On 10 October 2023, the Court of Appeal (“CoA”) ruled that the Information Commissioner’s Office (“ICO”) acted lawfully in respect of a complaint it received from a data subject in respect of their access request. The CoA upheld an earlier High Court decision by Mr Justice Mostyn to dismiss a claim by Mr. Ben Delo that the ICO had unlawfully failed to determine his complaint about an access request he made to Wise Payments Limited.
How did the data subject access request come about?
Mr. Delo was a customer of Wise Payments Limited (“Wise”). Wise provided him with an electronic account for currency conversion and a debit card for foreign currency expenditures.
On 10 November 2020, Mr. Delo transferred £30,000 from his HSBC Hong Kong account to Wise to convert it into Hong Kong Dollars and to subsequently transfer it to his Bank of China account.
Later that day, he transferred £270,000 into Wise for a similar conversion and transfer. Instead of processing these instructions, Wise asked Mr. Delo to provide information about the source and purpose of the funds. Mr. Delo provided the information.
On 19 November 2020, Wise deactivated Mr. Delo’s account. On that day, Mr. Delo submitted a data subject access request to Wise to obtain copies of his data.
On 23 November 2020, Wise submitted a suspicious activity report regarding Mr. Delo to the National Crime Agency (“NCA”). Wise responded to the data subject access request on 18 December 2020, providing some documents of Mr. Delo’s personal data but not all.
Mr. Delo was unsatisfied with his response and argued that Wise had not complied with its obligations under the UK General Data Protection Regulation (“UK GDPR”). He requested Wise to fulfil its obligations but Wise maintained its original response.
What did the ICO do?
On 4 February 2021, Wise submitted another suspicious activity report to the NCA regarding Mr. Delo. Mr. Delo then received a letter from Thames Valley Police on 15 February 2021, informing him of an investigation into the source of his funds in his Wise account.
Wise submitted a third suspicious activity report to the NCA on 22 March 2021. On 25 June 2021, Mr. Delo wrote to Wise again, requiring it to comply with its legal obligations under Article 15 of the UK GDPR. On the same day, he filed his first complaint with the ICO, asking them to require Wise to disclose all documents responsive to his data subject access request, including the suspicious activity report and to identify the exemptions it sought to rely on.
On 30 June 2021, Wise informed Mr. Delo that they might rely on exemptions, including those under the Data Protection Act 2018, to withhold disclosure of his personal data.
On 12 October 2021, the ICO decided to take no further action on Mr. Delo’s first complaint, citing that the data subject access request was too widely drawn and Wise was exempt from disclosing certain information due to its internal business processes.
What did the High Court and subsequently CoA do?
Mr. Delo argued that the ICO’s practice of recording complaints without taking further action to assess compliance with data protection laws was unlawful. The issue under consideration was whether the ICO must investigate and reach a final conclusion on every complaint made to them.
Mr Justice Mostyn noted that if Mr. Delo succeeded in his argument, it would significantly increase the workload of the ICO which was already stretched to its limits.
Mr Justice Mostyn pointed out that the question of whether the ICO should fully investigate and conclude on every complaint was a political issue that required the government’s intervention if such a duty existed. If the law mandated the ICO to fully investigate each complaint, the government would need to provide the necessary resources for the ICO to fulfil this requirement.
The ICO argued that Mr. Delo had an alternative remedy under s.166 of the Data Protection Act 2018, which allows the tribunal to make orders requiring the ICO to take appropriate steps to respond to a complaint. However, Mr Justice Mostyn disagreed, stating that s.166 did not provide Mr. Delo with an alternative remedy in this case.
Mr Justice Mostyn then addressed main arguments. Mr. Delo challenged the ICO’s decision on three grounds:
o The ICO failed to determine his complaint.
o The ICO failed to conduct a lawful investigation of his complaint.
o The ICO failed to take account of relevant considerations, proceeded on the basis of insufficient inquiry and irrationally made a determination on the basis of facts not known to them.
Mr Justice Mostyn found that the ICO had fulfilled its obligations and acted in accordance with the UK GDPR. He stated that the ICO was not obligated to reach a conclusive determination in every case where a complaint was made.
The ICO’s decision to take no further action was lawful, both procedurally and substantively. The ICO had properly considered the information available and reached a reasonable decision based on the facts.
This view was subsequently upheld by the CoA on 10 October 2023.
Aria Grace Law CIC
We have an array of highly experienced data protection lawyers with over 50 years of collective experience. Our expertise covers multiple jurisdictions and we have advised on over 100 data subject requests for both organisations and individuals. We have specific experience in interacting with data protection supervisory authorities including the ICO. If you’d like to get in touch with our team, please contact us on info@aria-grace.com.
Article by Puja Modha (Partner) and Sarah Davies (Paralegal) – 29 November 2023