Last month I highlighted an interesting decision from the First-Tier Tribunal on the much-litigated section 166 of the Data Protection Act 2018 (a section which often results in data subjects being disappointed as to its scope). Yesterday, the Tribunal gave another interesting decision in relation to section 166.
In August 2021, the applicant made a subject access request to a company called Contactout Limited. In November 2021, the applicant complained to the Information Commissioner as the company had not responded to their subject access request. In February 2022, the Commissioner responded to the applicant essentially telling the applicant that there was nothing that the Commissioner could do as the controller was based in the USA. Another fact of key importance is that the applicant was based in the Netherlands and that nothing had been put forward to connect either the applicant or the controller to the UK.
As the Commissioner had provided a response to the applicant, he asked the tribunal to strike out the application as having no reasonable prospect of success. The Tribunal declined to do this (but ultimately dismissed the application). The applicant argued that no adequate explanation had been provided as to why the Commissioner was not the relevant supervisory authority. The Tribunal considered that such an argument had, at least, the potential to fall within the scope of section 166 application [para 14]. The Tribunal was somewhat critical of the Commissioner’s submission which “failed to engage with the applicant’s actual pleaded case.” [para 14] The Tribunal went on to state that it was not going “so far as holding that a sufficiency of reasoning is required in a public law sense, but the applicant must at least know what the outcome is.” [para 14]
The Tribunal found that the wording of the Commissioner’s response letter to the applicant (quoted in its decision), when taken in isolation, risked misleading the reader of the letter that the commissioner was unable to take regulatory action against a controller based in a third country; Article 3 of the UK GDPR and section 207 of the Data Protection Act 2018 create, at least, some scope for such regulatory action. However, the Tribunal decided that the phrase “In relation to your case” within the decision letter from the Commissioner was sufficient to clear-up any misunderstanding. The complaint disclosed that there was nothing linking the applicant, their personal data or the controller to the United Kingdom and it was for that reason that the Commissioner had no jurisdiction. So, with that misunderstanding cleared up there was nothing left that the Commissioner could do that could form the basis for the Tribunal issuing an order under section 166.
The application was dismissed.
Section 166 continues to be a disappointment to data subjects; the limited scope of its terms has been affirmed repeatedly by both the FtT and Upper Tribunal. It does not afford a mechanism for appeal for a data subject who is unhappy with the outcome of their complaint to the Commissioner. It is clear, however, that where there remains scope for the Commissioner to take reasonable steps to address the complaint, then there may be some scope for orders under section 166. There is a fine line between considering whether appropriate steps have been taken to respond and whether the response itself was appropriate. The Tribunal is tasked with casting “a critical eye to assure itself that the complainant is not using the s.166 process to achieve a different complaint outcome.” (Killock and ors v Information Commissioner [2021 UKUT 229 at [87]).