First-tier Tribunal Strikes Out Data Breach Complaint for Lack of Evidence - Jashu Vestani v The Information Commissioner

Citation: [2023] UKFTT 915 (GRC)
Judgment on

Introduction

The First-tier Tribunal (General Regulatory Chamber) decided on the case of Jashu Vestani v The Information Commissioner ([2023] UKFTT 00915 (GRC)), addressing whether the Tribunal could review the actions of the Information Commissioner in response to a data breach complaint by Vestani. The key legal principles involved are the Tribunal’s discretionary power to strike out cases under Rule 8 of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (the 2009 Rules), and the duties of the Information Commissioner under Sections 165 and 166 of the Data Protection Act 2018 (DPA). This analysis elucidates how these legal principles applied to Vestani’s case, ultimately leading to the striking out of the application.

Key Facts

Vestani’s personal data was involved in a data breach at Capital Letters (London) Limited, which was followed by instances of fraudulent activity and cyber-attacks. Vestani believed these incidents were a direct result of the data breach. After unsatisfactory correspondence with Capital, Vestani filed a complaint with the Information Commissioner. On March 14, 2023, the Commissioner concluded that there was not sufficient evidence to link the data breach to the subsequent cyber incidents and closed the case. Vestani, dissatisfied with this outcome, sought justice from the Tribunal.

Rule 8 of the 2009 Rules

Rule 8(3)(c) allows the Tribunal to strike out a case if there is no reasonable prospect of success. This power is to prevent unsubstantiated cases from occupying Tribunal resources. Citing HMRC v Fairford Group [2014] UKUT 0329 and AW v Information Commissioner and Blackpool CC [2013], the Tribunal must consider if a case is realistically likely to succeed without conducting a ‘mini-trial’.

The Overriding Objective

Rule 2 of the 2009 Rules mandates the Tribunal to give effect to the overriding objective to “deal with cases fairly and justly” when exercising any power.

Sections 165 and 166 of the DPA

These sections outline the process to be followed if a complainant is unsatisfied with the handling of a data breach complaint by the Information Commissioner. The Tribunal can intervene if the Commissioner fails to take appropriate steps to respond to the complaint, but the Tribunal’s review is administrative rather than on the merits of the case. Killock & Veale & others v Information Commissioner [2021] UKUT 299 (ACC) confirmed that the Tribunal does not have the same expertise as the Commissioner in determining the outcome of complaints and that the Commissioner’s judgment is to be given weight due to its expertise as a regulator.

Outcomes

Upon reviewing Vestani’s application and the Information Commissioner’s response, the Tribunal assessed whether the Commissioner had fulfilled its duties under the DPA and whether any procedural improprieties occurred. The Tribunal found no evidence of the Commissioner failing to respond appropriately or neglecting procedural obligations. It also stated that the merits of the case, namely the direct link between the data breach and subsequent fraudulent activities, cannot be substantiated without concrete evidence.

The Tribunal emphasized that its role is not to reinvestigate the original data breach complaint but to evaluate the lawfulness of the Commissioner’s actions. Given these considerations, the Tribunal concluded that there was no reasonable prospect of Vestani’s case succeeding and thus decided to strike out the application according to Rule 8(3)(c).

Conclusion

The Vestani case emphasizes the Tribunal’s role in ensuring that cases proceed based on a reasonable prospect of success and adhere to the principle of fair and just treatment. The Tribunal must balance the interests of justice against the efficiency of its proceedings, taking into account the expertise of the Information Commissioner. The outcome of striking out Vestani’s application reaffirms the Tribunal’s reluctance to allow appeals where a claimant cannot provide substantial evidence linking administrative actions with concrete outcomes, ensuring that its limited resources are reserved for cases that warrant a full hearing.