Tribunal Upholds Procedural Limits in Data Protection Complaints, Strikes Out Application in Gramam Nightingale v The Information Commissioner

Citation: [2024] UKFTT 93 (GRC)
Judgment on

Introduction

In the case of Gramam Nightingale v The Information Commissioner ([2024] UKFTT 93 (GRC)), the First-tier Tribunal (General Regulatory Chamber) Information Rights reviewed an application under section 166(2) of the Data Protection Act 2018 (“DPA”) concerning the Tribunal’s scope and powers in relation to complaints about data protection rights infringements. The Tribunal’s decision centered on whether substantive issues related to a complaint could be re-examined or if its powers were strictly confined to addressing procedural inadequacies. The Tribunal struck out the application for having no reasonable prospect of success.

Key Facts

Gramam Nightingale (“the Applicant”) lodged a complaint to the Information Commissioner (“the Commissioner”) regarding the failure of a Data Protection Officer at the Football Pools to properly respond to a personal data request. The Commissioner concluded that there was a failure in data protection obligations on the part of the Football Pools and advised corrective actions. Dissatisfied, Nightingale sought review of the decision and, subsequently, applied to the Tribunal under section 166(2) of the DPA, challenging the substance of the Commissioner’s response.

The Tribunal underscored several legal principles that limit its jurisdiction strictly to procedural matters as per section 166 of the DPA. It cited several cases that reinforced the interpretation of section 166, establishing that the Tribunal is prohibited from engaging with the merits of a complaint and may only address procedural lapses:

  1. Killock v Information Commissioner [2022] 1 WLR 2241, Upper Tribunal: Emphasized that the Tribunal must not consider the merits or outcomes of the complaint under section 166. This interpretation aligns with the Explanatory Notes accompanying the DPA and Article 78(2) provisions, which are procedural.

  2. R (Delo) v Information Commissioner [2023] 1 WLR 1327, High Court: Highlighted the Commissioner’s broad discretion in handling complaints, including the decision of whether or not to issue a conclusive determination subsequently upheld by the Court of Appeal in [2023] EWCA Civ 1141.

  3. Cortes v Information Commissioner (UA-2023-001298-GDPA): Reaffirmed that the Tribunal should not assess the appropriateness of an already given response, avoiding a collateral attack on the complaint’s outcome.

These cases collectively define the Tribunal’s remit, clarifying that it must adhere to procedural oversight rather than revisiting substantive determinations made by the Commissioner.

Outcomes

After reviewing Nightingale’s application and its opposition to the Commissioner’s strike-out submission, the Tribunal concurred with the Commissioner’s argument and struck out the proceedings. It reasoned that the Commissioner had fulfilled procedural obligations by investigating and responding to the complaint. The Applicant’s dissatisfaction with the complaint’s outcome did not present a legal basis for the Tribunal to intervene under section 166, as it cannot re-evaluate the merits or initiate a substantive review.

Conclusion

The First-tier Tribunal’s decision in Gramam Nightingale v The Information Commissioner conclusively upholds the established principle that the Tribunal’s purview under section 166 of the DPA is procedural, not substantive. This is in line with the prevailing understanding articulated in earlier decisions such as Killock, Delo, and Cortes. Legal professionals should note that the Tribunal strictly interpreted its powers, reinforcing procedural boundaries in the oversight of data protection complaints and distinctly marking its limits in contrast to the substantive judicial review procedure available in the High Court.