Analysis of Levi v Information Commissioner Case: Tribunal Upholds ICO Discretion in Data Breach Complaint Response

Citation: [2023] UKFTT 1033 (GRC)
Judgment on

Introduction

In Robin Levi v The Information Commissioner ([2023] UKFTT 01033 (GRC)), an individual, Mr. Levi, exercised his right to appeal under section 166 of the Data Protection Act 2018 (DPA) concerning the handling of his complaint about a data breach by Group 1 Auto. This article analyzes the case and outlines the key legal principles involved, together with the authorities and arguments set out in the case summary.

Key Facts

Mr. Levi’s complaint stemmed from a data breach by Group 1 Auto involving the incorrect submission of his house number to the DVLA. Despite corrective actions and assurances by Group 1 Auto, Mr. Levi sought a penalty against them and demanded an explanation from the Information Commissioner (ICO) as to why they were considered blameless. The ICO, concluding that Group 1 Auto had taken the breach seriously and addressed the complaint, decided against regulatory action. Mr. Levi appealed against this determination, requesting sanctions be applied to Group 1 Auto and contesting the ICO’s decision.

The primary legal principles invoked in this case derive from the DPA, particularly sections 165 and 166, which provide a mechanism for individuals to make complaints about data protection breaches and to appeal the Commissioner’s response to such complaints.

Appropriate Steps (Section 166 DPA)

The Tribunal highlighted that a section 166 challenge is not directed at the merits of the underlying complaint but at whether the Commissioner took “appropriate steps” to respond to the complaint, as defined by section 165(4)(a) of the DPA. The ‘appropriateness’ of the ICO’s response is also informed by its position as an expert regulator.

Judicial Authorities

  • Killock & Veale & others v Information Commissioner: The Tribunal recognized the ICO as the expert regulator best positioned to evaluate the merits of a complaint and determine its outcome.
  • HMRC v Fairford Group (in Liquidation): The Upper Tribunal advised against conducting a ‘mini-trial’ in such assessments and emphasized the need for realistic prospects of success in the appeal.
  • AW v Information Commissioner and Blackpool CC: The principle of abuse of process was highlighted as a relevant consideration for striking out claims, and it was advised that such power should be used only in plain and obvious cases.
  • R (on the application of Delo) v Information Commissioner and Wise Payments Ltd: The High Court underscored the ICO’s discretion in addressing complaints and recognized its authority to determine the focus of its regulatory powers.

Tribunal’s Role and Discretion

The Tribunal exercised its discretion under rule 8(3)(c) of the 2009 Rules to strike out the Application upon concluding that it had no reasonable prospect of success. Furthermore, the overriding objective under rule 2(3) emphasized the Tribunal’s duty to ensure fairness and just treatment in exercising its powers.

Outcomes

The Tribunal, in line with the overriding objective and the aforementioned legal standards, concluded that Mr. Levi had no reasonable prospect of succeeding on his Application. Accordingly, the application was struck out.

Conclusion

In the case of Robin Levi v The Information Commissioner, the critical legal principle was the Tribunal’s authority to assess whether the Commissioner took “appropriate steps” in line with DPA requirements. The Tribunal’s application of case law and statutory provisions culminated in the striking out of Mr. Levi’s Application. The principles reaffirm the ICO’s role as an expert regulator vested with the discretion to gauge the extent of its investigation into data protection complaints and reflect the Tribunal’s careful consideration of its powers to intervene in such matters.