Tribunal Affirms Limitations on Remedies Available Under Data Protection Act 2018

Introduction

The case of Shimaa Hatab v Information Commissioner, heard before the First-tier Tribunal (General Regulatory Chamber) and decided on 04 January 2024, elucidates important principles governing the nature of remedies available under the Data Protection Act 2018 (DPA). The decision, which revolves around the applicant’s right to complain about the handling of personal data and the scope of the Tribunal’s authority, takes into account prior judgments that have shaped the understanding of Section 166 of the DPA. This article provides an analysis of the key legal principles applied and the topics discussed in the decision, with implications for data subjects and regulatory bodies alike.

Key Facts

Shimaa Hatab filed a complaint with the Information Commissioner (the “Commissioner”) regarding an organization’s response to a data subject access request, the security of processing personal data, and an alleged disclosure of personal data to a third party outside the UK. Subsequent communications with the Commissioner resulted in a letter stating that the case was closed and no further action would be taken. After requesting reconsideration and a decision notice, the applicant received a review outcome from the Commissioner, which maintained that the initial complaint had been properly addressed.

Dissatisfied, Hatab applied to the Tribunal for an order requesting access to non-redacted email logs and identifiable information of users who accessed her Skype account. The Commissioner countered that procedural requirements under Section 166 of the DPA had been met, thus no grounds existed for an order from the Tribunal.

Legal Principles

The Tribunal’s analysis draws on several key legal principles arising from the DPA and case law:

1. Procedural Focus of Section 166 DPA: The adjudicating judge, Hazel Oliver, underscored that Section 166 is confined to procedural issues related to how the Commissioner handles complaints (Sections 166(1)(a)-(c)). It does not empower the Tribunal to assess the substantive merits or adequacy of the Commissioner’s response to complaints.

2. Limited Powers of the Tribunal: The judgments cited, including Killock v Information Commissioner and R (Delo) v Information Commissioner, affirm that the Tribunal can only make procedural orders. The Tribunal must not be diverted into evaluating the merits of the complaint itself or the outcome of the Commissioner’s investigations.

3. Commissioner’s Discretion: The court reaffirmed that the Commissioner enjoys broad discretion in deciding the scope and depth of investigations into complaints (R (Delo) v Information Commissioner).

4. Preclusion of Collateral Attacks on Outcomes: The Tribunal referenced Cortes v Information Commissioner to illustrate that use of Section 166 as a vehicle to challenge or force a reimagination of the Commissioner’s conclusions is impermissible.

Outcomes

Applying these principles, Judge Oliver determined that the provided correspondence—including the initial outcome letter and subsequent case review—is indicative that the Commissioner took steps that fulfilled procedural obligations as required by Section 166(1) DPA. Consequently, no room exists for the Tribunal to order further proceedings under Section 166(2) DPA, and allegations suggesting the inadequacy of the investigation conducted are seen as an impermissible challenge to the outcome of the Commissioner’s decision, not the process.

Conclusion

The Tribunal’s decision to strike out the application made by Shimaa Hatab is rooted in the legal interpretation that Section 166 of the DPA provides only for procedural remedies related to the handling of complaints by the Information Commissioner. The judgments referenced, such as Killock, Delo, and Cortes, collectively inform the understanding that the Tribunal is barred from engaging with the substance of the Commissioner’s investigative outcomes. This decision reiterates the circumscribed role of the First-tier Tribunal in cases under Section 166 of the DPA and reinforces the Commissioner’s discretion in managing the investigative process in data protection matters. Legal professionals should thus advise clients that the Tribunal’s authority extends only to ensuring procedural compliance by the Commissioner, not the revision of decisions based on the perceived adequacy or merits of investigations.