Tag Archives: First-Tier Tribunal

Data Subject Complaints: delays at the regulator

At the beginning of July it was reported that the Irish High Court had given permission for a judicial review of the Irish Data Protection Commission (“DPC”) to proceed. The judicial review has been brought by the European Centre for Digital Rights in respect of significant delays at the DPC in their handling of complaints made to them under the GDPR.

The application is being brought by the applicant as a representative body under Article 80 of the GDPR. The application pertains to two complaints made by two separate complainants; one in relation to Whatsapp Ireland Limited and one against Facebook Ireland Limited (as operator of Instagram). Both complaints were made on 25 May 2018, the day on which the GDPR became applicable throughout the European Union. The complaints, having originally been made to the German and Belgium supervisory authorities (respectively), were transferred by those supervisory authorities to the DPC as the lead supervisory authority for both companies.

The DPC is still to make a decision on the complaints, more than two years after they were made. Judicial Review is sought seeking (principally): (1) a declaration that the DPC has failed to catty out an investigation into the complaints within a reasonable period, contrary to their duty under Article 57 of the GDPR and/or section 113 of the Irish Data Protection Act 2018; (2) a declaration that the DPC has not provided information and/or a draft decision to the relevant national authorities without delay, contrary to its obligation under Article 60(3); (3) a declaration that the DPC is in beach of its obligations under the GDPR and or Irish data protection law; (4) an order directing the DPC to complete its investigation of the complaints within a time frame directed by the court; (5) a reference under Article 267, if required.

This is an interesting case from Ireland that is well worth keeping an eye on to see what the ultimate result is. Those who are familiar with the UK’s supervisory authority, the Information Commissioner, will see some similarities between the ICO and the DPC. The ICO is not renowned for acting quickly in respect of its regulatory functions; it’s yet to take a decision on regulatory action against British Airways and Marriott after issuing Notices of Intent (a precursor to a Penalty Notice; or, in GDPR parlance, an “administrative fine”) in excess of twelve months ago.

What can data subjects in the UK do where the ICO’s investigation of their complaint is moving at a glacial pace? The answer is to be found in section 166 of the Data Protection Act 2018; which makes provision for the First-Tier Tribunal to make orders requiring the Information Commissioner to progress a complaint.

Section 166 is a fairly limited provision; it does not create a route of appeal to the First-Tier Tribunal where the data subject is unhappy with the outcome of the complaint. It only provides a remedy to get the Information Commissioner to move the complaint forward to an outcome. Neither section 165 (which provides a right of complaint where Article 77 of the GDPR does not apply) nor section 166 requires the Commissioner to do anything more than investigate the subject matter of the complaint to the extent that is appropriate and to inform the complainant about the progress of the complaint (including about whether further investigation or co-ordination with another supervisory authority or foreign designated authority is necessary); they do not require the ICO to do anything at all about any breaches that may have occurred. Section 166 is therefore not a right of appeal against a decision of the Information Commissioner that there has been no breach of the relevant data protection laws or against a refusal to take enforcement action in respect of a breach.

The decision of the ECJ in respect of Schrems II, which was published last month; does, however, provide some scope of challenging a failure to act by the ICO. The ECJ was very clear about the duties and obligations on supervisory authorities to ensure that the GDPR is being complied with (and that includes positive obligations to stop processing where it is not being complied with). However, such a challenge would require to be by the much more expensive route of a judicial review in the Court of Session (Scotland) or the High Court (England and Wales / Northern Ireland).

Alistair Sloan

If you are a data subject who submitted a complaint to the Information Commissioner more than 3 months ago and have not had your complaint resolved or are dissatisfied with the outcome of your complaint to the Information Commissioner then we would be happy to discuss this with you. You can contact our Alistair Sloan on 0141 229 0880 or by E-mail.

More is less and less is more

On 30th October 2017 the First-Tier Tribunal (Information Rights) promulgated its decision in McGoldrick v The Information Commissioner; the Tribunal’s decision made two points which it is worth considering.  The request for information in question was made to HM Treasure concerning the Mersey Tunnels; the full terms of the request for information are set out in the Tribunal’s decision.

The first point relates to the use of section 12 of the Freedom of Information Act 2000 where some of the information that may fall within the scope of the request is likely to be environmental information; and the second is on the duty of a public authority to provide advice and assistance.

On the first issue, the Tribunal (at paragraph 12) states that it

“agrees with the Information Commissioner that the appellant’s request could cover both non-environment and environmental information, for the purposes of regulation 2(1)(c) but that it would defeat the purpose behind section 12 and regulation 12(4)(d) if a public authority were obliged to collate the requested information in order to ascertain what information fell under either FOIA or the EIR. We agree, therefore, that HM Treasury was correct to consider the request under section 12, even though it might include some environmental information.”

The Tribunal considers that it is appropriate for an authority to not separately identify environmental information and deal with that under the Environmental Information Regulations 2004 where there is a substantial volume of information which covers both environmental and non-environmental information.  It seems that the Tribunal is of the view that there is no need to issue a refusal notice citing Regulation 12(4)(b) [although the Tribunal refers to Regulation 12(4)(d), but this seems as though it may be a typographical error] where a request is going to exceed the appropriate limit and it is likely that there is going to be environmental information within the ambit of the request.

On the second issue, the Tribunal decided that, on the facts of the present case, that HM Treasure did not comply with its obligation to provide adequate advice and assistance and overturned the Commissioner’s decision that it had.  In this case, HM Treasure told the requester that he might like to consider refining his request by reducing the amount of information requested.  The Commissioner considered that such a suggestion was sufficient in order to discharge the authority’s duty to provide advice and assistance.

At paragraph 18 of the Tribunal’s decision it stated:

“Given the widespread nature of computer-driven searches for information in connection with FOIA requests, it is, we consider, reasonable to expect large, sophisticated organisations, such as HM Treasury, to point out to requesters how the most thorough search is likely to exceed the relevant financial limit under the Regulations made by reference to section 12, and to suggest a reformulation of the request in terms specific to computerised searches. Accordingly, if HM Treasury had asked the appellant to reformulate his request by reference to emails and documents containing both the terms “Mersey tunnel” and “toll”, the appellant may well have reformulated his request.”

The Tribunal appears to be suggesting that a large public authority may have to go a bit further than a smaller authority in order to discharge its duty to provide advice and assistance.  It appears that, in certain cases, it may be necessary for a public authority to not only suggest that a requester reformulate their request but rather to go further and actually suggest ways in which it could be reformulated; especially when computer-driver searches for information are involved.

This certainly does fit with the way in which the legislation has been drafted; Section 12(1) of the Freedom of Information Act 2000 does include “so far as it would be reasonable to expect the authority to do so” within its terms.  So, where an authority is issuing a refusal notice under Section 12 of the Freedom of Information Act 2000 authorities, especially larger ones, ought to consider whether they are capable of suggesting how a request could be refined, not just that the requester may wish to consider refining it.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to do discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.