section 166 (DPA) – prout de jure

Last month I highlighted an interesting decision from the First-Tier Tribunal on the much-litigated section 166 of the Data Protection Act 2018 (a section which often results in data subjects being disappointed as to its scope). Yesterday, the Tribunal gave another interesting decision in relation to section 166.

In August 2021, the applicant made a subject access request to a company called Contactout Limited. In November 2021, the applicant complained to the Information Commissioner as the company had not responded to their subject access request. In February 2022, the Commissioner responded to the applicant essentially telling the applicant that there was nothing that the Commissioner could do as the controller was based in the USA. Another fact of key importance is that the applicant was based in the Netherlands and that nothing had been put forward to connect either the applicant or the controller to the UK.

As the Commissioner had provided a response to the applicant, he asked the tribunal to strike out the application as having no reasonable prospect of success. The Tribunal declined to do this (but ultimately dismissed the application). The applicant argued that no adequate explanation had been provided as to why the Commissioner was not the relevant supervisory authority. The Tribunal considered that such an argument had, at least, the potential to fall within the scope of section 166 application [para 14]. The Tribunal was somewhat critical of the Commissioner’s submission which “failed to engage with the applicant’s actual pleaded case.” [para 14] The Tribunal went on to state that it was not going “so far as holding that a sufficiency of reasoning is required in a public law sense, but the applicant must at least know what the outcome is.” [para 14]

The Tribunal found that the wording of the Commissioner’s response letter to the applicant (quoted in its decision), when taken in isolation, risked misleading the reader of the letter that the commissioner was unable to take regulatory action against a controller based in a third country; Article 3 of the UK GDPR and section 207 of the Data Protection Act 2018 create, at least, some scope for such regulatory action. However, the Tribunal decided that the phrase “In relation to your case” within the decision letter from the Commissioner was sufficient to clear-up any misunderstanding. The complaint disclosed that there was nothing linking the applicant, their personal data or the controller to the United Kingdom and it was for that reason that the Commissioner had no jurisdiction. So, with that misunderstanding cleared up there was nothing left that the Commissioner could do that could form the basis for the Tribunal issuing an order under section 166.

The application was dismissed.

Section 166 continues to be a disappointment to data subjects; the limited scope of its terms has been affirmed repeatedly by both the FtT and Upper Tribunal. It does not afford a mechanism for appeal for a data subject who is unhappy with the outcome of their complaint to the Commissioner. It is clear, however, that where there remains scope for the Commissioner to take reasonable steps to address the complaint, then there may be some scope for orders under section 166. There is a fine line between considering whether appropriate steps have been taken to respond and whether the response itself was appropriate. The Tribunal is tasked with casting “a critical eye to assure itself that the complainant is not using the s.166 process to achieve a different complaint outcome.” (Killock and ors v Information Commissioner [2021 UKUT 229 at [87]).

Section 166 of the Data Protection Act 2018 has produced a reasonable amount of litigation arising out of what appear to be repeated fundamental misunderstandings by data subjects as to what section 166 provides them with. The Upper Tribunal has authoritatively, on more than one occasion, sated that the right afforded by section 166 of the 2018 Act is limited and does not provide a route for an unhappy data subject to appeal the outcome of their complaint to the Information Commissioner.

A recent FTT decision on section 166 took a slightly different approach, striking out the appeal on the grounds that the applicant had not even made a complaint to the Commissioner and so the Commissioner’s obligation to provide information as to the progress of the complaint was not even engaged.

On 25 May 2021, the applicant copied the Information Commissioner’s Office into an E-mail that had been sent to various other organisations. In that E-mail, the applicant raised a number of issues, none of which seem to have engaged the data protection legislation. There was, attached to the E-mail, an annotated copy of an E-mail that she had received days earlier from the Home Office.

On 8 June 2021, a case officer at the ICO wrote to the applicant to inform her that none of the issues she had raised fell within the jurisdiction of the Commissioner and advised her to complete one of the ICO’s complaint forms if she wished to raise a complaint under the data protection legislation.

The Commissioner argued that as no valid complaint had been made to his office there was no complaint to progress and therefore the application under section 166 of the Data Protection Act 2018 had no reasonable prospect of success.

Judge O’Connor agreed with the Commissioner and concluded that there was no reasonable prospect that the applicant could establish the contrary. Therefore, the application was dismissed. Judge O’Connor did go on to state that even if he was wrong on this, the Commissioner’s letter dated 8 June 2021 was a response and so the Tribunal would have had no jurisdiction under section 166 of the Act in any event.

This case is rather different to the usual section 166 cases that have been seen until now. It suggests that the Information Commissioner is taking a robust approach to what is and what is not a complaint. It has been the case for many years that the ICO would not typically respond to E-mails where they have simply been copied in. The Tribunal appears to be willing, at least in this case, to conclude that no complaint in terms of Article 77 of the UK GDPR or section 165 of the Data Protection Act 2018 has been made to the Commissioner where that is appropriate, and strike out section 166 applications which follow on the back of correspondence not amounting to a proper complaint.