Tribunal Limits Scope in Data Protection Case: No Power to Overturn ICO Decisions or Award Compensation

Introduction

The case of Maria De Leon v The Information Commissioner is an important determination by the UK First-tier Tribunal (General Regulatory Chamber) on Information Rights, which clarifies the Tribunal’s scope of authority and limitations when adjudicating on matters arising under the Data Protection Act 2018, specifically section 166.

Key Facts

In this matter, the Applicant, Maria De Leon, sought an order under section 166 of the Data Protection Act 2018 following the Information Commissioner’s Office (ICO) decision to take no further action on her complaint. The ICO had communicated this outcome to De Leon repeatedly. De Leon contested this decision, insisting that the ICO did not take ‘appropriate steps’ in handling her complaint. The Information Commissioner applied to the Tribunal to have the case struck out on the ground that it had no reasonable prospect of success.

Legal Principals

The Tribunal’s decision pivoted on the interpretation of section 166 of the Data Protection Act 2018, which constrains its function to addressing specific failures by the Commissioner to progress a complaint. As emphasized by the presiding judge, Alison McKenna, the Tribunal does not possess supervisory jurisdiction over the ICO’s handling of complaints nor the authority to review decisions made by the ICO to conclude complaints. This limitation on the Tribunal’s jurisdiction is well-established by precedent in decisions from the Upper Tribunal, High Court, and Court of Appeal, binding on the current matter.

The legal principle revolves around the jurisdiction limits set by Parliament, which dictate that the Tribunal can only provide remedies where the ICO has failed to progress a complaint. Even where the outcome is unsatisfactory to the complainant, if the ICO has addressed the complaint, the Tribunal has no scope to offer remedies beyond those expressly provided for in the legislation. Furthermore, the Tribunal lacks the power to award compensation; such claims must be brought before the Courts.

Outcomes

Applying the relevant legal principles, Judge McKenna struck out De Leon’s Notice of Application under rule 8(3)(c) of the Tribunal’s Rules, as there was no remedy the Tribunal could grant under section 166 DPA 2018 given that the ICO had issued an outcome decision on the complaint already. The Tribunal clearly pointed out that De Leon’s desired actions — overturning the ICO’s decision or seeking compensation — were outside its powers and should be pursued through the Courts, which hold different jurisdiction under the Data Protection Act.

Conclusion

The decision in Maria De Leon v The Information Commissioner emphasizes the narrow and delineated scope of the Tribunal’s jurisdiction under the Data Protection Act 2018. It underscores the principle that the Tribunal is not a general forum for redress of all data protection issues but is limited to addressing specific statutory failures by the ICO. Moreover, it reaffirms that while the Tribunal can review the progression of complaints, it cannot review the substantive decisions of the ICO to conclude no further action on those complaints. For complainants seeking remedies beyond the Tribunal’s statutory authority, the decision highlights the Courts as the appropriate venue for redress.