Tribunal Rejects Application in Hoyland v Information Commissioner Due to Procedural Delays and Jurisdictional Limits

Citation: [2023] UKFTT 1073 (GRC)
Judgment on

Introduction

The case of Declan Hoyland v The Information Commissioner concerns an application to extend time for a complaint under section 166 of the Data Protection Act 2018 (DPA 2018). This article analyzes the judgment by Tribunal Judge Buckley and elucidates the legal principles applied, providing insight into the tribunal’s approach in handling the application.

Key Facts

Declan Hoyland (the Applicant) applied to the tribunal under section 166 DPA after the Information Commissioner (the Respondent) concluded the United Nations did not fall within the scope of the UK GDPR, being based in New York. The application was submitted approximately 7 months after the designated time frame, with the Applicant asserting personal circumstances and misunderstandings regarding data location as reasons for delay.

The case draws on several legal principles, primarily the interpretation of the General Data Protection Regulation (GDPR) obligations and the roles of the Information Commissioner and the tribunal provided by this framework:

  1. Timeliness of Application: The tribunal adheres to strict procedural rules under rule 22(6)(f) of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009, enforcing a 28-day limit for applications post the 6-month period from when the Commissioner receives the complaint. Hoyland’s application was markedly out of time.

  2. Scope of the Commissioner’s Obligations Under the GDPR: The legal framework obliges the Commissioner to handle and reach an “outcome” for complaints within appropriate measures but does not necessitate a conclusive ruling on the merits, as highlighted in Delo by Warby LJ.

  3. Jurisdiction of the Tribunal: Based on Killock & Veale & ors v Information Commissioner [2021] UKUT 299 (AAC) and Delo [2023] EWCA Civ 1141, it is not within the tribunal’s power to review the merits of the initial complaint or the process by which the Commissioner’s outcome was reached, if a decision has been provided.

  4. Human Rights Considerations: The Applicant asserted violations of human rights (Article 6 and 8), but the tribunal noted these assertions would not fall under section 166 applications. This suggests the tribunal cannot weigh human rights considerations as grounds for interfering with the Commissioner’s process or outcome.

  5. Effectiveness of Remedy: The concern that there might not be an effective remedy due to the UN’s perceived exclusion from GDPR coverage cannot be addressed through a section 166 application, indicating that alternative legal routes may be necessary for such a challenge.

Outcomes

Judge Buckley rejected the application on multiple grounds:

  • The delay in application was substantial and no substantial merit in the substantive grounds for an appeal was found.
  • The Applicant’s challenges related to the process and the Commissioner’s outcome decision, which fell outside the jurisdiction of a section 166 application.
  • The tribunal’s inability to offer legal advice or provide an alternative course for the Applicant’s grievances against the UN’s personal data handling practices.

Conclusion

In Declan Hoyland v The Information Commissioner, the tribunal’s decision underscores the boundaries of the Information Commissioner’s mandate under the GDPR and the scope of the tribunal’s jurisdiction in reviewing the Commissioner’s outcomes. The emphasis on procedural timeliness and the distinction between an “outcome” and a definitive ruling on the merits of a complaint provide clarity on the handling of similar claims. It underlines that applicants should seek remedies through appropriate legal routes that align with the limitations of the tribunal and the nature of the complaint.