agree.
  122. LORD JUSTICE PETER JACKSON:

  123. I also agree.


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/ew/cases/EWCA/Civ/2023/1141.html