Data Subject Complaints: delays at the regulator

At the beginning of July it was reported that the Irish High Court had given permission for a judicial review of the Irish Data Protection Commission (“DPC”) to proceed. The judicial review has been brought by the European Centre for Digital Rights in respect of significant delays at the DPC in their handling of complaints made to them under the GDPR.

The application is being brought by the applicant as a representative body under Article 80 of the GDPR. The application pertains to two complaints made by two separate complainants: one in relation to WhatsApp Ireland Limited and one against Facebook Ireland Limited (as operator of Instagram). Both complaints were made on 25 May 2018, the day on which the GDPR became applicable throughout the European Union. The complaints, having originally been made to the German and Belgian supervisory authorities (respectively), were transferred by those supervisory authorities to the DPC as the lead supervisory authority for both companies.

The DPC is still to make a decision on the complaints, more than two years after they were made. The judicial review seeks (principally): (1) a declaration that the DPC has failed to carry out an investigation into the complaints within a reasonable period, contrary to its duty under Article 57 of the GDPR and/or section 113 of the Irish Data Protection Act 2018; (2) a declaration that the DPC has not provided information and/or a draft decision to the relevant national authorities without delay, contrary to its obligation under Article 60(3); (3) a declaration that the DPC is in breach of its obligations under the GDPR and/or Irish data protection law; (4) an order directing the DPC to complete its investigation of the complaints within a time frame directed by the court; (5) a reference under Article 267, if required.

This is an interesting case from Ireland that is well worth keeping an eye on to see what the ultimate result is. Those who are familiar with the UK’s supervisory authority, the Information Commissioner, will see some similarities between the ICO and the DPC. The ICO is not renowned for acting quickly in respect of its regulatory functions; it’s yet to take a decision on regulatory action against British Airways and Marriott after issuing Notices of Intent (a precursor to a Penalty Notice; or, in GDPR parlance, an “administrative fine”) in excess of twelve months ago.

What can data subjects in the UK do where the ICO’s investigation of their complaint is moving at a glacial pace? The answer is to be found in section 166 of the Data Protection Act 2018, which makes provision for the First-Tier Tribunal to make orders requiring the Information Commissioner to progress a complaint.

Section 166 is a fairly limited provision; it does not create a route of appeal to the First-Tier Tribunal where the data subject is unhappy with the outcome of the complaint. It only provides a remedy to get the Information Commissioner to move the complaint forward to an outcome. Neither section 165 (which provides a right of complaint where Article 77 of the GDPR does not apply) nor section 166 requires the Commissioner to do anything more than investigate the subject matter of the complaint to the extent that is appropriate and to inform the complainant about the progress of the complaint (including about whether further investigation or co-ordination with another supervisory authority or foreign designated authority is necessary); they do not require the ICO to do anything at all about any breaches that may have occurred. Section 166 is therefore not a right of appeal against a decision of the Information Commissioner that there has been no breach of the relevant data protection laws or against a refusal to take enforcement action in respect of a breach.

The decision of the ECJ in Schrems II, which was published last month, does, however, provide some scope for challenging a failure to act by the ICO. The ECJ was very clear about the duties and obligations on supervisory authorities to ensure that the GDPR is being complied with (and that includes positive obligations to stop processing where it is not being complied with). However, such a challenge would require to be brought by the much more expensive route of a judicial review in the Court of Session (Scotland) or the High Court (England and Wales / Northern Ireland).

Alistair Sloan

If you are a data subject who submitted a complaint to the Information Commissioner more than 3 months ago and have not had your complaint resolved or are dissatisfied with the outcome of your complaint to the Information Commissioner then we would be happy to discuss this with you. You can contact our Alistair Sloan on 0141 229 0880 or by E-mail.